Back to Active Directory, Route 53 DNS



  • Hi everybody, after a long period without any AD, we discovered that being without it is just more costly and complicated, so I'm planning to go back to on-premise AD.
    This time I want to use Route 53 as the DNS and not the MS one. Any hints about the records I'll need?



  • If for some reason I didn't want to use MS DNS with AD, I'd set that all up first anyways, and then export the zones to migrate it to a different DNS solution.

    Any reason in particular you don't want to use the built-in DNS with AD? It's so easy and effortless, especially if you are using MS DHCP servers and other MS crap.



  • What about not having AD is costly? MS licensing is very expensive. I can't imagine it being more costly without it, especially with solutions such as SaltStack.



  • Main reason I can think of to use non-Windows DNS/DHCP is for non-Windows devices (i.e. things that need network access but don't use any Windows services).

    For those things I'd put them on their own network and use something else to provide those services to those devices (save on licensing).



  • @tim_g said in Back to Active Directory, Route 53 DNS:

    What about not having AD is costly? MS licensing is very expensive. I can't imagine it being more costly without it, especially with solutions such as SaltStack.

    I was wondering the same thing.



  • @dashrender said in Back to Active Directory, Route 53 DNS:

    Main reason I can think of to use non-Windows DNS/DHCP is for non-Windows devices (i.e. things that need network access but don't use any Windows services).

    He needs AD, he says, so I assume he has a lot of MS / Windows. That's not a reason to use it, but just pointing that out. Typically MS DNS is installed with the first DC, so I can't imagine how using something else is easier. I have tons of Linux using MS DNS and DHCP without any issues ever.



  • @tim_g I want to rely completely on external DNS like Route 53 because of reliability; we already are on that. DHCP is on Ubiquiti.



  • @tim_g said in Back to Active Directory, Route 53 DNS:

    @dashrender said in Back to Active Directory, Route 53 DNS:

    Main reason I can think of to use non-Windows DNS/DHCP is for non-Windows devices (i.e. things that need network access but don't use any Windows services).

    He needs AD, he says, so I assume he has a lot of MS / Windows. That's not a reason to use it, but just pointing that out. Typically MS DNS is installed with the first DC, so I can't imagine how using something else is easier. I have tons of Linux using MS DNS and DHCP without any issues ever.

    After many tries with Dropbox + Azure AD or SaltStack with local users etc., I just found it simpler and more cost-effective to just use AD. We already have Windows Server licensing in place for other reasons.



  • And your AD server is more reliable than a simple DNS service on the same server?

    You could point your AD DNS server to Route 53, and also configure DHCP to assign your Route 53 DNS as the second DNS server. That way you get the ease and convenience of not having to screw with external DNS with AD.

    Lots of options, but it will be more of a pain in the ass to not use MS DNS with AD. It'll work though.
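The original question asked which records AD needs. Whatever DNS hosts the zone, Windows clients locate domain controllers through a fixed set of SRV records that the Netlogon service normally registers by dynamic update; Route 53 does not accept RFC 2136 dynamic updates, so in a copied-up Route 53 zone these records have to be created and kept current through the API. The check below is an added example, not code from the thread or from either DNS product. It builds a constructed record set in the shape of Route 53's ListResourceRecordSets output (the domain `corp.example`, the site `Default-First-Site-Name` and the host `dc1` are assumptions) and reports required SRV names that are missing and SRV targets with no address record in the zone. The GUID CNAME under `_msdcs` used for replication is not covered.

```python
"""Check that a DNS zone carries the SRV records Windows clients use to locate
domain controllers. Added example, not code from the thread. The record set is
constructed to mimic the output of Route 53 ListResourceRecordSets; the domain,
site name and DC host are assumptions."""

DOMAIN = "corp.example"               # assumed AD DNS domain / hosted zone
SITE = "Default-First-Site-Name"      # assumed AD site name
DC = "dc1.corp.example."              # assumed domain controller FQDN

# Owner names (relative to the domain) that Netlogon registers for a DC that
# is also a global catalog in the forest root. The per-site entries are what
# clients in that site query first.
REQUIRED_SRV = [
    "_ldap._tcp.{domain}",
    "_ldap._tcp.dc._msdcs.{domain}",
    "_ldap._tcp.{site}._sites.{domain}",
    "_ldap._tcp.{site}._sites.dc._msdcs.{domain}",
    "_kerberos._tcp.{domain}",
    "_kerberos._tcp.dc._msdcs.{domain}",
    "_kerberos._udp.{domain}",
    "_kpasswd._tcp.{domain}",
    "_kpasswd._udp.{domain}",
    "_gc._tcp.{domain}",
    "_ldap._tcp.gc._msdcs.{domain}",
]
PORTS = {"_ldap": 389, "_kerberos": 88, "_kpasswd": 464, "_gc": 3268}


def expected_names(domain=DOMAIN, site=SITE):
    """Fully qualified, lowercased owner names with the trailing dot Route 53 uses."""
    return {n.format(domain=domain, site=site).lower() + "." for n in REQUIRED_SRV}


def build_sample_zone(domain=DOMAIN, site=SITE, dc=DC):
    """Constructed record set: one A record for the DC plus every required SRV."""
    rrsets = [{"Name": dc, "Type": "A", "TTL": 600,
               "ResourceRecords": [{"Value": "10.0.0.10"}]}]
    for name in sorted(expected_names(domain, site)):
        service = name.split(".")[0]
        # The LDAP entry under gc._msdcs answers on the global catalog port.
        port = 3268 if ".gc._msdcs." in name else PORTS[service]
        rrsets.append({"Name": name, "Type": "SRV", "TTL": 600,
                       "ResourceRecords": [{"Value": f"0 100 {port} {dc}"}]})
    return rrsets


def missing_dc_records(domain, site, rrsets):
    """Required SRV owner names absent from the zone, sorted."""
    present = {r["Name"].lower() for r in rrsets if r["Type"] == "SRV"}
    return sorted(expected_names(domain, site) - present)


def dangling_srv_targets(rrsets):
    """SRV records whose target host has no A/AAAA record in this zone.

    Targets hosted in another zone show up here too, so treat hits as items
    to verify rather than as definite faults."""
    hosts = {r["Name"].lower() for r in rrsets if r["Type"] in ("A", "AAAA")}
    dangling = []
    for r in rrsets:
        if r["Type"] != "SRV":
            continue
        for rr in r["ResourceRecords"]:
            # Route 53 SRV value format: "priority weight port target."
            target = rr["Value"].split()[-1].lower()
            if target not in hosts:
                dangling.append((r["Name"], target))
    return dangling


if __name__ == "__main__":
    zone = build_sample_zone()
    print("missing:", missing_dc_records(DOMAIN, SITE, zone))
    print("dangling:", dangling_srv_targets(zone))
```

To run it against a real hosted zone, replace the constructed list with the `ResourceRecordSets` returned by boto3's `list_resource_record_sets`; the functions only look at `Name`, `Type` and `ResourceRecords`. Running the same check against the AD-integrated zone on the DC before the copy-up shows whether the two copies have drifted.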



  • Anyways, I'd still set up MS DNS with your first DC so you can just more simply export your zones over. Then after testing you can uninstall your MS DNS.



  • @tim_g said in Back to Active Directory, Route 53 DNS:

    And your AD server is more reliable than a simple DNS service on the same server?

    You could point your AD DNS server to Route 53, and also configure DHCP to assign your Route 53 DNS as the second DNS server. That way you get the ease and convenience of not having to screw with external DNS with AD.

    Lots of options, but it will be more of a pain in the ass to not use MS DNS with AD. It'll work though.

    AD is not nearly as critical as DNS. I can be without an AD server for a week without noticing it.



  • @tim_g said in Back to Active Directory, Route 53 DNS:

    And your AD server is more reliable than a simple DNS service on the same server?

    You could point your AD DNS server to Route 53, and also configure DHCP to assign your Route 53 DNS as the second DNS server. That way you get the ease and convenience of not having to screw with external DNS with AD.

    Lots of options, but it will be more of a pain in the ass to not use MS DNS with AD. It'll work though.

    The master-slave idea is great, I already considered it and it sounds good to me also.



  • @francesco-provino said in Back to Active Directory, Route 53 DNS:

    @tim_g said in Back to Active Directory, Route 53 DNS:

    And your AD server is more reliable than a simple DNS service on the same server?

    You could point your AD DNS server to Route 53, and also configure DHCP to assign your Route 53 DNS as the second DNS server. That way you get the ease and convenience of not having to screw with external DNS with AD.

    Lots of options, but it will be more of a pain in the ass to not use MS DNS with AD. It'll work though.

    AD is not nearly as critical as DNS. I can be without an AD server for a week without noticing it.

    Right, but that's why almost everything asks for at least two DNS servers in IP configurations. Many allow you to configure more.

    If you can be without it for that long and not notice, it doesn't seem you have any services really relying on it... which makes me further lean towards Salt. Salt is extremely easy to use. Did you give it a fair chance and learn it?



  • @tim_g said in Back to Active Directory, Route 53 DNS:

    @francesco-provino said in Back to Active Directory, Route 53 DNS:

    @tim_g said in Back to Active Directory, Route 53 DNS:

    And your AD server is more reliable than a simple DNS service on the same server?

    You could point your AD DNS server to Route 53, and also configure DHCP to assign your Route 53 DNS as the second DNS server. That way you get the ease and convenience of not having to screw with external DNS with AD.

    Lots of options, but it will be more of a pain in the ass to not use MS DNS with AD. It'll work though.

    AD is not nearly as critical as DNS. I can be without an AD server for a week without noticing it.

    Right, but that's why almost everything asks for at least two DNS servers in IP configurations. Many allow you to configure more.

    If you can be without it for that long and not notice, it doesn't seem you have any services really relying on it... which makes me further lean towards Salt. Salt is extremely easy to use. Did you give it a fair chance and learn it?

    One thing is to have AD infrastructure in place (that can cache credentials and policies for a long time), another one is to have one or more DCs always available.

    I like Salt and I use it for my Linux environments (now learning Ansible), but I just prefer the AD integration with many services like our ERP.



  • If your ERP didn't integrate with AD, what authentication would it use?

    What was the issue with DropBox and Azure AD? Is your issue the lack of centralized authentication? (I'm assuming DropBox can't use your users from Azure AD, or vice versa?)



  • Is your plan to not have a LAN? Not sure how you use a public DNS for internal records (NAT'ed, non-routable IPs) - I mean, of course you can put non-routable IPs in a public DNS server, but that really seems weird.



  • Are you referring to Route 53 Private DNS hosting to store the zone and reverse DNS zones? Or are you just referring to DNS resolution to resolve public internet services outside of your domain?

    If the latter, and in reference to no AD clients I am assuming one issue is the slowness with which DNS can resolve on insecure clients (non AD) for internet services?

    Just trying to understand the resiliency issue you are targeting by not using AD DNS...



  • @dashrender said in Back to Active Directory, Route 53 DNS:

    If your ERP didn't integrate with AD, what authentication would it use?

    Depending on how many people use the ERP I can see that being an issue. If it's manufacturing and every office employee uses it for documents, billing, etc. and every shop employee uses it for time tracking and job tracking it could be a nuisance. Plus I doubt there's a way that automation tools can set usernames and passwords because I'm willing to bet this software doesn't have a RESTful API to work with.


  • I agree with the idea of still using local DNS on the AD server(s) and then just having that copy up to Route 53. The only downside is that it would be really cumbersome to make DNS changes if the local AD was down. But would you want to make changes during that period anyway?



  • @scottalanmiller said in Back to Active Directory, Route 53 DNS:

    I agree with the idea of still using local DNS on the AD server(s) and then just having that copy up to Route 53. The only downside is that it would be really cumbersome to make DNS changes if the local AD was down. But would you want to make changes during that period anyway?

    You could have your orchestration tool do that for you as well. That way they are always in sync, but it's in sync from the orchestration tool instead of some other method.

    I'm assuming Salt uses dictionaries the same way Ansible does. For the one role I have I just add a DNS record like this:

    records:
      router: { type: A, last: 1, mac: }
      server-a: { type: A, last: 5, mac: "de:ad:be:ef:ca:fe" }
    

    The MAC doesn't have to be used but I can use the same dictionary for both reservations and DNS entries that way. Then just have your orchestration tool push the changes to both DNS on the AD server and Route 53.
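The dictionary above is the interesting part of that approach: one entry drives the DHCP reservation, the record in the AD-integrated zone and the copy in Route 53, so the three can never disagree unless the tool fails half way. The script below is an added example of that pattern, not stacksofplates' role and not Ansible or Salt code. It takes a constructed dictionary in the same shape as the post's, and the zone name `corp.example` and subnet `10.0.0.0/24` are assumptions. It validates each entry once (usable host number, duplicate IP or MAC, malformed MAC, the empty `mac:` that YAML loads as null) and then emits the three derived views: DHCP reservation tuples, `Add-DnsServerResourceRecordA` lines for the DC, and a ChangeBatch in the shape boto3's `change_resource_record_sets` accepts.

```python
"""Derive DHCP reservations, AD DNS commands and a Route 53 change batch from
one records dictionary. Added example, not stacksofplates' role; the dictionary
shape follows the post, while the zone name and subnet are assumptions."""
import ipaddress
import re

ZONE = "corp.example"                          # assumed AD domain / hosted zone
SUBNET = ipaddress.ip_network("10.0.0.0/24")   # assumed; 'last' is the host part
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed input in the shape of the post's dictionary. An empty `mac:` in
# YAML loads as None, which the code below treats as "no reservation".
RECORDS = {
    "router":   {"type": "A", "last": 1, "mac": None},
    "server-a": {"type": "A", "last": 5, "mac": "de:ad:be:ef:ca:fe"},
}


def host_ip(last, subnet=SUBNET):
    """Host address for the given host number, rejecting network and broadcast."""
    ip = subnet.network_address + last
    if last < 1 or ip >= subnet.broadcast_address:
        raise ValueError(f"host number {last} is not usable in {subnet}")
    return ip


def expand(records, zone=ZONE, subnet=SUBNET):
    """Validate every entry once and resolve it to name, FQDN, IP and MAC."""
    seen_ips, seen_macs, hosts = set(), set(), []
    for name, spec in records.items():
        if spec.get("type") != "A":
            raise ValueError(f"{name}: only A records are handled here")
        ip = str(host_ip(spec["last"], subnet))
        if ip in seen_ips:
            raise ValueError(f"{name}: {ip} already assigned")
        mac = (spec.get("mac") or "").lower() or None
        if mac is not None:
            if not MAC_RE.match(mac):
                raise ValueError(f"{name}: malformed MAC {mac!r}")
            if mac in seen_macs:
                raise ValueError(f"{name}: MAC {mac} already reserved")
            seen_macs.add(mac)
        seen_ips.add(ip)
        hosts.append({"name": name, "fqdn": f"{name}.{zone}", "ip": ip, "mac": mac})
    return hosts


def dhcp_reservations(hosts):
    """(mac, ip, name) tuples; entries without a MAC get a DNS record only."""
    return [(h["mac"], h["ip"], h["name"]) for h in hosts if h["mac"]]


def ad_dns_commands(hosts, zone=ZONE):
    """PowerShell lines for the AD-integrated zone (DnsServer module cmdlet)."""
    return [f"Add-DnsServerResourceRecordA -ZoneName {zone} "
            f"-Name {h['name']} -IPv4Address {h['ip']}" for h in hosts]


def route53_change_batch(hosts, ttl=300):
    """ChangeBatch in the shape boto3's change_resource_record_sets expects."""
    return {
        "Comment": "managed from the records dictionary",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {"Name": h["fqdn"] + ".", "Type": "A",
                                  "TTL": ttl, "ResourceRecords": [{"Value": h["ip"]}]},
        } for h in hosts],
    }


if __name__ == "__main__":
    hosts = expand(RECORDS)
    for line in ad_dns_commands(hosts):
        print(line)
    print(dhcp_reservations(hosts))
    print(route53_change_batch(hosts))
```

Because validation happens before anything is emitted, a bad entry stops the run before any of the three targets is touched, which is the property that keeps the AD zone and the Route 53 copy in step. UPSERT is used so a re-run is idempotent; deletions still need an explicit DELETE change, which this example does not generate.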



  • @dashrender said in Back to Active Directory, Route 53 DNS:

    If your ERP didn't integrate with AD, what authentication would it use?

    What was the issue with DropBox and Azure AD? Is your issue the lack of centralized authentication? (I'm assuming DropBox can't use your users from Azure AD, or vice versa?)

    We are using local ERP users, another set of credentials to manage. That is one of the issues.

    DropBox becomes very pricey if you have a lot of data and a lot of users… spinning up another Windows fileserver is essentially free for us (we have a Datacenter license). And… yes, of course DropBox cannot use AzureAD auth.



  • @dashrender said in Back to Active Directory, Route 53 DNS:

    Is your plan to not have a LAN? Not sure how you use a public DNS for internal records (NAT'ed, non-routable IPs) - I mean, of course you can put non-routable IPs in a public DNS server, but that really seems weird.

    I try to be almost LANless (AzureAD, Dropbox, public DNS), but it does not work so well for our workflow. I see no issue with private IPs on public DNS, there is zero valuable information in our IP/server names.



  • @bigbear said in Back to Active Directory, Route 53 DNS:

    Are you referring to Route 53 Private DNS hosting to store the zone and reverse DNS zones? Or are you just referring to DNS resolution to resolve public internet services outside of your domain?

    If the latter, and in reference to no AD clients I am assuming one issue is the slowness with which DNS can resolve on insecure clients (non AD) for internet services?

    Just trying to understand the resiliency issue you are targeting by not using AD DNS...

    I’m already using Route 53 to resolve internal addresses.



  • @stacksofplates said in Back to Active Directory, Route 53 DNS:

    @dashrender said in Back to Active Directory, Route 53 DNS:

    If your ERP didn't integrate with AD, what authentication would it use?

    Depending on how many people use the ERP I can see that being an issue. If it's manufacturing and every office employee uses it for documents, billing, etc. and every shop employee uses it for time tracking and job tracking it could be a nuisance. Plus I doubt there's a way that automation tools can set usernames and passwords because I'm willing to bet this software doesn't have a RESTful API to work with.

    Exactly, we have many applications that we can integrate with AD, making our life easier.



  • @francesco-provino said in Back to Active Directory, Route 53 DNS:

    I see no issue with private IPs on public DNS, there is zero valuable information in our IP/server names.

    Yeah, typically you need to be on someone's local network. And if you are, you can get server names and IPs so easily just by scanning. There's really no need to block IPs and server names in screenshots and such. All you're doing is adding 30 seconds to an attacker's work.



  • @scottalanmiller said in Back to Active Directory, Route 53 DNS:

    I agree with the idea of still using local DNS on the AD server(s) and then just having that copy up to Route 53. The only downside is that it would be really cumbersome to make DNS changes if the local AD was down. But would you want to make changes during that period anyway?

    This is a no-issue, our DNS config is almost static.



  • @francesco-provino said in Back to Active Directory, Route 53 DNS:

    @dashrender said in Back to Active Directory, Route 53 DNS:

    Is your plan to not have a LAN? Not sure how you use a public DNS for internal records (NAT'ed, non-routable IPs) - I mean, of course you can put non-routable IPs in a public DNS server, but that really seems weird.

    I see no issue with private IPs on public DNS, there is zero valuable information in our IP/server names.

    Ya I don’t see an issue either. The only thing that may ever happen is if someone is on a LAN with the same subnet as you and you also have the same record name as a public server. But that seems so out of the way that it’s not even worth considering.



  • I did think of one other issue that would need to be explicitly used in an attack. One of your workers takes a laptop somewhere and connects to public WiFi. They actually connect to a rogue network with the same subnet as your work subnet. Then they could create a few honeypot servers to try to grab any credentials that are sent automatically.

    But again this is such a crazy specific case where you have to be targeted with a huge effort behind it. And if they are specifically targeting you they will likely do something much much easier.



  • However I do see a big plus. If you’re using something like ZeroTier, now all of your mobile devices can resolve DNS names, since you can’t control the phone's DNS on cellular.



  • @stacksofplates said in Back to Active Directory, Route 53 DNS:

    However I do see a big plus. If you’re using something like ZeroTier, now all of your mobile devices can resolve DNS names, since you can’t control the phone's DNS on cellular.

    That’s exactly what we do now.

