"Lawrence K. Chen, P.Eng." <lkc...@ksu.edu> wrote:
Hmmm, so that explains what I'm seeing in my logs of my nameservers getting hammered by AD. Should I be worried? Is there anything that could be done on my end to help reduce the impact?

On our campus, we have always allowed delegation of subdomains to department nameservers, with the requirement that we be secondary to them. Some departments also have other domains on their nameservers, again with us as their secondary (and often we're the only published nameservers for these domains).

But AD was different... they did their own thing. Except there's this problem now with their authoritative servers also being open recursive query resolvers... exposed to the whole world. Since they won't turn off recursion (and there's no way to limit its scope), we've started pushing that they need to use us as secondaries.

Right now it has only been tested with Central AD, where I'm seeing one DC sending updates at intervals ranging from a few minutes to a few hours, while the other DC is trying at intervals of 2-9 minutes, but it's N-1....

Though when they were first trying to get it going, they had some trouble, which turned out to be that it thought the IP space of my nameservers belonged to it and that my nameservers were not part of that space. Namely, one of my DNS vlans is 129.130.254.0/28 (ns-1.ksu.edu lives here; ns-2.ksu.edu/ns-3.ksu.edu live in the other one), where some other portion of the /24 is a vlan that they have servers in.

Hmmm, I noticed in the dump of ads.ksu.edu that it has A records for my nameservers... is that a problem?
Where I used to work, there was NO computer that had an AD DNS Server address in its TCP/IP configuration. ALL computers used the two BIND internal servers for their DNS resolution. The Domain Controllers were NOT accessible from the Internet, so we were not worried about Internet access to those DC DNS Servers.

Only one sub-domain was completely DHCP-dynamic and mastered on a Windows DC DNS, so with the exception of this forward zone and its five /24 reverse zones, the only zones on the Windows DCs were the AD zones - _msdcs, _sites, _tcp, and _udp. The forward and reverse zones were on the BIND servers only, and all these "_" zones were slaved on the BIND servers.

--Barry Finkel
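For reference, here is what the BIND side of the arrangement both posts describe looks like: the campus servers secondary the AD zones from a DC, accept NOTIFY only from it, and offer recursion only to campus clients rather than to the whole world. This is an added example for the thread, not configuration from either poster; the campus prefix (129.130.0.0/16), the DC address (192.0.2.10), the zone names under ads.ksu.edu and the file paths are placeholders, and the syntax is the BIND 9.16+ form (type secondary / primaries; older releases write type slave / masters).

```conf
// Added example, not the posters' configuration. Placeholders (assumptions):
// campus prefix 129.130.0.0/16, DC address 192.0.2.10, zone and file names.

acl "campus" { 129.130.0.0/16; localhost; localnets; };  // placeholder campus prefix
acl "ad-dcs" { 192.0.2.10; };                            // placeholder DC address

options {
    directory "/var/named";

    // The weak setting the thread complains about on the DCs: recursion
    // offered to anyone who can reach port 53.
    //   recursion yes;
    //   allow-recursion { any; };
    //
    // Corrected: recursive service and cached data only for campus clients;
    // everyone else gets authoritative answers for our zones and nothing more.
    recursion yes;
    allow-recursion { campus; };
    allow-query-cache { campus; };

    // No zone transfers out by default; add allow-transfer per zone where a
    // department secondary genuinely needs one.
    allow-transfer { none; };

    // Accept NOTIFY only from the DCs we secondary from (the listed primaries
    // are accepted as well), so a random host cannot trigger refreshes.
    allow-notify { ad-dcs; };
};

// The AD domain zone itself, secondaried from the DC. The DC must be configured
// to allow zone transfers to these servers (and to notify them); BIND then
// refreshes on NOTIFY or at the zone's SOA refresh interval.
zone "ads.ksu.edu" {
    type secondary;
    primaries { ad-dcs; };
    file "secondary/ads.ksu.edu";
};

// Where the "_" record trees are separate zones on the DC, as in Barry's
// layout, each needs its own stanza; _msdcs is shown, _sites/_tcp/_udp repeat it.
zone "_msdcs.ads.ksu.edu" {
    type secondary;
    primaries { ad-dcs; };
    file "secondary/_msdcs.ads.ksu.edu";
};

// Forward and reverse zones that are not AD-dynamic stay mastered here, so no
// client ever needs a DC address in its resolver configuration.
zone "ksu.edu" {
    type primary;
    file "primary/ksu.edu";
    allow-transfer { ad-dcs; };   // only if the DCs are meant to secondary it
};
```

Check the result after a reload with `named-checkconf` and then, from an off-campus address, a query with the RD bit set for a name you are not authoritative for: the answer should come back with REFUSED (or an empty answer and no RA flag) rather than a resolved record. The same probe aimed at a DC is what shows whether it is still an open resolver.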