Windows AD DNS Server Per NIC Responses with ZeroTier
-
@dafyre said:
You know as well as I do that a Lab environment needs to be isolated from the network, and in some shops, the lab network doesn't even have internet access. I'd like to have my lab network connected to a multihomed DNS server simply because I can. I want to know if the tech can do what I want it to do. No other reason is necessary.
That's fine. If it is a lab you can obviously do whatever you want to do.
For isolation, though, just to be clear and for anyone who reads this and gets the wrong idea from the statement made above, dual homing has always been avoided for security reasons. So if the goal is to isolate a lab from product, or whatever, that is why you avoid dual homing and use a service network. Because the dual homing exposes the product to the lab more, rather than less, than a service network.
I just don't want others reading along and not realizing that this is a lab for a lab's sake and thinking that there is a standard product network design pattern here.
-
@dafyre said:
You know as well as I do that a Lab environment needs to be isolated from the network.... can. I want to know if the tech can do what I want it to do. No other reason is necessary.
This is the bit that I was concerned about. Lacking the lab isolation that I was suggesting. I realize not everyone needs their lab fully isolated, just seems simpler since it would be safer, easier and fix the issue that this thread was about all in one step. I'm saying that a fully isolated lab is easier.
-
Also, wouldn't this lab still be fully part of the AD network since it's using the same DNS servers? If the answer is yes, then it's not really a lab, it's an extension of the production network.
-
@Dashrender said:
Also, wouldn't this lab still be fully part of the AD network since it's using the same DNS servers? If the answer is yes, then it's not really a lab, it's an extension of the production network.
No, not in that way. AD would be extended by LDAP and Kerberos. DNS is just a lookup service. Although this would theoretically expose information about AD, not very much. For full separation you would go with separate DNS in each place. But sharing DNS is pretty trivial as exposure goes.
-
@scottalanmiller said:
@Dashrender said:
Also, wouldn't this lab still be fully part of the AD network since it's using the same DNS servers? If the answer is yes, then it's not really a lab, it's an extension of the production network.
No, not in that way. AD would be extended by LDAP and Kerberos. DNS is just a lookup service. Although this would theoretically expose information about AD, not very much. For full separation you would go with separate DNS in each place. But sharing DNS is pretty trivial as exposure goes.
If the lab machines aren't part of AD, how are they adding entries to DNS? This is all assuming a Windows DNS.
-
@Dashrender said:
if the lab machines aren't part of AD, how are they adding entries to DNS? This is all assuming a Windows DNS.
I think that I missed that they were adding their own entries. You can add things manually to DNS.
-
If you use Windows for DHCP, Linux can update DNS records that way without being part of AD:
http://www.virtxpert.com/allow-linux-to-register-records-with-windows-dns-and-dhcp/
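The approach the link points at relies on the DHCP server registering the client's name on its behalf. As an added example (not from the post or the linked article), this is the ISC dhclient.conf a Linux client would use to send its FQDN (DHCP option 81) and ask the DHCP server to do the DNS update; the hostname and domain are placeholders.

```conf
# /etc/dhcp/dhclient.conf on the Linux client (added example; placeholder names)

# Send the client's own FQDN in the Client FQDN option (option 81) so the
# Windows DHCP server knows which name to register.
send fqdn.fqdn "lab-host.lab.example.com.";

# Send the name in DNS wire (label) encoding rather than plain ASCII.
send fqdn.encoded on;

# Ask the DHCP server to register the A record as well as the PTR record;
# with "off" the client would be expected to register its own A record,
# which a non-domain host cannot do against a secure-update-only zone.
send fqdn.server-update on;
```

On the Windows side the scope must have dynamic DNS updates enabled, and the DHCP server should register records through a dedicated, low-privilege DNS update credential so that lab hosts can only create or overwrite records that credential owns, not production records.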
-
I mention Linux here because it is the most extreme case. If Linux can do it, Windows can too.
-
Chances are if Linux can do it, it probably does it better than Windows, lol.
-
@dafyre said:
Chances are if Linux can do it, it probably does it better than Windows, lol.
And even more so when virtualized.
-
@dafyre said:
Chances are if Linux can do it, it probably does it better than Windows, lol.
I would second that.