    Windows AD DNS Server Per NIC Responses with ZeroTier

IT Discussion
Tags: windows, active directory, dns, windows dns, zerotier
dafyre:

      I actually was thinking about things like two separate NICs in a DNS server that sits on 2 networks that don't have access to one another.

      I don't want the DNS server giving out 192.168.50 addresses on the 192.168.30 subnet.

scottalanmiller @dafyre:

        @dafyre said:

        I actually was thinking about things like two separate NICs in a DNS server that sits on 2 networks that don't have access to one another.

        I don't want the DNS server giving out 192.168.50 addresses on the 192.168.30 subnet.

        What is the underlying purpose of the dual homing?

dafyre:

          To have one DNS server serving two separate, unrelated subnets to which it has a NIC in each.

scottalanmiller @dafyre:

            @dafyre said:

            To have one DNS server serving two separate, unrelated subnets to which it has a NIC in each.

            Why are the subnets unrelated if single devices have to sit on both of them? They must be somehow related. Why isn't there a third, service network for the shared services? Once you multi-home you are tying the networks together, just in a poor way.

dafyre @scottalanmiller:

              @scottalanmiller said:

              @dafyre said:

              To have one DNS server serving two separate, unrelated subnets to which it has a NIC in each.

              Why are the subnets unrelated if single devices have to sit on both of them? They must be somehow related. Why isn't there a third, service network for the shared services? Once you multi-home you are tying the networks together, just in a poor way.

              Only if you are using a device for routing. And that is not what I want done...

              What I want is Split-Brain DNS (coming Feature in Server 2016, http://blogs.technet.com/b/networking/archive/2015/05/12/split-brain-dns-deployment-using-windows-dns-server-policies.aspx)... Guess I gotta wait a few more weeks.

              My primary use case would be for something like with ZeroTier, but I could see it being useful under certain types of lab conditions as well.

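The split-brain behaviour dafyre is after, and the requirement from the first post that the server never hands out 192.168.50 addresses to clients on the 192.168.30 subnet, maps onto the DNS Server Policies cmdlets that shipped with Windows Server 2016. The PowerShell below is an added example written for this thread; it is not code from the thread or from the linked Microsoft blog post. The zone name corp.example.lab, the record name app, the two server interface addresses (192.168.30.5 and 192.168.50.5) and the record values are assumptions; only the two subnets come from the thread.

```powershell
# Added example, not from the thread. Assumed/constructed values: the zone
# corp.example.lab, the host "app", the server's interface addresses
# 192.168.30.5 (lab NIC) and 192.168.50.5 (production NIC), and the record
# data. The two subnets 192.168.30.0/24 and 192.168.50.0/24 come from the thread.
Import-Module DnsServer

$Zone = 'corp.example.lab'

# 1. Name the lab client subnet so a policy can match on it.
Add-DnsServerClientSubnet -Name 'LabSubnet' -IPv4Subnet '192.168.30.0/24'

# 2. Create a zone scope that holds the lab view of the zone.
#    The zone's default (unnamed) scope keeps the production records.
Add-DnsServerZoneScope -ZoneName $Zone -Name 'LabScope'

# 3. Same name, a different answer in each scope.
Add-DnsServerResourceRecord -ZoneName $Zone -A -Name 'app' -IPv4Address '192.168.50.20'
Add-DnsServerResourceRecord -ZoneName $Zone -A -Name 'app' -IPv4Address '192.168.30.20' -ZoneScope 'LabScope'

# 4a. Policy keyed on the querying client's subnet ...
Add-DnsServerQueryResolutionPolicy -Name 'LabBySubnet' -Action ALLOW `
    -ClientSubnet 'EQ,LabSubnet' -ZoneScope 'LabScope,1' -ZoneName $Zone

# 4b. ... or, matching the thread title, keyed on which server NIC received the query.
#     Either criterion alone is enough; both can be combined in one policy with -Condition AND.
Add-DnsServerQueryResolutionPolicy -Name 'LabByInterface' -Action ALLOW `
    -ServerInterfaceIP 'EQ,192.168.30.5' -ZoneScope 'LabScope,1' -ZoneName $Zone

# 5. Check what was configured and what each side of the server answers.
Get-DnsServerQueryResolutionPolicy -ZoneName $Zone | Format-Table Name, ProcessingOrder, IsEnabled
Resolve-DnsName -Name "app.$Zone" -Server 192.168.30.5 -Type A   # query via the lab NIC
Resolve-DnsName -Name "app.$Zone" -Server 192.168.50.5 -Type A   # query via the production NIC
```

Run the two Resolve-DnsName calls from a host on each subnet: the lab side should get the 192.168.30.20 record and the production side the 192.168.50.20 record. Two caveats worth knowing before relying on this. First, zone scopes are independent: a query steered into LabScope is answered only from LabScope's records, so every name the lab must resolve has to be added there, not just the ones that differ. Second, policies shape answers only; they do nothing about the server itself being reachable from both networks, which is the exposure scottalanmiller raises below. Policies are also per-server, so any secondary that should behave the same way needs its own copies.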
scottalanmiller:

                But why don't you want that done? You are leading with your tech want, but what is the business need? What is the business factor pushing you to dual homing?

dafyre:

                  Just to be clear, I've answered my question -- I didn't know what it was called, but it is called Split-Brain DNS. If you are a Windows shop, you get that feature in Server 2016.

                  ===

You know as well as I do that a lab environment needs to be isolated from the network, and in some shops the lab network doesn't even have internet access. I'd like to have my lab network connected to a multihomed DNS server simply because I can. I want to know if the tech can do what I want it to do. No other reason is necessary.

scottalanmiller @dafyre:

                    @dafyre said:

You know as well as I do that a lab environment needs to be isolated from the network, and in some shops the lab network doesn't even have internet access. I'd like to have my lab network connected to a multihomed DNS server simply because I can. I want to know if the tech can do what I want it to do. No other reason is necessary.

                    That's fine. If it is a lab you can obviously do whatever you want to do.

                    For isolation, though, just to be clear and for anyone who reads this and gets the wrong idea from the statement made above, dual homing has always been avoided for security reasons. So if the goal is to isolate a lab from product, or whatever, that is why you avoid dual homing and use a service network. Because the dual homing exposes the product to the lab more, rather than less, than a service network.

                    I just don't want others reading along and not realizing that this is a lab for a lab's sake and thinking that there is a standard product network design pattern here.

scottalanmiller @dafyre:

                      @dafyre said:

                      You know as well as I do that a Lab environment needs to be isolated from the network.... can. I want to know if the tech can do what I want it to do. No other reason is necessary.

                      This is the bit that I was concerned about. Lacking the lab isolation that I was suggesting. I realize not everyone needs their lab fully isolated, just seems simpler since it would be safer, easier and fix the issue that this thread was about all in one step. I'm saying that a fully isolated lab is easier.

Dashrender:

                        Also, wouldn't this lab still be fully part of the AD network since it's using the same DNS servers? If the answer is yes, then it's not really a lab, it's an extension of the production network.

scottalanmiller @Dashrender:

                          @Dashrender said:

                          Also, wouldn't this lab still be fully part of the AD network since it's using the same DNS servers? If the answer is yes, then it's not really a lab, it's an extension of the production network.

                          No, not in that way. AD would be extended by LDAP and Kerberos. DNS is just a lookup service. Although this would theoretically expose information about AD, not very much. For full separation you would go with separate DNS in each place. But sharing DNS is pretty trivial as exposure goes.

Dashrender @scottalanmiller:

                            @scottalanmiller said:

                            @Dashrender said:

                            Also, wouldn't this lab still be fully part of the AD network since it's using the same DNS servers? If the answer is yes, then it's not really a lab, it's an extension of the production network.

                            No, not in that way. AD would be extended by LDAP and Kerberos. DNS is just a lookup service. Although this would theoretically expose information about AD, not very much. For full separation you would go with separate DNS in each place. But sharing DNS is pretty trivial as exposure goes.

If the lab machines aren't part of AD, how are they adding entries to DNS? This is all assuming a Windows DNS.

scottalanmiller @Dashrender:

                              @Dashrender said:

If the lab machines aren't part of AD, how are they adding entries to DNS? This is all assuming a Windows DNS.

                              I think that I missed that they were adding their own entries. You can add things manually to DNS.

scottalanmiller:

                                If you use Windows for DHCP, Linux can update DNS records that way without being part of AD:

                                http://www.virtxpert.com/allow-linux-to-register-records-with-windows-dns-and-dhcp/

scottalanmiller:

                                  I mention Linux here because it is the most extreme case. If Linux can do it, Windows can too.

dafyre:

                                    Chances are if Linux can do it, it probably does it better than Windows, lol.

scottalanmiller @dafyre:

                                      @dafyre said:

                                      Chances are if Linux can do it, it probably does it better than Windows, lol.

And even more so when virtualized.

Reid Cooper @dafyre:

                                        @dafyre said:

                                        Chances are if Linux can do it, it probably does it better than Windows, lol.

                                        I would second that.
