[SAGE] Microsoft DNS and BIND

Paul Lussier p.lussier at comcast.net
Fri Jun 8 12:30:28 EDT 2007


This mail came across the USENIX/SAGE list earlier this week.  Given
that there are several on this list who must deal with DNS and
Microsoft, I thought it would be useful information to cross-post here:

> -------------- Original message ----------------------
>>
>> Hi all,
>> 
>> We're looking at using Microsoft's DNS server as a master and
>> centralized management point to control all zones.  We would like to
>> do secure zone transfers with TSIG to Linux servers running BIND9.
>> 
>> Does anyone have any experience or know any good references on how
>> to get these two DNS servers talking to each other?
>> 

Interesting response:

> Some things to be careful of!
>
> Microsoft DNS has some weird habits to overcome the deficiencies of the
> Microsoft DHCP servers and DDNS. Out of the Box, Windows clients are
> configured to update their own DNS records. However they only update
> the forward records. And you can get into update storms from various
> clients replacing current information with their own. Reverse records
> can go missing for this set up.
>
> Removing that option from the clients and putting it onto the DHCP
> system allows the DDNS to populate both the forward and reverse
> records. Sounds good so far huh?
>
> Watch out though! When DHCP addresses expire, the MS DHCP server
> removes the forward records and leaves the reverse records behind, so
> you end up w/ lots of wrong reverse records. Microsoft tries to fix
> this with garbage collection on unused reverse records, but since
> machines can have multiple reverse records, there's always extra dead
> records hanging around that have to be cleared out by hand.
>
> Also, the TTL on DDNS records is low (the Windows admins here use 15
> minutes) so there's gonna be a Lot of update traffic running
> around. We made the mistake of letting a Microsoft DHCP server update
> our BIND servers via DDNS, and we see up to 6 reverse records pointing
> to the same IP. Also we are getting ~ 500 DDNS requests per
> second...and this is just for ~700 Windows clients.
>
> To BIND's credit, it isn't even breaking a sweat on this, nor the 15000
> Lame server messages per second from outside sources.

-- 
Seeya,
Paul
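The quoted response describes two symptoms an admin ends up cleaning by hand: PTR records left behind after the matching forward record is removed, and several PTRs pointing at the same IP. The following is an added example (not from the thread, and not anything Microsoft or ISC ship) that audits a forward zone against its reverse zone and reports both conditions. The zone text is constructed sample data in the one-record-per-line form `dig axfr` produces; the hostnames and 192.0.2.0/24 addresses are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample data (hypothetical hosts, documentation prefix 192.0.2.0/24),
# in the one-record-per-line layout that "dig axfr" prints for a zone.
FORWARD_ZONE = """\
ws01.example.net.   900 IN A   192.0.2.10
ws02.example.net.   900 IN A   192.0.2.11
ws03.example.net.   900 IN A   192.0.2.12
"""

REVERSE_ZONE = """\
10.2.0.192.in-addr.arpa.  900 IN PTR ws01.example.net.
11.2.0.192.in-addr.arpa.  900 IN PTR ws02.example.net.
11.2.0.192.in-addr.arpa.  900 IN PTR oldlaptop.example.net.   ; stale, left by DDNS
12.2.0.192.in-addr.arpa.  900 IN PTR ws03.example.net.
13.2.0.192.in-addr.arpa.  900 IN PTR ws04.example.net.        ; forward record gone
"""

# owner [ttl] [IN] type rdata  -- only A and PTR are of interest here
RR_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(A|PTR)\s+(\S+)\s*$")


def parse_zone(text):
    """Yield (owner, rtype, rdata) for A and PTR lines; comments and blanks are skipped."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        m = RR_RE.match(line)
        if m:
            yield m.group(1).lower(), m.group(2), m.group(3).lower()


def ptr_owner_to_ip(owner):
    """Turn an IPv4 reverse owner such as '11.2.0.192.in-addr.arpa.' into '192.0.2.11'."""
    labels = owner.rstrip(".").split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return None
    return ".".join(reversed(labels[:4]))


def audit_reverse_zone(forward_text, reverse_text):
    """Return (stale, duplicates).

    stale:      sorted list of (ip, name) PTRs whose name has no A record for that ip
    duplicates: dict ip -> sorted names, for ips carrying more than one PTR
    """
    forward = defaultdict(set)  # hostname -> set of IPs from its A records
    for owner, rtype, rdata in parse_zone(forward_text):
        if rtype == "A":
            forward[owner].add(rdata)

    ptrs = defaultdict(list)  # ip -> names its PTRs point at
    for owner, rtype, rdata in parse_zone(reverse_text):
        if rtype == "PTR":
            ip = ptr_owner_to_ip(owner)
            if ip:
                ptrs[ip].append(rdata)

    stale = []
    duplicates = {}
    for ip, names in ptrs.items():
        if len(names) > 1:
            duplicates[ip] = sorted(names)
        for name in names:
            # A PTR is consistent only if the forward zone maps that name back to this ip
            if ip not in forward.get(name, set()):
                stale.append((ip, name))
    return sorted(stale), duplicates


if __name__ == "__main__":
    stale, dups = audit_reverse_zone(FORWARD_ZONE, REVERSE_ZONE)
    for ip, name in stale:
        print(f"stale PTR: {ip} -> {name}")
    for ip, names in dups.items():
        print(f"multiple PTRs for {ip}: {', '.join(names)}")
```

Run it against the output of `dig axfr` for the forward and the matching in-addr.arpa zone (the transfer itself needs a TSIG key or an allow-transfer entry on the server); a PTR with no forward record is one the DHCP expiry left behind, and an IP with several PTRs is the "6 reverse records pointing to the same IP" case the response mentions.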

