
Looking for Free Linux DNS server


Stoic Joker:
Okay, I'm probably completely nuts on this one...but I thought I'd ask anyway.

We have a client that got talked into going with a cloud server for their Windows domain via VPN. ...I'll pause here a bit so you can cringe too...

... :D ...

...So as to be expected, the tunnel goes down from time to time (daily...) which prevents the client machines from accessing the (remotely hosted - cloud situated) domain DNS which is of course running in the remotely hosted (cloud situated) DC. So whoever set this (kluge) up made the obvious (mistake) assumption that they could just add the ISP's DNS server as the secondary DNS server for the client machine (turning everything to shit) so that the users could still access the internet when the tunnel went down...in what was described as a daily fashion.

Is it even necessary to say that the aforementioned configuration is doomed to fail (catastrophically)?

So anyway, just for a bit of cost cutting fun (server OSs being $$$), I thought I'd inquire if anyone could think of a free Linux/Unix based DNS solution that could properly handle the DNS records for (_msdcs.*) a Windows domain. GUI-less CLI preferred.

Thank you,

40hz:
I heard it's been attempted. And it's not worth the effort based on everything I've ever read about it by those who tried - and failed.

Windows has that fairly weird implementation of DNS for AD that we all 'love,' which doesn't like it not being under the control of a Windows server.

The present setup you're describing is absolutely doomed to failure. As in epic. No two ways.

Holding out false hopes only gets your client pissed off. Best just let it happen and skip the science fair projects. Once it really tanks on them they'll let you fix it correctly.

Just my :two: anyway.

Stoic Joker:
I heard it's been attempted. And it's not worth the effort based on everything I've ever read about it by those who tried - and failed.-40hz (February 05, 2013, 04:31 PM)
--- End quote ---

Crap, I was hoping it would at least point to the DC properly so I could use caching for the rest.

The present setup you're describing is absolutely doomed to failure. As in epic. No two ways.
-40hz (February 05, 2013, 04:31 PM)
--- End quote ---

Count with me brother, 5... 4... 3... (hehe) Why is it that nobody ever seems to read that chapter of the manual?? DNS really is simple as hell.

Holding out false hopes only gets your client pissed off. Best just let it happen and skip the science fair projects. Once it really tanks on them they'll let you fix it correctly.-40hz (February 05, 2013, 04:31 PM)
--- End quote ---

I hear ya. I just thought it might be a (cheap fix) fun place to stick Linux ... Did I mention that they have 6 locations in this mess?

x16wda:
It seems to have worked for this guy using BIND.

I had BIND set up and working fine for my old company, then we put in Bay infrastructure and installed Bay's NetID to combine DNS and DHCP.  (Wow, how overly complicated can you get!)  But of course then A/D came in (which was a good choice for this company) and since we had the DCs everywhere that took care of our DNS needs without additional infrastructure.

40hz:
@x16 - interesting and thx for the link. I'm working my way (slowly) through it. :Thmbsup:

A crony of mine also just sent me a copy of this post found over on linuxquestions.org

It's fairly long:

Actually Microsoft has made it even easier with Server 2008 R2 and Windows Server 2012.

How I got BIND as the primary DNS server for the domain (.home), running alongside a Windows AD DS domain on 2008 R2 (homedomain.home) on the same network:
In BIND on Linux (Ubuntu), in /etc/bind/named.conf.local add:

zone "homedomain.home" {
    type slave;
    masters { $IPv4_addr_of_DC; };   // the DC holding the AD-integrated zone; each address inside masters { } needs its own ';'
    notify yes;
    allow-transfer { any; };         // hands the complete AD zone (every host, DC and service) to anyone who can reach port 53; restrict to known secondaries in production
    allow-query { any; };
};

zone "_msdcs.homedomain.home" {
    type slave;
    masters { $IPv4_addr_of_DC; };   // same DC; named-checkconf rejects the block if the ';' after the address is missing
    notify yes;
    allow-transfer { any; };
    allow-query { any; };
};

Then on your DC, load the DNS MMC snap-in. For both Forward Lookup Zones,
_msdcs.homedomain.home
homedomain.home
select Properties, and on the Zone Transfers tab select "Only to the following servers".
Click Edit and add the IPv4 address of your Linux BIND server.

Reload the configuration in BIND.
Your Windows Vista, 7, 8 and Server 2008 R2 and 2012 workstations and servers will now identify the SOA for Active Directory Domain Services.
This works from the installer and from the change-computer-name dialogs.
I found that as soon as I added the _msdcs forward zone, the domain was found immediately.

As stated in the thread, _ldap._tcp.dc._msdcs.DOMAIN.COM is the really important SRV pointer for bootstrapping the adding of a machine to the domain, but hardcoding it into a subzone in BIND is a silly idea.
By setting up the _msdcs forward zone as a slave you will have full AD functionality being served from your BIND while AD DS maintains the state of your domain in its structure.

hope this helps someone


EDIT:

From "Pro DNS and Bind" by Zytrax:
---
check-names

check-names (warn|fail|ignore) ;
check-names fail;

The check-names statement will cause any host name for the zone to be checked for compliance with RFC 952 and RFC 1123 and take the defined action. Care should be taken when using this statement because many modern RRs e.g. SRV use names which do not meet these standards (they contain underscore) but which are permitted by RFC 2181 which greatly liberalized the rules for names (see labels and names). The default is not to perform host name checks. check-names may also appear in a view or options clause where it has a different syntax.
---

You may need the check-names ignore directive in your slave definitions, as lots of AD DS style queries use underscores, if you are enforcing RFC 952 style hostnames.
Last edited by MiWLinuxQuestions; 10-27-2012 at 06:18 AM.
--- End quote ---


I don't know if this solution is specific to the 2k8-R2/2k12 servers, although I would suspect it is since integrating BIND with AD didn't seem to be very workable for 2k3 and earlier. Possibly MS changed their data structures to be more standards compliant? Either way, the above may be worth a try. Doesn't look too complicated to set up.

 :)
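The quoted recipe makes BIND a secondary for the two AD zones but gives no way to confirm that the copy actually carries what a domain join needs, or to see concretely why strict hostname checking trips over AD names. The Python below is an added example, not code from the thread or from the linuxquestions post. It parses a constructed zone dump (made-up hostnames and addresses, in the text form BIND writes to disk for a secondary zone), reports which of the SRV records that domain join and logon depend on are absent (the sample deliberately omits `_ldap._tcp.pdc._msdcs`), flags SRV targets that have no address record, and lists the owner names that violate strict RFC 952/1123 hostname syntax, which is the `check-names` issue raised at the end of the quote. The list of required SRV owners is the standard set AD publishes and is an assumption of this example, not something the thread enumerates.

```python
"""Sanity-check a BIND secondary copy of an Active Directory zone.

Added example, not from the thread. Works on a zone in BIND text format.
"""
import re

# Constructed sample: an abbreviated secondary copy of homedomain.home and its
# _msdcs child zone as AD would publish them. Names and addresses are made up,
# and _ldap._tcp.pdc._msdcs is intentionally left out to exercise the check.
SAMPLE_ZONE = """\
$ORIGIN homedomain.home.
$TTL 600
@                        IN SOA dc1 hostmaster 42 900 600 86400 3600
@                        IN NS  dc1
dc1                      IN A   10.0.0.10
_ldap._tcp               IN SRV 0 100 389  dc1
_kerberos._tcp           IN SRV 0 100 88   dc1
_kpasswd._tcp            IN SRV 0 100 464  dc1
_gc._tcp                 IN SRV 0 100 3268 dc1
$ORIGIN _msdcs.homedomain.home.
_ldap._tcp.dc            IN SRV 0 100 389  dc1.homedomain.home.
_kerberos._tcp.dc        IN SRV 0 100 88   dc1.homedomain.home.
_ldap._tcp.gc            IN SRV 0 100 3268 dc1.homedomain.home.
"""

# SRV owner names (relative to the domain) that domain join, Kerberos logon
# and DC location rely on. Assumed standard set for this example.
AD_SRV_OWNERS = (
    "_ldap._tcp", "_kerberos._tcp", "_kpasswd._tcp", "_gc._tcp",
    "_ldap._tcp.dc._msdcs", "_kerberos._tcp.dc._msdcs",
    "_ldap._tcp.pdc._msdcs", "_ldap._tcp.gc._msdcs",
)

# One label of a strict RFC 952/1123 hostname: alphanumerics and '-', no
# leading or trailing '-', at most 63 characters. Underscores are not allowed.
_HOST_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def _fqdn(name, origin):
    """Qualify a zone-file name against the current $ORIGIN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." + origin


def parse_zone(text):
    """Return {owner_fqdn: [(rrtype, rdata), ...]} from BIND zone text.

    Handles $ORIGIN/$TTL, '@', relative names, and optional TTL/class
    fields. Parenthesised multi-line records are not handled.
    """
    origin, records, last_owner = ".", {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            continue
        fields = line.split()
        if line[0].isspace():                      # blank owner: reuse previous
            owner = last_owner
        else:
            owner = _fqdn(fields.pop(0), origin)
        last_owner = owner
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)                          # optional TTL and class
        rrtype, rdata = fields[0].upper(), fields[1:]
        if rrtype in ("NS", "CNAME", "SRV", "MX"):
            rdata[-1] = _fqdn(rdata[-1], origin)   # qualify the hostname target
        records.setdefault(owner, []).append((rrtype, " ".join(rdata)))
    return records


def missing_ad_srv(records, domain):
    """Required AD SRV owner names under `domain` that carry no SRV record."""
    domain = domain.rstrip(".") + "."
    return [f"{p}.{domain}" for p in AD_SRV_OWNERS
            if not any(t == "SRV" for t, _ in records.get(f"{p}.{domain}", []))]


def dangling_srv_targets(records):
    """SRV targets with no A/AAAA record in the parsed data (join would find the
    service name but fail to reach the host)."""
    dangling = set()
    for rrs in records.values():
        for rrtype, rdata in rrs:
            if rrtype == "SRV":
                target = rdata.split()[-1]
                if not any(t in ("A", "AAAA") for t, _ in records.get(target, [])):
                    dangling.add(target)
    return sorted(dangling)


def strict_hostname_violations(records):
    """Owner names with a label outside RFC 952/1123 hostname syntax: every
    AD service locator record, because its labels begin with '_'."""
    return sorted(o for o in records
                  if not all(_HOST_LABEL.match(l) for l in o.rstrip(".").split(".")))


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    print("missing SRV:", missing_ad_srv(recs, "homedomain.home"))
    print("dangling SRV targets:", dangling_srv_targets(recs))
    print("strict-hostname violations:", strict_hostname_violations(recs))
```

On a live secondary, feed it the zone file BIND writes for the slave (the `file` path in the zone block, if one is configured) or the output of `dig @bind-server homedomain.home AXFR`; the same `dig @bind-server _ldap._tcp.dc._msdcs.homedomain.home SRV` a Windows client would issue is the quickest confirmation that the BIND copy answers. Two practical notes: BIND's `check-names` default for slave zones is already `ignore`, so the directive in the quote only matters if an options or view clause tightened it; and the parsed dump is precisely what `allow-transfer { any; }` gives an outsider, every DC, host and service in the domain in one query, so limit transfers to the DC and known secondaries.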
