DNS setup for use with Windows

Setting up DNS using bind

© 2009, 2010, 2011 Dennis Leeuw dleeuw at made-it dot com
License: GPLv2 or later

Index

    1. SRV Records
      1. Kerberos
      2. LDAP
      3. Active Directory support
    2. Dynamic Client Updates

SRV Records

Kerberos uses SRV records in DNS to locate its services. To make replacing a machine easier (e.g. when the KDC is replaced) we use CNAMEs to give the servers a functional name; however, the target of an SRV record must not be a CNAME (RFC 2782), so the SRV records themselves have to point at the canonical host name. For quick reference, here is what an SRV record looks like; see RFC 2782 for more information:

_service._proto.name ttl IN SRV priority weight port target

_service
The symbolic name of the service (e.g. kerberos, ldap) as registered in the IANA service names and port numbers registry, prefixed with an underscore
_proto
The transport protocol, normally _tcp or _udp, again prefixed with an underscore
name
The normal DNS "domain" part: a full or partial domain name, a single . or nothing (in which case $ORIGIN is appended)
ttl
Time to live parameter
IN
Internet CLASS parameter
SRV
The SeRVice RR.
priority
A number between 0 and 65535. Clients must try the target with the lowest number first and only fall back to targets with a higher number when that one does not answer.

weight
A number between 0 and 65535 used to choose between targets that have the same priority. The weight determines the share of lookups that select this target relative to the other targets of that priority. Example: if two hosts have the same priority and one has a weight of 5 and the other a weight of 3, then on average 5 out of 8 lookups will pick the host with the weight of 5. Use 0 when there is no selection to make.
port
The port number that the service is running on. Normally this is the port number registered with IANA for the service, but it can be whatever port the server actually listens on.
target
The host name that provides the service. May be a host name or a FQDN, but it must be the canonical name (a name that has A or AAAA records); it must not be a CNAME.

Kerberos

The different SRV records defined for Kerberos use are:

_kerberos._udp
The default port is 88; this record is used to contact the KDC for almost everything.
_kerberos._tcp
The default port is 88, but the MIT KDC we used did not listen on TCP by default (see kdc_tcp_ports in the kdc.conf file), so the record was of no use to us. Only publish it if your KDC actually accepts TCP connections.
_kerberos-master._udp
The default port is 88 and the record should point to the KDC that sees password changes first. If a client gets a 'wrong password' answer from e.g. a slave KDC, it contacts this server to verify whether the password was really incorrect or the slave was simply not yet updated.
_kerberos-adm._tcp
The default port is 749 and the record is meant to let the kadmin utilities find the admin server, but our MIT version did not use it, so you need the admin_server setting in the krb5.conf file (see later).
_kpasswd._udp
The default is port 464 on the master KDC and the record is used when a user changes his or her password.
_kerberos-iv._udp
Only used for Kerberos version 4, which we do not use.

Put together for the realm EXAMPLE.COM, with the KDC on the host krb5.example.com and kerberos.example.com as its functional name, the zone file looks like this:

$ORIGIN example.com.
$TTL 86400      ; 1 day
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                                2009022507 ; serial
                                10800      ; refresh (3 hours)
                                900        ; retry (15 minutes)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )

        IN NS   ns1.example.com.

; ns1 is a real A record: NS and SOA targets must not be CNAMEs either
ns1                     A       192.168.1.1

; the KDC, and the functional name that clients and admins use for it
krb5                    A       192.168.1.1
kerberos                CNAME   krb5

; realm name, for clients that use dns_lookup_realm
_kerberos               TXT     "EXAMPLE.COM"

; SRV records point at the canonical host name, never at the CNAME
$ORIGIN _tcp.example.com.
_kerberos-adm           SRV     0 0 749 krb5.example.com.

$ORIGIN _udp.example.com.
_kerberos               SRV     0 0 88  krb5.example.com.
_kerberos-master        SRV     0 0 88  krb5.example.com.
_kpasswd                SRV     0 0 464 krb5.example.com.
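The rule that an SRV target must be a canonical name with address records is exactly the thing that breaks once a zone uses CNAMEs for functional names, as above, and BIND will load such a zone without complaint. The following script is an added example, not part of the original page: it walks a BIND-style zone file (following $ORIGIN and owner-less continuation lines), collects every SRV record and reports targets that are CNAMEs or that have no A/AAAA record in the zone, plus priority/weight/port values outside 0..65535. It assumes the zone is fed on standard input and that the zone origin is given as the first argument; the sample zone in the usage at the end is constructed for the demonstration and deliberately contains one bad record.

```shell
#!/bin/sh
# check_srv_targets ORIGIN  < zonefile
# Reads a BIND zone file, tracks $ORIGIN, and lists every SRV record whose
# target is a CNAME (forbidden by RFC 2782) or has no A/AAAA record in the zone.
# Returns 0 when all SRV targets are canonical, 1 otherwise.
check_srv_targets() {
    awk -v origin="$1" '
    # Turn a possibly relative owner or target name into an absolute one.
    function fqdn(n) {
        if (n == "@") return origin
        if (n ~ /\.$/) return n
        if (origin == ".") return n "."
        return n "." origin
    }
    BEGIN { bad = 0 }
    {
        sub(/;.*/, "")                       # strip comments
        if (NF == 0) next
        if ($1 == "$ORIGIN") { origin = fqdn($2); next }
        if ($1 == "$TTL") next
        if ($0 ~ /^[ \t]/) {                 # no owner name: reuse the previous one
            name = last
        } else {
            name = fqdn($1); last = name
            sub(/^[^ \t]+[ \t]+/, "")
        }
        # skip an optional TTL and class in front of the record type
        while ($1 ~ /^[0-9]+$/ || $1 == "IN") sub(/^[^ \t]+[ \t]+/, "")
        if ($1 == "SRV") {
            if ($2 > 65535 || $3 > 65535 || $4 > 65535) {
                printf "%s: priority, weight or port out of range\n", name; bad = 1
            }
            n++; srv[n] = name; tgt[n] = fqdn($5)
        } else if ($1 == "CNAME") {
            cname[name] = 1
        } else if ($1 == "A" || $1 == "AAAA") {
            addr[name] = 1
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            if (tgt[i] in cname) {
                printf "%s -> %s is a CNAME\n", srv[i], tgt[i]; bad = 1
            } else if (!(tgt[i] in addr)) {
                printf "%s -> %s has no A/AAAA record in this zone\n", srv[i], tgt[i]; bad = 1
            }
        }
        exit bad
    }'
}

# Constructed sample zone: the _kpasswd record points at the CNAME "kerberos"
# instead of the canonical host "krb5" and must be reported.
check_srv_targets example.com. <<'EOF' || echo "check_srv_targets: problems found (expected for this sample)"
$ORIGIN example.com.
$TTL 86400
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2009022507 10800 900 604800 86400 )
        IN NS   ns1.example.com.
ns1     A       192.168.1.1
krb5    A       192.168.1.1
kerberos CNAME  krb5
$ORIGIN _udp.example.com.
_kerberos       SRV 0 0 88  krb5.example.com.
_kpasswd        SRV 0 0 464 kerberos.example.com.
EOF
```

Run it as `check_srv_targets example.com. < internal/com.example.zone` before reloading named. A target that lives in another zone (like an ldap server in a different domain) is reported as missing because the script only sees this zone; treat that as a prompt to check the target's A record there rather than as a false alarm.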

LDAP

A DNS service description for LDAP is very simple:

_ldap._tcp
The default port for LDAP is 389.

_ldap._tcp.example.com.    IN SRV 0 0 389 ldap.example.com.

Active Directory support

To support Active Directory in your bind DNS server you need a couple of extra entries. Below is a short overview of the names Active Directory expects to be able to resolve. It only deals with the _ldap records, but the same holds for the _kerberos, _kpasswd and _gc records.

_ldap._tcp.<DNSDomainName>
Locates a domain controller (Windows 2000 or later) for the domain.
_ldap._tcp.<SiteName>._sites.<DNSDomainName>
Locates a domain controller for a specific site (e.g. _ldap._tcp.newyork._sites.forest.example.com).
_ldap._tcp.dc._msdcs.<DNSDomainName>
Locates a domain controller for the domain. The names under _msdcs are registered only by Active Directory domain controllers, so clients that specifically need a domain controller use these.
_ldap._tcp.pdc._msdcs.<DNSDomainName>
Resolves to the domain controller that holds the PDC emulator flexible single master operation (FSMO) role.
_ldap._tcp.gc._msdcs.<DNSDomainName>
Resolves a Global Catalog (GC) server; note that the GC listens on port 3268, not 389.
_ldap._tcp.<SiteName>._sites.gc._msdcs.<DNSDomainName>
Resolves a site specific Global Catalog server.
_ldap._tcp.<DomainGUID>.domains._msdcs.<DNSDomainName>
Locates a domain controller for the domain by the domain's globally unique ID instead of its name.

An example of the entries Windows Server 2003 registers when Active Directory is installed (domain forest.example.com, site Default-First-Site-Name, domain controller adf.forest.example.com) looks like this. The CNAME whose name is a GUID is the domain controller's NTDS Settings object GUID; replication partners look the domain controller up by that name, so it must resolve too:

_ldap._tcp.forest.example.com.                                    600 IN SRV 0 100 389  adf.forest.example.com.
_gc._tcp.forest.example.com.                                      600 IN SRV 0 100 3268 adf.forest.example.com.
_kerberos._udp.forest.example.com.                                600 IN SRV 0 100 88   adf.forest.example.com.
_kerberos._tcp.forest.example.com.                                600 IN SRV 0 100 88   adf.forest.example.com.
_kpasswd._tcp.forest.example.com.                                 600 IN SRV 0 100 464  adf.forest.example.com.
_kpasswd._udp.forest.example.com.                                 600 IN SRV 0 100 464  adf.forest.example.com.

_ldap._tcp.gc._msdcs.forest.example.com.                          600 IN SRV 0 100 3268 adf.forest.example.com.
_ldap._tcp.dc._msdcs.forest.example.com.                          600 IN SRV 0 100 389  adf.forest.example.com.
_kerberos._tcp.dc._msdcs.forest.example.com.                      600 IN SRV 0 100 88   adf.forest.example.com.

_ldap._tcp.pdc._msdcs.forest.example.com.                         600 IN SRV 0 100 389  adf.forest.example.com.
34356b88-8d9f-457b-87ae-dd660c028489._msdcs.forest.example.com.   600 IN CNAME          adf.forest.example.com.
_ldap._tcp.f3d8bf35-d00a-48fd-aaf9-c7d1999227f3.domains._msdcs.forest.example.com. 600 IN SRV 0 100 389 adf.forest.example.com.

_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.forest.example.com. 600 IN SRV 0 100 389 adf.forest.example.com.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.forest.example.com. 600 IN SRV 0 100 88 adf.forest.example.com.

_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.forest.example.com. 600 IN SRV 0 100 3268 adf.forest.example.com.

_ldap._tcp.Default-First-Site-Name._sites.forest.example.com.     600 IN SRV 0 100 389  adf.forest.example.com.
_gc._tcp.Default-First-Site-Name._sites.forest.example.com.       600 IN SRV 0 100 3268 adf.forest.example.com.
_kerberos._tcp.Default-First-Site-Name._sites.forest.example.com. 600 IN SRV 0 100 88   adf.forest.example.com.

Our AD server (192.168.1.2) also needs a copy of this zone, so we allow it to do zone transfers. The zone entry in named.conf therefore looks like this:

zone "example.com" {
        type master;
        file "internal/com.example.zone";
        // AD registers names with underscores that check-names would otherwise reject
        check-names ignore;
        allow-transfer {
            // ad server
            192.168.1.2;
        };

        allow-update {
            // test client
            192.168.1.3;
        };

        notify no;
};

You will note that there is also an entry that lets a client do updates, so that the client can put its own IP address in the zone. Active Directory relies on being able to resolve client host names to IP addresses, and since our clients get their addresses from DHCP we need a way for them to register their names automatically: dynamic DNS updates (RFC 2136). In our experience the reverse zone does not have to be updatable.

Dynamic Client Updates

It would be a lot of work to get all of the above into your DNS by hand. Luckily there are two ways to make life easier. The first is to copy the \Windows\System32\Config\netlogon.dns file from the domain controller to your bind server and add its records to the zone; the file contains exactly the records the domain controller would register itself.
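Copying netlogon.dns into a zone is where mistakes creep in: the file uses fully qualified owner names, while a BIND zone with $ORIGIN uses relative ones, and a file handed over from a Windows machine should never be allowed to add records outside the Active Directory domain it belongs to. The following script is an added example, not part of the original page: it rewrites netlogon.dns lines into a $ORIGIN-relative fragment for the zone given as its argument and rejects (on stderr, with a non-zero exit status) any record whose owner name lies outside that zone. The input lines in the usage at the end are constructed for the demonstration; the real file lives at \Windows\System32\Config\netlogon.dns on the domain controller.

```shell
#!/bin/sh
# import_netlogon ZONE < netlogon.dns > fragment.zone
# Converts the absolute records Windows writes to netlogon.dns into a
# $ORIGIN-relative fragment for ZONE. Records whose owner name is not inside
# ZONE are reported on stderr and make the function return 1.
import_netlogon() {
    awk -v zone="$1" '
    BEGIN {
        bad = 0
        sub(/\.$/, "", zone); zone = tolower(zone)
        print "$ORIGIN " zone "."
    }
    {
        sub(/\r$/, "")                       # netlogon.dns has CRLF line ends
        if ($0 ~ /^[ \t]*;/) next            # comment
        if (NF < 4) next                     # blank or unusable line
        orig = $1; sub(/\.$/, "", orig)
        owner = tolower(orig)                # DNS names compare case-insensitively
        if (owner == zone) {
            rel = "@"
        } else if (substr(owner, length(owner) - length(zone)) == "." zone) {
            rel = substr(orig, 1, length(orig) - length(zone) - 1)
        } else {
            printf "rejected, outside %s: %s\n", zone, $0 > "/dev/stderr"
            bad = 1
            next
        }
        $1 = rel                             # rewrite the owner, keep TTL/class/type/rdata
        print
    }
    END { exit bad }'
}

# Constructed sample: three records a domain controller writes for
# forest.example.com, and one hostile line that tries to redirect the
# KDC alias in the parent zone. The hostile line must be rejected.
import_netlogon forest.example.com <<'EOF' || echo "import_netlogon: some records were rejected (expected for this sample)" >&2
forest.example.com. 600 IN A 192.168.1.2
_ldap._tcp.forest.example.com. 600 IN SRV 0 100 389 adf.forest.example.com.
_ldap._tcp.dc._msdcs.forest.example.com. 600 IN SRV 0 100 389 adf.forest.example.com.
kerberos.example.com. 600 IN CNAME adf.forest.example.com.
EOF
```

Typical use is `import_netlogon forest.example.com < netlogon.dns >> internal/com.example.zone` followed by a serial bump and `rndc reload`; because the fragment starts with its own $ORIGIN line, append it at the end of the zone file so it does not change the origin of the records that follow. Only treat a non-zero exit as a real problem after reading the rejected lines: a domain controller never needs to write outside its own domain.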

An even easier way is to let Active Directory register its records itself. Since we need dynamic DNS updates for the Windows clients anyway, this is the easiest route. Add the following section to the zone entry in your named.conf:

allow-update {
        // Allow DNS updates from our network
        192.168.1.0/24;
};

For security reasons this is probably not the right solution: an allow-update list by address means you have to trust all your employees and anybody who can connect a computer to your network, and since the source address of a UDP update is easy to spoof, anyone who can reach the name server can rewrite records in the zone, including the SRV and A records that point clients at the KDC and the domain controller. BIND can instead authenticate each update with a Kerberos ticket (GSS-TSIG, the "secure only" updates Windows clients expect) through an update-policy statement, and outside a test network that is what you should use. A full treatment of the security implications is beyond the scope of this document. Maybe I will add more documentation on this later on.
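For comparison, here is the same zone with the address-based allow-update replaced by GSS-TSIG authenticated updates. This is an added example, not configuration from the original page. It assumes BIND 9.8 or later, that the Windows machines belong to the Active Directory domain forest.example.com (Kerberos realm FOREST.EXAMPLE.COM, as in the record listing above), that the domain controller's computer account is ADF$, and that /etc/bind/dns.keytab holds a keytab for the name server's DNS/ns1.example.com service principal issued by that realm (exported from the domain controller, e.g. with ktpass); the keytab path and principal are assumptions.

```conf
options {
        // Keytab for the DNS/ns1.example.com principal that the Windows
        // clients' KDC (the AD domain controller) can issue tickets for.
        // Assumed path for this example.
        tkey-gssapi-keytab "/etc/bind/dns.keytab";
};

zone "example.com" {
        type master;
        file "internal/com.example.zone";
        check-names ignore;
        allow-transfer {
            // ad server
            192.168.1.2;
        };

        // Was: allow-update { 192.168.1.0/24; };
        // allow-update and update-policy are mutually exclusive. Every update
        // must now carry a GSS-TSIG signature made with a ticket from
        // FOREST.EXAMPLE.COM, and each principal may only touch the names it
        // is responsible for.
        update-policy {
                // a workstation pc$@FOREST.EXAMPLE.COM may only register
                // the address records of pc.forest.example.com
                grant FOREST.EXAMPLE.COM ms-self . A AAAA;

                // domain controllers register the locator records below these names
                grant FOREST.EXAMPLE.COM ms-subdomain _msdcs.forest.example.com. SRV CNAME A;
                grant FOREST.EXAMPLE.COM ms-subdomain _sites.forest.example.com. SRV;
                grant FOREST.EXAMPLE.COM ms-subdomain _tcp.forest.example.com. SRV;
                grant FOREST.EXAMPLE.COM ms-subdomain _udp.forest.example.com. SRV;

                // the domain controller also publishes the domain's own A record;
                // ADF$ is the assumed computer account name of adf.forest.example.com
                grant "ADF$@FOREST.EXAMPLE.COM" name forest.example.com. A;
        };

        notify no;
};
```

With this in place the Kerberos records of the EXAMPLE.COM realm itself (the _kerberos and _kpasswd names under example.com) are not covered by any grant and so can only be changed by editing the zone file, which is what you want for the records that tell every client where the KDC is. To test from a Unix client, get a ticket with kinit and run nsupdate with -g, which signs the update with GSS-TSIG instead of sending it unauthenticated.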

To test the setup use nsupdate:

nsupdate
> server ns1.example.com
> zone example.com
> update delete bofh011.example.com. A
> update add bofh011.example.com. 86400 A 192.168.1.15
> send

If this works and your AD server is in the same network, it will happily add its own DNS entries.