#1
|
Untangler
Join Date: May 2010
Location: Tempe, AZ
Posts: 37
Going to do my first Directory Connector install over the weekend (maybe next). I believe I have done my homework.

Untangle External Primary DNS will point to the internal AD server (which does DHCP and DNS). The AD server points to itself as primary DNS and then has forwarders to the client's ISP primary and secondary.

Here is the question (unless the above is incorrect; if it is, then I suppose a little clarification on that would be helpful too): should I be leaving the secondary DNS of the Untangle External blank? (They have static IPs from the ISP.)

Whoops, one last extra question (ya, I know it was a DNS thread): about 45 users on this network, I'm guessing I should implement the AD Logon Script provided with Untangle if I want reporting, policy manager, et al. to work correctly?
#2
Join Date: Apr 2008
Location: Phoenix, AZ
URLs submitted: 8
Posts: 15,454
I generally have Untangle use the ISP's DNS servers. Untangle doesn't require the use of DNS to locate a domain controller, as the Directory Connector module asks you for a server; providing an IP address in that field neatly removes any DNS requirement to attach to the DC.

Having it configured the way you have it works as well; it simply means that if your DC fails, Untangle can't get updates nor use the DNS-based filters in the Web Filter and the new Virus Blocker. The AD Login script is a way to populate the Directory Connector's IP address to username lookup table. This function can also be performed by the captive portal. It is only required if you want to use AD user name or group membership for policies.
__________________
Rob Sandling, BS:SWE, MCP Intouch Technology Phone: 480-272-9889 rob@intouchtechllc.com UntangleAppliances.com Phone: 866-794-8879
#3
Untangler
Join Date: May 2010
Location: Tempe, AZ
Posts: 37
Yes, the way you described is the way I thought it would work, but the research I did suggested otherwise.

So, on the DC the primary of course stays as the DC IP. Then secondary as Untangle, or do you use forwarders to Untangle and/or the ISP? And do you give DHCP clients Untangle as secondary in case of DC failure? Even though it isn't doing DNS, it would forward on because of its primary and secondary?
#4
Join Date: Apr 2008
Location: Phoenix, AZ
URLs submitted: 8
Posts: 15,454
In the immortal words of Egon...

DON'T CROSS THE STREAMS! It doesn't matter as long as all DNS paths are nice and linear. You don't want to make a loop by telling UT to ask your DC, and then have the DC forward to Untangle.
__________________
Rob Sandling, BS:SWE, MCP Intouch Technology Phone: 480-272-9889 rob@intouchtechllc.com UntangleAppliances.com Phone: 866-794-8879
#5
Untangler
Join Date: May 2010
Location: Tempe, AZ
Posts: 37
Ha, yes, that would be an obvious fail.

Adding forwarders isn't really a pain; it is just easy to forget about. Like when an ISP changes the client's DNS and you're pulling your hair out for an hour trying to figure out why you can't resolve domain names. If they are in Untangle you would check there first anyway. Yep, this is the way I'll be going. Thank you for the clarification.
#6
Master Untangler
Join Date: Mar 2010
Location: York, NE
Posts: 475
One thing I found helpful is that if you use the ISP DNS for your Untangle box, you may need to use the IP address rather than the hostname of your domain controller.
__________________
Three-time Microsoft ASP.Net MVP managing an IBM System x3250 / X3440 / 8GB with Untangle 9.2 to protect 40Mbits for 450+ residential college students and associated staff and faculty
#7
Join Date: Apr 2008
Location: Phoenix, AZ
URLs submitted: 8
Posts: 15,454
Quote:
When the ISP changes stuff, I have one place to look, the Internet connected device.
__________________
Rob Sandling, BS:SWE, MCP Intouch Technology Phone: 480-272-9889 rob@intouchtechllc.com UntangleAppliances.com Phone: 866-794-8879
#8
Untangler
Join Date: May 2010
Location: Tempe, AZ
Posts: 37
So really in this case you wouldn't even necessarily need a forwarder on the AD machine pointing to Untangle. The default gateway (Untangle) would do it for you. Probably a bit faster and less overhead if I add the forwarder. Thoughts?
#9
Join Date: Apr 2008
Location: Phoenix, AZ
URLs submitted: 8
Posts: 15,454
No, but forwarding AD's supporting DNS to the Untangle means AD is using Untangle to cache DNS queries.

This on the surface isn't much of an advantage, but it does mean two things that are important to me.
1.) DNS queries aren't traversing Untangle to cause issues (from time to time this pops up and gives headaches).
2.) If an ISP renumbers, or I change ISPs, my AD isn't supported by anything ISP-centric and the only device on the network with ISP information is my edge Untangle router itself.
I'm lazy, I like changing stuff in one place and not remembering things.
__________________
Rob Sandling, BS:SWE, MCP Intouch Technology Phone: 480-272-9889 rob@intouchtechllc.com UntangleAppliances.com Phone: 866-794-8879
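The three layouts argued over in this thread (the original poster's plan in #1, the DC-fails-so-Untangle-can't-resolve point in #2, the "don't cross the streams" loop in #4, and the linear DC -> Untangle -> ISP chain in #9) can be checked mechanically by treating each resolver's forwarder list as edges in a directed graph. The script below is an added example, not code from the thread or from Untangle; the resolver names and the three layouts are constructed to mirror the discussion. It reports forwarding loops and, for each resolver, which single internal box would cut it off from the ISP if it went down.

```python
"""DNS forwarding-layout checker (added example, not from the thread).

Each resolver maps to the list of resolvers it forwards to; the ISP resolvers
are the exit. A healthy layout has no loops and no avoidable single point of
failure between a resolver and the ISP.
"""

# Constructed names: the resolvers that answer from the internet and forward nowhere.
ISP_RESOLVERS = frozenset({"isp1", "isp2"})

# Three constructed layouts from the discussion.
OP_PLAN = {"untangle": ["dc"], "dc": ["isp1", "isp2"]}      # post #1: Untangle asks the DC
LINEAR = {"dc": ["untangle"], "untangle": ["isp1", "isp2"]}  # post #9: DC forwards to Untangle
CROSSED = {"untangle": ["dc"], "dc": ["untangle"]}          # post #4: the loop to avoid


def find_loops(forwarders):
    """Return each forwarding loop once, as a list of resolver names that ends
    where it started, e.g. ['untangle', 'dc', 'untangle']."""
    loops, seen = [], set()

    def walk(node, path):
        if node in path:  # back to a resolver already on this path: a loop
            cycle = path[path.index(node):] + [node]
            key = frozenset(cycle)
            if key not in seen:
                seen.add(key)
                loops.append(cycle)
            return
        for nxt in forwarders.get(node, []):
            walk(nxt, path + [node])

    for start in forwarders:
        walk(start, [])
    return loops


def can_resolve(forwarders, start, failed=frozenset(), terminals=ISP_RESOLVERS):
    """True if `start` reaches an ISP resolver through forwarders that are not
    in `failed`. Only forwarders are modelled; root hints and cached answers
    are deliberately ignored, which is the pessimistic case the thread discusses."""
    if start in failed:
        return False
    stack, visited = [start], set()
    while stack:
        node = stack.pop()
        if node in visited:  # visited-set also stops us spinning on a loop
            continue
        visited.add(node)
        if node in terminals:
            return True
        stack.extend(n for n in forwarders.get(node, []) if n not in failed)
    return False


def single_points_of_failure(forwarders, client, terminals=ISP_RESOLVERS):
    """Internal resolvers whose outage alone leaves `client` unable to resolve
    external names. Empty if the layout is already broken for `client`."""
    nodes = set(forwarders) | {n for fwd in forwarders.values() for n in fwd}
    if not can_resolve(forwarders, client, terminals=terminals):
        return []
    return sorted(
        n for n in nodes - terminals - {client}
        if not can_resolve(forwarders, client, failed={n}, terminals=terminals)
    )


def report(name, forwarders):
    """Human-readable summary lines for one layout."""
    lines = [f"{name}: loops={find_loops(forwarders) or 'none'}"]
    for node in forwarders:
        ok = "yes" if can_resolve(forwarders, node) else "no"
        spof = single_points_of_failure(forwarders, node) or "none"
        lines.append(f"  {node}: resolves={ok} single_point_of_failure={spof}")
    return lines


if __name__ == "__main__":
    for name, layout in [("OP plan", OP_PLAN), ("linear", LINEAR), ("crossed", CROSSED)]:
        print("\n".join(report(name, layout)))
```

Running it shows the trade-off the thread settles on: the original plan has no loop but makes the DC a single point of failure for Untangle (post #2's objection), the linear layout makes Untangle the only box that needs ISP details (post #9) at the cost of the DC depending on it, and the crossed layout resolves nothing at all.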
#10
Untangler
Join Date: May 2010
Location: Tempe, AZ
Posts: 37
Wait, your first sentence confused me a bit.

Are you saying to leave DNS on the Untangle box on as well as on the AD machine (which is the DC in this case)? Or leave DNS off on Untangle like I had planned, with just the primary and secondary on the Untangle box pointing to the ISP?