[Unbound-users] Unbound vs MS Resolver
davew at hireahit.com
Wed Jun 4 23:51:28 CEST 2014
On 2014-06-04 08:18, Joe Abley wrote:
> I don't see the logical jump, here.
> A DNS UPDATE client can identify the correct domain controller using the SOA MNAME. A recursive resolver can identify the correct domain controller for a zone by following a referral chain. Yes, some environments might have split DNS design decisions that turn out to make this tricky, but really that's more of a reflection of those design decisions than any downstream implementation decision.
It's not just that the DNS is split (Microsoft doesn't even support
split zones within Active Directory enabled zones in a traditional
"split" format), but rather that updates are done in a multi-master
scenario while sites may have replication intervals in the period of
minutes, hours, or days, and updates are best processed by the local AD
DNS servers (they are not forwarded upstream using the SOA record or
anything else).
In a small environment none of this matters, but in large, multi-site,
physically decentralized environments, you might really want local
clients doing updates to a local AD server so that their DNS records
appear immediately locally, and that doesn't happen if you use the
traditional "Update the SOA MNAME and wait for the changes to wander
down to other servers" approach.
Microsoft's DNS server is a true multi-master; there's nothing
particularly special about the server listed as MNAME. Literally any AD
DNS server can process updates locally and will ensure that changes are
replicated out to appropriate partners.
I'm NOT saying it's the only option -- just that it's Microsoft's best
practice to use Microsoft DNS servers to service Microsoft Active
Directory joined servers and clients, and in my experience, staying
within Microsoft's best practices is usually wise unless you can
articulate a reason to make a different choice. If you have a practical
reason to do something different, do it! I do a lot of non-standard
stuff in Windows all the time.
(This isn't even a sales point, Microsoft DNS server is a free component
that requires no additional licensing beyond the Active Directory
But at least in this case, I'm more interested in getting the benefits
of unbound (awesome resolver performance, DNSSEC validation,
pre-fetching, etc.) without adding headache (using non-AD DNS for an
Active Directory environment), so using Windows DNS internally and
unbound for external resolution seems like an ideal configuration unless
there are downsides (such as performance).
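The configuration Dave describes (AD DNS servers handling the AD namespace and dynamic updates locally, unbound doing validated external resolution on their behalf) can be expressed as an unbound.conf fragment. This is an added example, not from Dave's post or from the Unbound project; the addresses, the zone name "corp.example" and the trust-anchor path are constructed placeholders.

```conf
# Added example: unbound as the external, validating resolver behind
# Active Directory DNS. The DCs forward anything outside the AD namespace
# here; clients keep pointing at the DCs, so dynamic updates and AD-zone
# lookups stay local and multi-master, as described in the post.
# All addresses and the zone name "corp.example" are constructed.
server:
    interface: 192.0.2.53

    # Only the AD DNS servers (and localhost) may query this resolver, so
    # it never becomes an open resolver. Default action for everything else
    # is refuse.
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 10.1.0.10/32 allow     # DC / DNS server, site A
    access-control: 10.2.0.10/32 allow     # DC / DNS server, site B

    # DNSSEC validation with an RFC 5011 managed root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-glue: yes
    harden-dnssec-stripped: yes

    # The prefetching benefit mentioned above: refresh popular names and
    # DNSKEYs before they expire from the cache.
    prefetch: yes
    prefetch-key: yes

    # Rebinding protection: strip RFC 1918 addresses from answers that come
    # from the public tree...
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    # ...but allow them for the AD zone, which legitimately returns them.
    private-domain: "corp.example."

    # The AD zone is not DNSSEC-signed and is served by the DCs; mark it
    # insecure so validation does not SERVFAIL it if a query for it ever
    # reaches unbound directly.
    domain-insecure: "corp.example."
    domain-insecure: "10.in-addr.arpa."

    # unbound serves an empty 10.in-addr.arpa by default (AS112 zones);
    # switch that off so reverse lookups for AD hosts reach the DCs.
    local-zone: "10.in-addr.arpa." nodefault

# Anything for the AD namespace that does arrive here goes back to the
# DCs rather than to the public root.
forward-zone:
    name: "corp.example."
    forward-addr: 10.1.0.10
    forward-addr: 10.2.0.10

forward-zone:
    name: "10.in-addr.arpa."
    forward-addr: 10.1.0.10
    forward-addr: 10.2.0.10
```

On the Windows side each DC's forwarder list points at the unbound host with root hints disabled (the Set-DnsServerForwarder cmdlet handles this), so only non-AD names leave the AD DNS servers. After editing, unbound-checkconf validates the file, and unbound-host -v against a signed external name should report the answer as secure, which confirms that validation is actually happening on the path the DCs forward through.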