# BIND DNS & Windows Domain

## Crimjob

Hi All,

I've been trying to find a solution to my mess for a while, but nothing I have found online has worked for me yet.

I have a Windows Server 2008 Active Directory Domain, a Linux RAIDed Storage Array, a Linux router (running 2.6.28-hardened-r9, iptables, dhcpd) and multiple Windows and Linux hosts (all Linux boxes are running Gentoo). I do have an issue with dhcpd being unable to do reverse mappings due to timeout, but I feel that might be related to my DNS issues.

What I would like to do, is set up a local BIND server on the Linux router, have it take care of local networking (being fully aware that my 2k8 Server box is a Windows Domain Controller, so I can add computers to the domain and communicate with the controller), but forward all "external" requests (anything outside of my LAN) to Google's DNS servers (8.8.8.8 & 8.8.4.4).

There are just so many pieces of documentation out there, and they're all slightly different. I've tried mishmashing a few together to do what I want, but I have yet to be successful, so hopefully someone can point me in the right direction :Smile:

Edit: I've performed some steps mentioned and that has made the situation better, but I'm still unable to do what I need. When I try to resolve the domain (by joining a new workstation to the domain) using this config I am unable to resolve the name and the computer is unable to join the domain.

----------

## Casshan

I would check out dnsmasq (http://www.thekelleys.org.uk/dnsmasq/)

It's a DNS forwarder, so you can forward all requests to the Google servers, but you can also forward specified domains to other DNS servers, like your Windows domain. I have used this at a few different places for the exact thing you are describing.

----------

## Crimjob

Thanks for the suggestion, but that'll be my last resort. I also have a bunch of servers external to my LAN that use BIND and do not require DHCP, and I like to keep my OSes consistent. I know I can't be the first one who's doing this :Smile:

As it works now, my Primary DNS server is my Linux Router, and my Secondary DNS server is my Windows 2008 box. If I switch the order on Windows hosts, they can contact the domain controller without issue. If I use the Linux Router as the Primary DNS server on the Windows hosts, they cannot resolve the name of the domain (either time out trying to connect to domain or while trying to grab the group policy).

I've set up both domains to forward requests to each other before going out to external DNS but that doesn't seem to have made a difference. It's also really annoying because some hosts exhibit no problems (those that have been Domain connected before this issue), and others have an insanely slow (10+ minute) startup as they are unable to contact the domain.

----------

## Casshan

You could set up a zone transfer of the Windows DNS zone to your BIND server:

```
zone "windows.local" IN {
    type slave;
    file "sec/windows.local";
    masters { 192.168.2.10; };
};
```

Just change the name and master to the full Windows domain and the IP address of your domain controller. You also need to enable zone transfers on the Windows side. You probably want to configure notification on the Windows DNS side as well.

----------

## nativemad

The problem is that Windows clients try to update their DNS entries on their configured DNS servers... So you need to have these zones writable on whichever DNS server is configured on their side! (Or you can set up dhcpd to update BIND directly and ignore the errors in the clients' event log!)

Also, the special ADS zones (like _msdcs.yourdomain, _sites.yourdomain, _tcp.yourdomain as well as _udp.yourdomain) have to be available on the configured DNS servers (and be writable at least from the domain controllers)! Otherwise the Windows clients can't fetch GPOs or get Kerberos tickets and so on (like you said, a 10 minute logon! :Wink: )

----------

## Casshan

I still think dnsmasq would work well; you can disable the DHCP part of it and use it purely as a "DNS router". I have not tried to see if a Windows client can update itself if dnsmasq is involved.

----------

## nativemad

*nativemad wrote:*

> Also, the special ADS zones (like _msdcs.yourdomain, _sites.yourdomain, _tcp.yourdomain as well as _udp.yourdomain) have to be available on the configured DNS servers (and be writable at least from the domain controllers)! Otherwise the Windows clients can't fetch GPOs or get Kerberos tickets and so on (like you said, a 10 minute logon!)

I just thought about it once again and found a working BIND config with conditional forwarding for the ADS zones somewhere in a production environment...! :Razz:

That way you can have it so that dhcpd updates the zone linux.local and Windows clients do their updates on the PDC's windomain.local! The mechanism to update the DNS server on the PDC isn't always reliable, but it mostly works, even if the configured DNS server is the BIND host!

These special zones can be implemented in BIND itself, but they don't have to be, if you really split the local zone!

I'm not sure if conditional forwarding can be done with dnsmasq, but if it can, then it should also work!

Here are the relevant parts:

```
allow-recursion { 127.0.0.1; 10.0.0.0/8; }; // allow recursive lookups

forward first;
forwarders {
    8.8.8.8; // google
    8.8.4.4;
};

zone "windomain.local" IN {
    type forward;
    forwarders {
        10.1.1.1; // our DC
    };
};

// my private domain
zone "linux.local." IN {
    type master;
    file "pri/private.domain.hosts";
    allow-update { 127.0.0.1; }; // only allow lo to update DNS zone files (DHCP)
    notify yes;
};
```

Of course you need a few more zones like the reverse ones, but they are really common...  :Wink: 

Have fun!

----------

## Crimjob

*nativemad wrote:*

> *nativemad wrote:*
> > Also, the special ADS zones (like _msdcs.yourdomain, _sites.yourdomain, _tcp.yourdomain as well as _udp.yourdomain) have to be available on the configured DNS servers (and be writable at least from the domain controllers)! Otherwise the Windows clients can't fetch GPOs or get Kerberos tickets and so on (like you said, a 10 minute logon!)
>
> I just thought about it once again and found a working BIND config with conditional forwarding for the ADS zones somewhere in a production environment...!
> ...

Well, it has helped overall but has not fully fixed the issue. After applying your config (including my existing reverse zones etc.) I was able to get an existing domain computer (one that was joined by manually changing the DNS server order) to contact the domain controller (albeit it gave me an error, it was able to realize I had changed my password), but upon attempting to join a new computer to the domain, I am still unable to resolve the domain controller. I was able to properly configure the Windows DNS to accept transfers from the BIND DNS, but something is still not right.

Where can I begin troubleshooting? This is my named.conf:

```
options {
        directory "/var/bind";

        // uncomment the following lines to turn on DNS forwarding,
        // and change the forwarding ip address(es) :
        allow-recursion { 127.0.0.1; 192.168.0.0/16; };
        forward first;
        forwarders {
#               192.168.0.2;
                8.8.8.8;
                8.8.4.4;
        };

        listen-on-v6 { none; };
        listen-on { 127.0.0.1; 192.168.0.1; };

        // to allow only specific hosts to use the DNS server:
        allow-query { any; };

        zone-statistics yes;
        statistics-file "var/log/named.stats";

        // if you have problems and are behind a firewall:
        //query-source address * port 53;

        pid-file "/var/run/named/named.pid";

        # allow zone transfers to the listed slave servers.
        # it's always a good idea to replicate your DNS information.
        allow-transfer { 192.168.0.2; };

        # traditionally slave servers would ask for updates every so often.
        # newer versions of BIND allow slaves to be notified on changes for
        # speedier data distribution.
        notify yes;

        # the default recursion setting:
#        recursion no;
};

// Briefly, a zone which has been declared delegation-only will be effectively
// limited to containing NS RRs for subdomains, but no actual data beyond its
// own apex (for example, its SOA RR and apex NS RRset). This can be used to
// filter out "wildcard" or "synthesized" data from NAT boxes or from
// authoritative name servers whose undelegated (in-zone) data is of no
// interest.
// See http://www.isc.org/products/BIND/delegation-only.html for more info

# our 'local' view will be accessible only within the LAN.
# the name is arbitrary; we have chosen 'local' for convenience
view "local" {
  # any local subnets that should see this zone should be listed below.
  # You can also list specific IPs if you prefer.
  match-clients { 192.168.0.0/16; 127.0.0.1; };
  recursion yes;

  # private-only zones go here!
  zone "windomain.local" IN {
     type forward;
     forwarders { 192.168.0.2; };
  };

  zone "brokencouch.local" IN {
     type master;
     # the file stores the zone record.
     file "pri/brokencouch.local.fw";
     allow-update { 127.0.0.1; };
     notify yes;
  };

  zone "0.168.192.in-addr.arpa" IN {
     type master;
     file "pri/brokencouch.local.rev";
     allow-update { 127.0.0.1; };
     notify yes;
  };
};

view "public" {
  match-clients { any; };
  recursion no;

  # public-only zones go here!
  zone "brokencouch.org" IN {
     type master;
     file "pri/brokencouch.local.fw";
  };
};
```
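One offline check that answers "where do I begin troubleshooting" is to confirm that every name a domain join or logon queries (the domain apex and the well-known LDAP/Kerberos SRV names, including the _msdcs subtree) falls under a zone that this named.conf forwards to the domain controller. The script below is an added example, not code from the thread; the named.conf fragment, the DC address 192.168.0.2 and the zone names are constructed from the configs posted above, and the parser handles zone statements only (no comment stripping).

```python
import re

# Constructed named.conf fragment modelled on the thread's config, not the
# poster's literal file. Assumed DC address: 192.168.0.2.
NAMED_CONF = """
view "local" {
  match-clients { 192.168.0.0/16; 127.0.0.1; };
  zone "windomain.local" IN { type forward; forwarders { 192.168.0.2; }; };
  zone "brokencouch.local" IN { type master; file "pri/brokencouch.local.fw"; };
};
"""

def zone_statements(conf):
    """Yield (name, body); brace counting keeps nested forwarders {} blocks."""
    for m in re.finditer(r'zone\s+"([^"]+)"', conf):
        start, depth = conf.index("{", m.end()), 0
        for j in range(start, len(conf)):
            depth += {"{": 1, "}": -1}.get(conf[j], 0)
            if depth == 0:
                yield m.group(1).rstrip(".").lower(), conf[start + 1:j]
                break

def parse_zones(conf):
    """Return {zone: {"type": ..., "forwarders": [ip, ...]}}."""
    zones = {}
    for name, body in zone_statements(conf):
        ztype = re.search(r"type\s+(\w+)\s*;", body)
        fwd = re.search(r"forwarders\s*\{([^}]*)\}", body)
        zones[name] = {"type": ztype and ztype.group(1),
                       "forwarders": re.findall(r"[\d.]+", fwd.group(1)) if fwd else []}
    return zones

def ad_names(ad_domain):
    """Apex plus the well-known LDAP/Kerberos SRV names, including _msdcs."""
    d = ad_domain.rstrip(".").lower()
    return [d, f"_ldap._tcp.{d}", f"_kerberos._tcp.{d}",
            f"_ldap._tcp.dc._msdcs.{d}", f"_kerberos._tcp.dc._msdcs.{d}"]

def best_zone(name, zones):
    """Longest-suffix match, which is how BIND selects the zone for a name."""
    labels = name.split(".")
    return next((z for z in (".".join(labels[i:]) for i in range(len(labels))) if z in zones), None)

def check_ad_coverage(conf, ad_domain, dc_ip):
    """Map each required AD name to where this BIND would answer it from."""
    zones, verdicts = parse_zones(conf), {}
    for name in ad_names(ad_domain):
        z = best_zone(name, zones)
        if z and zones[z]["type"] == "forward" and dc_ip in zones[z]["forwarders"]:
            verdicts[name] = f"forwarded to DC via zone {z}"
        else:
            verdicts[name] = f"NOT reaching DC (zone: {z or 'none, global forwarders'})"
    return verdicts
```

Run `check_ad_coverage(open("/etc/bind/named.conf").read(), "<your AD DNS domain>", "<DC IP>")`: any "NOT reaching DC" line means that SRV lookup is answered by a local master zone or sent to 8.8.8.8 instead of the DC, which is exactly the symptom of a forward-zone name that does not match the real AD domain.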

----------

## nativemad

Honestly, I don't know if it works through the Windows GUI to join the domain itself, as we have some restrictions in place anyway... (ADS with 70,000+ users)

We always do that with a bat file like the following (win.domain.local is the domain name in this example):

```
@echo off
rem ---the following is a one-liner!!
netdom JOIN %computername% /domain:WIN.DOMAIN.LOCAL /ou:ou=OUR-OU,ou=Workstations,dc=win,dc=domain,dc=local /userd:WIN.DOMAIN.LOCAL\Adminuser /passwordd:Userpass
net localgroup "hauptbenutzer" "win\ourusersgroup" /add
net localgroup "power users" "win\ourusersgroup" /add
```

What kind of error did you get then?

----------

## darkphader

Maybe this will help. Not sure if it's what you're trying to do but here's what I do at one account:

I let the Windows AD handle DNS for the internal domain. Not that I particularly like the Windows DNS server but it's simpler than all of the hoop jumping otherwise needed. However, I do want the Windows DNS server isolated from the outside world (anyone can understand this) so I run a DNS cache on one of the Gentoo servers. In this case it isn't the router (I use OpenBSD for this purpose), nor is the DNS cache BIND (I use Unbound), nor do I use Google's public DNS servers (I use OpenDNS as it allows some nice site blocking via categories, etc.). But the concept is the same.

This way the Windows boxen automatically register themselves with the AD's DNS server, the non-Windows boxen get their DNS added manually (to the AD DNS server and the IP addresses are reserved in the DHCP server). All boxen point to the Windows DNS server for DNS resolution (even the Gentoo box running Unbound has its resolv.conf pointing to the Windows AD/DNS box). The Windows DNS server is not recursive, it forwards all requests that it is not authoritative for to the DNS cache running on the Gentoo box (you can set up BIND to just be a cache, although you might want to give Unbound a try). The DNS cache on the Gentoo box forwards requests to OpenDNS (it could of course be any available public DNS or totally be a recursive cache as well).

Of course the firewall blocks all outbound requests to port 53 from all but the Gentoo box running Unbound. And as a finer point, the DNS Client service on all of the Windows boxen is disabled. It's just a machine-local cache, and when you have a fast cache on your local subnet it just gets in the way: it can often be out of date and can slow down resolution.

Basically I've accomplished having a fast local DNS cache for the internal network, while providing a layer of security via use of some OpenDNS features, and without exposing the Windows DNS service to the Internet. The firewall prevents any attempts to circumvent DNS policy by blocking access to port 53 from all but the DNS cache setup on the Gentoo box.

Chris

----------

