On 2014-06-03 05:49, Carsten Strotmann wrote:
> Dave Warren writes:
>
>> Obviously it's not a suitable replacement for Active Directory driven
>> DNS.
>
> why not? It is best practice to separate DNS resolver (caching DNS
> server like Unbound) and authoritative server. While WinDNS can be used
> in both functions, it makes a good resilient and manageable DNS design
> to separate the DNS server functions on dedicated machines.

In general, I agree that it makes sense to split authoritative and resolver roles. However, in the case of Windows and Active Directory, Active Directory is built under the assumption that your DNS servers accept AD authenticated dynamic updates, both from AD itself and from clients, so it's best practice to only specify Microsoft DNS servers for Active Directory domain controllers, member servers and workstations when possible.

While you can do it via other methods (setting up AD's entries manually or forwarding the appropriate zones), it takes a lot of head-banging to get everything working and if you mess it up, the effects are subtle and intermittent since parts of Windows will fall back on broadcasts and other unreliable methods, and therefore will sometimes work even with DNS misconfigured.

Also keep in mind that Microsoft's authoritative DNS is multi-master and site-aware (so a machine registered in the current site will be immediately available in DNS to the current site, but might take time to propagate to other physical sites in the same DNS zone, balancing the need for quick updates vs. keeping the number of updates between sites reasonable).

My theory is that each site (physical location as well as Active Directory site/subnet) would have one unbound server that performs internet resolution, with multiple AD servers that forward to the unbound server.

> Unbound will nicely work as a secure DNSSEC validating resolver,
> resolving Internet names and also (possibly) local Active Directory
> names that are stored on WinDNS AD integrated servers.

Microsoft DNS's DNSSEC support is limited at best, and it has no pre-fetch support at all, so I'd like to use unbound for primary DNS resolution. However, hosting Active Directory on anything but Microsoft's DNS is outside of best practices for Active Directory.

>> However, even here, there's an interesting performance question: Is
>> it worth installing unbound and forwarding Microsoft DNS to unbound, or is it
>> better to let Microsoft DNS perform its own resolution?
>
> Forwarding is (today) probably almost always slower than direct name
> resolution (and more complicated and brittle), unless you are connected
> to the Internet with a slow link. I recommend not using forwarding
> unless there are very special conditions.
>
> Unbound as a direct resolver might be faster than having WinDNS as a
> direct resolver.

It might. If so, I'd like to know how much faster or slower the servers are on their own, but also how much overhead is involved if Microsoft's DNS sits in the middle to see if complying with best practices is appropriate, or if there's a technical justification to go with a more complicated setup.

I have the impression that Microsoft DNS isn't particularly speedy, but I have not actually attempted to benchmark it since Windows 2003 vs. an appropriate-era BIND. At the time, BIND was faster, but only slightly; since this design effectively allowed for a shared cache, though, the real-world performance was significantly improved.

My guess is that having several Microsoft DNS servers forward to a single unbound server which does resolution of all non-local zones will ultimately be slightly faster than having multiple Microsoft DNS servers do the work themselves, but even if it's ultimately slightly slower, gaining the benefits of Unbound's DNSSEC validation probably makes it worthwhile. But if it's a lot slower, I would definitely be open to other configurations.
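As an added example (not code from this thread, from the posters, or from the Unbound project), here is a small Python tool for the two questions raised above: how much latency the "WinDNS forwards to Unbound" path adds compared with querying Unbound directly, and whether DNSSEC validation actually reaches the client through that path. It sends raw UDP queries with EDNS0 and the DO bit set, times each answer, and reports the AD (authenticated data) bit, which a validating resolver sets on answers it has verified. The resolver addresses and query names are assumed placeholders; the wire-format handling follows RFC 1035 and RFC 6891. Each name is queried twice per resolver so the first (likely cache miss) and second (likely cache hit) timings can be compared.

```python
"""Time DNS queries against two resolvers and report the DNSSEC AD bit.

Added example for the list discussion above; not Unbound project code.
RESOLVERS and NAMES are constructed placeholders: substitute your own
Unbound server and the Windows DNS server that forwards to it.
"""
import random
import socket
import struct
import time

# Assumed addresses (TEST-NET-1 placeholders, replace before use).
RESOLVERS = {
    "unbound-direct": "192.0.2.53",     # Unbound queried directly
    "windns-forwarding": "192.0.2.10",  # WinDNS forwarding to Unbound
}
NAMES = ["www.nlnetlabs.nl", "www.ietf.org"]


def build_query(name, qtype=1, txid=None, want_dnssec=True):
    """Return (txid, wire) for a recursive query (RD set).

    With want_dnssec an EDNS0 OPT record with the DO bit is appended, so a
    validating resolver returns DNSSEC data and sets AD on verified answers.
    """
    txid = random.randrange(0, 65536) if txid is None else txid
    arcount = 1 if want_dnssec else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    labels = [x for x in name.rstrip(".").split(".") if x]
    qname = b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    opt = b""
    if want_dnssec:
        # OPT RR: root name, type 41, UDP payload 4096, ext rcode 0,
        # EDNS version 0, flags with DO bit (0x8000), empty RDATA.
        opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return txid, header + question + opt


def skip_name(wire, off):
    """Advance past a (possibly compressed) name; return the next offset."""
    while True:
        length = wire[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer, always 2 bytes
            return off + 2
        off += 1 + length


def parse_response(wire):
    """Return txid, rcode, AD bit, answer count and minimum answer TTL."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", wire[:12])
    result = {"txid": txid, "rcode": flags & 0x000F,
              "ad": bool(flags & 0x0020), "answers": an, "min_ttl": None}
    off = 12
    for _ in range(qd):
        off = skip_name(wire, off) + 4  # skip QTYPE and QCLASS
    ttls = []
    for _ in range(an):
        off = skip_name(wire, off)
        _rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
        off += 10 + rdlen
        ttls.append(ttl)
    if ttls:
        result["min_ttl"] = min(ttls)
    return result


def timed_query(server, name, timeout=2.0):
    """Send one query over UDP and return the parsed answer plus elapsed ms."""
    txid, wire = build_query(name)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        t0 = time.perf_counter()
        sock.sendto(wire, (server, 53))
        data, _ = sock.recvfrom(4096)
        elapsed_ms = (time.perf_counter() - t0) * 1000
    finally:
        sock.close()
    parsed = parse_response(data)
    if parsed["txid"] != txid:
        raise ValueError("transaction id mismatch")
    parsed["ms"] = elapsed_ms
    return parsed


def benchmark(resolvers=RESOLVERS, names=NAMES):
    """Query each name twice per resolver (likely miss, then likely hit)."""
    rows = []
    for label, server in resolvers.items():
        for name in names:
            for attempt in ("first", "second"):
                try:
                    r = timed_query(server, name)
                    rows.append((label, name, attempt, round(r["ms"], 1),
                                 r["ad"], r["rcode"]))
                except (OSError, ValueError) as exc:
                    rows.append((label, name, attempt, None, None, str(exc)))
    return rows


if __name__ == "__main__":
    for row in benchmark():
        print(row)
```

Run it from a client in the site under test; the difference between the two labels on the "second" rows is the forwarding hop's overhead on cache hits, and an AD value of False on the forwarding path with True on the direct path means validation results are not surviving the intermediate server.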

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users