SquigglyMonkey asked:
Help with Windows DNS

I inherited a Windows domain abc.local. It is the only domain in the forest. There were no reverse lookup zones. An external domain requested that users on abc.local be able to do lookups on their domain def.local, so a conditional forwarder was added to abc.local, and nslookups of resources on def.local are successful. With no reverse zones in abc.local, should I create a primary reverse lookup zone for ABC.local and then create a stub zone for def.local?
ASKER CERTIFIED SOLUTION
Michael Pfister
Echo Michael,
One should add their local IP ranges as reverse zones.
It helps maintain and track IP use: static IPs used by servers and IPs used by devices.
SquigglyMonkey (ASKER)
Thank you all. That is helpful. Which kind of reverse lookup zone should I create for DEF.local? There are three choices: primary, secondary, stub. Reads like it should be stub.
Ideally, if your main network is based on Windows machines, the reverse zone can be integrated into AD.

In that case, the notion of primary or other is not important.

If you have (a lot of) non-Windows machines on the network, consider authorizing non-secure updates on these reverse zones. Reverse zones can also be managed by other machines/devices on the network. Forwarding from the AD DNS to these devices can also be a solution.
The DHCP server can be configured to register IPs on behalf of clients, eliminating the need to grant non-secure updates to a zone.
Should I create a primary reverse lookup zone in ABC.local, then make a secondary or stub zone for DEF.local? These domains are separate and not in the same forest.
The DHCP server can be configured to register IPs on behalf of clients, eliminating the need to grant non-secure updates to a zone.
Yes, but only for clients using DHCP, not for Linux servers and similar devices.
Imho, static IP assignments should be manually added. If you allow a server to register its static IP and you have record scavenging enabled, the static IP record will be removed by the scavenging process.
IP/host registrations only occur at boot. There are no maintenance updates.
Same applies with forward hostname registration.
Added records are exempt, never expire and are not subject to scavenging.
The problem is that you are not the owner of all IPs on the network, even in the Windows subnet.
And you don't manage all servers, particularly if you usually manage the Windows part.
People who manage other machines (sometimes developers) can change/update their machines, or add new machines.
Dynamic reverse zones are very useful for that.
And as AD domains never use reverse zones, it has no impact on their security.
Deman-Barcelo, because someone might do something, why not throw one's hands up in the air and be done with it?

From a small organization to a large one, the management of IP utilization has to be administered to avoid someone like a developer, bringing up an IP on the network that could impact other services.

Making an update insecure is worse, as it could enable anyone to issue an update to clear a record and register another.

Usually, developers who can add machines to their network are isolated to a subnet where they can do no harm.
Still in the same boat, but I'm not seeing a downside to creating the reverse lookup zones. I am wondering if I create a secondary or stub zone in ABC.local for DEF.local.
Also, there is no DHCP, only static addresses.
One more thing: as Deman mentioned about security software, that is one reason the scan team asked about getting the reverse lookup zones, so their scans would return names instead of IPs.
It would be a primary stub zone for def.local with
@   IN NS dc1.def.local.
@   IN NS dc2.def.local.
@   IN NS dc3.def.local.
dc1 IN A  x.x.x.x
dc2 IN A  x.x.y.y
dc3 IN A  x.x.y.z

You could script, through the use of PowerShell, the addition of the reverse DNS entries for the systems defined in the forward zone.
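Putting the two suggestions above into one script, as an added example that is not part of the thread and not a poster's own code: it creates an AD-integrated reverse zone with secure-only dynamic updates, creates the stub zone for the other forest pointing at its name servers, and then adds a static PTR record for every A record of the forward zone that falls in the subnet. It assumes the DnsServer PowerShell module on a server that is authoritative for abc.local; the subnet 192.168.10.0/24 and the def.local server addresses 10.20.0.11 and 10.20.0.12 are placeholders. Two points worth knowing: a server already holding a conditional forwarder named def.local will not also accept a stub zone of that name (Get-DnsServerZone returns the forwarder, so the script skips it), and PTRs added with Add-DnsServerResourceRecordPtr carry no aging timestamp, so scavenging leaves them alone, which addresses the static-IP concern raised earlier.

```powershell
# Added example (not from the thread). Requires the DnsServer module and DNS admin rights.
# All addresses, subnets and server names are placeholders to be replaced.
Import-Module DnsServer

$ForwardZone = 'abc.local'
$NetworkId   = '192.168.10.0/24'               # placeholder: local subnet that needs PTRs
$StubZone    = 'def.local'                     # zone to stub from the other forest
$StubMasters = @('10.20.0.11', '10.20.0.12')   # placeholder: def.local DNS servers

# Reverse zone name for a classful network (prefix 8, 16 or 24). RFC 2317 delegation
# for smaller subnets is out of scope here.
function Get-ReverseZoneName {
    param([string]$NetworkId)
    $addr, $prefix = $NetworkId -split '/'
    $count = [int]([int]$prefix / 8)
    $kept  = @(@($addr -split '\.')[0..($count - 1)])
    [array]::Reverse($kept)
    return ($kept -join '.') + '.in-addr.arpa'
}

# Owner name of the PTR inside that reverse zone: the host octets, in reverse order.
function Get-PtrName {
    param([string]$IPv4, [int]$PrefixLength)
    $start    = [int]($PrefixLength / 8)
    $hostPart = @(@($IPv4 -split '\.')[$start..3])
    [array]::Reverse($hostPart)
    return ($hostPart -join '.')
}

$addr, $prefix = $NetworkId -split '/'
$PrefixLength  = [int]$prefix
$NetOctets     = [int]($PrefixLength / 8)
$NetPrefix     = (@($addr -split '\.')[0..($NetOctets - 1)] -join '.') + '.'   # "192.168.10."
$ReverseZone   = Get-ReverseZoneName -NetworkId $NetworkId                      # "10.168.192.in-addr.arpa"

# 1. AD-integrated reverse zone, secure dynamic updates only: a host can refresh the PTR
#    it owns (Kerberos-authenticated), nobody can overwrite someone else's record.
if (-not (Get-DnsServerZone -Name $ReverseZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId $NetworkId -ReplicationScope Domain -DynamicUpdate Secure
}

# 2. Stub zone for the other forest: only SOA/NS/glue are pulled from the masters, so the
#    local servers learn who is authoritative without holding a full copy. If a conditional
#    forwarder of the same name already exists on this server, the zone lookup finds it and
#    the stub zone is skipped; the two cannot share a name on one server.
if (-not (Get-DnsServerZone -Name $StubZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerStubZone -Name $StubZone -MasterServers $StubMasters -ReplicationScope Domain
}

# 3. Static PTRs for every A record of the forward zone that lies in the subnet. Records
#    created this way have no aging timestamp and are never scavenged.
$aRecords = Get-DnsServerResourceRecord -ZoneName $ForwardZone -RRType A |
    Where-Object { $_.HostName -ne '@' -and
                   $_.RecordData.IPv4Address.IPAddressToString.StartsWith($NetPrefix) }

foreach ($rec in $aRecords) {
    $ip      = $rec.RecordData.IPv4Address.IPAddressToString
    $fqdn    = '{0}.{1}.' -f $rec.HostName, $ForwardZone
    $ptrName = Get-PtrName -IPv4 $ip -PrefixLength $PrefixLength
    $existing = Get-DnsServerResourceRecord -ZoneName $ReverseZone -Name $ptrName `
                    -RRType Ptr -ErrorAction SilentlyContinue
    if ($existing) {
        # Do not silently replace an existing mapping; report it so a human can decide.
        Write-Host "skip  $ip : PTR already points to $($existing.RecordData.PtrDomainName)"
        continue
    }
    Add-DnsServerResourceRecordPtr -ZoneName $ReverseZone -Name $ptrName -PtrDomainName $fqdn
    Write-Host "added $ip -> $fqdn"
}
```

Run it once with -WhatIf appended to the three Add-DnsServer* calls to see what would be created before touching the zones; the skip branch is deliberate so that a host whose PTR already points elsewhere is reported rather than overwritten.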
Using conditional forwarding is also a good way to manage some specific zones (such as reverse zones) on some specific DNS servers to centralize the information.

If you configure the same reverse zone (for a specific subnet) on several DNS servers in different domains, each DNS server could have only a partial view of the zone.

IPv4 is "easy" to manage, but I don't see a lot of management for IPv6!
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Split:
-- 'Michael Pfister' (https:#a43318869)
-- 'DEMAN-BARCELO (MVP) Thierry' (https:#a43319092)
-- 'arnold' (https:#a43320019)


If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer