Maintained by: NLnet Labs

[Unbound-users] Unbound vs MS Resolver

Joe Abley
Wed Jun 4 17:18:15 CEST 2014

On 3 Jun 2014, at 13:57, Dave Warren <davew at> wrote:

> On 2014-06-03 05:49, Carsten Strotmann wrote:
>> Dave Warren writes:
>>> Obviously it's not a suitable replacement for Active Directory driven
>>> DNS.
>> why not? It is best practice to separate DNS resolver (caching DNS
>> server like Unbound) and authoritative Server. While WinDNS can be used
>> in both functions, it makes a good resilient and manageable DNS design
>> to separate the DNS server functions on dedicated machines.
> In general, I agree that it makes sense to split authoritative and resolver roles. However, in the case of Windows and Active Directory, Active Directory is built under the assumption that your DNS servers accept AD authenticated dynamic updates, both from AD itself and from clients, so it's best practice to only specify Microsoft DNS servers for Active Directory domain controllers, member servers and workstations when possible.

I don't see the logical jump, here.

A DNS UPDATE client can identify the correct domain controller using the SOA MNAME. A recursive resolver can identify the correct domain controller for a zone by following a referral chain. Yes, some environments might have split DNS design decisions that turn out to make this tricky, but really that's more of a reflection of those design decisions than any downstream implementation decision.

There is surely no architectural requirement for the recursive resolver used by any particular stub resolver to run any particular software. "Only specify Microsoft DNS servers" (in the context of resolvers) might make good marketing copy if you're in the business of selling Microsoft DNS servers, but it doesn't sound like it's grounded in logic.
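The two lookups Joe describes (a recursive resolver walking the referral chain down to a zone's authoritative servers, and a DNS UPDATE client targeting the SOA MNAME of that zone) can be simulated offline. The following is an added example written for this archive page, not code from the thread, from NLnet Labs or from Unbound. It replaces network I/O with a constructed in-memory model of a root, a TLD, an enterprise zone served by a non-Microsoft authoritative server, and an AD sub-zone served by two hypothetical domain controllers; every name, zone and server in it is made up. The walk never needs to know what software any authoritative server runs, which is the point of the message; the hop limit and the unreachable-delegation check are the failure modes a real resolver has to handle.

```python
# Added example (not from the original thread): simulate a referral walk
# and the SOA-MNAME lookup a DNS UPDATE client performs (RFC 2136 section 4.3).
# All names, zones and servers below are constructed sample data.

MAX_HOPS = 16  # guard against delegation loops (constructed limit)


def in_zone(name, zone):
    """True if `name` lies in `zone`. Names are lowercase and dot-terminated."""
    if zone == ".":
        return True
    return name == zone or name.endswith("." + zone)


def closest_zone(name, zones):
    """Longest zone (closest enclosing) among `zones` containing `name`, else None."""
    matches = [z for z in zones if in_zone(name, z)]
    return max(matches, key=len) if matches else None


# Constructed authoritative data: server -> zones it serves. "delegations"
# are the NS sets a server hands back as referrals for child zones.
SERVERS = {
    "a.root.test.": {
        ".": {"SOA": ("a.root.test.", "hostmaster.root.test."),
              "delegations": {"test.": ["ns.tld.test."]}},
    },
    "ns.tld.test.": {
        "test.": {"SOA": ("ns.tld.test.", "hostmaster.tld.test."),
                  "delegations": {"example.test.": ["auth.example.test."]}},
    },
    # Enterprise zone on a non-Microsoft authoritative server (hypothetical).
    "auth.example.test.": {
        "example.test.": {
            "SOA": ("auth.example.test.", "hostmaster.example.test."),
            "delegations": {
                "ad.example.test.": ["dc1.ad.example.test.", "dc2.ad.example.test."],
                # Deliberately broken delegation: no such server exists below.
                "lab.example.test.": ["ns.lab.example.test."],
            },
        },
    },
    # Two hypothetical domain controllers; SOA MNAME names the primary (dc1).
    "dc1.ad.example.test.": {
        "ad.example.test.": {"SOA": ("dc1.ad.example.test.", "hostmaster.ad.example.test."),
                             "delegations": {}},
    },
    "dc2.ad.example.test.": {
        "ad.example.test.": {"SOA": ("dc1.ad.example.test.", "hostmaster.ad.example.test."),
                             "delegations": {}},
    },
}


def query(server, qname):
    """Ask one authoritative server about `qname`.

    Returns ("ANSWER", zone, soa) when the server is authoritative for the
    zone holding qname and does not delegate it further, ("REFERRAL",
    child_zone, ns_list) when it holds a covering delegation, or
    ("REFUSED", None, None) when it serves nothing enclosing qname.
    """
    zones = SERVERS.get(server, {})
    zone = closest_zone(qname, zones)
    if zone is None:
        return ("REFUSED", None, None)
    data = zones[zone]
    child = closest_zone(qname, data["delegations"])
    if child is not None:
        return ("REFERRAL", child, data["delegations"][child])
    return ("ANSWER", zone, data["SOA"])


def resolve_zone(qname, root_servers=("a.root.test.",)):
    """Follow referrals from the root to the zone containing `qname`.

    Returns (zone, servers_asked, soa). This is the recursive resolver's
    walk; nothing in it depends on the authoritative servers' software.
    """
    candidates = list(root_servers)
    path = []
    for _ in range(MAX_HOPS):
        for server in candidates:
            kind, arg, payload = query(server, qname)
            path.append(server)
            if kind == "ANSWER":
                return arg, path, payload
            if kind == "REFERRAL":
                candidates = [ns for ns in payload if ns in SERVERS]  # drop unreachable NS
                if not candidates:
                    raise LookupError(f"delegation for {arg} is unreachable: {payload}")
                break
        else:
            raise LookupError(f"no server answered for {qname}: tried {candidates}")
    raise LookupError(f"referral loop resolving {qname} (> {MAX_HOPS} hops)")


def update_target(qname):
    """Where a DNS UPDATE for `qname` should go: the SOA MNAME of its zone."""
    zone, _path, soa = resolve_zone(qname)
    return zone, soa[0]
```

Running `update_target("ws01.ad.example.test.")` walks root, TLD and the enterprise server before landing on a domain controller, and returns the AD zone together with `dc1.ad.example.test.`, the MNAME an UPDATE client would send to; the same walk for `www.example.test.` stops at the enterprise server, and a name under the deliberately broken `lab.example.test.` delegation raises `LookupError` instead of looping.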