Maintained by: NLnet Labs

[Unbound-users] Unbound vs MS Resolver

Dave Warren
Wed Jun 4 23:51:28 CEST 2014

On 2014-06-04 08:18, Joe Abley wrote:
> I don't see the logical jump, here.
> A DNS UPDATE client can identify the correct domain controller using the SOA MNAME. A recursive resolver can identify the correct domain controller for a zone by following a referral chain. Yes, some environments might have split DNS design decisions that turn out to make this tricky, but really that's more of a reflection of those design decisions than any downstream implementation decision.

It's not just that the DNS is split (Microsoft doesn't even support 
split zones within Active Directory-enabled zones in a traditional 
"split" format), but rather that updates are done in a multi-master 
scenario while sites may have replication intervals in the period of 
minutes, hours, or days, and updates are best processed by the local 
AD DNS servers (they are not forwarded upstream using the SOA record 
or anything else).

In a small environment none of this matters, but in large, multi-site, 
physically decentralized environments, you might really want local 
clients doing updates to a local AD server so that their DNS records 
appear immediately locally, and that doesn't happen if you use the 
traditional "update the SOA MNAME and wait for the changes to wander 
down to other servers" approach.

Microsoft's DNS server uses true multi-master replication; there's 
nothing particularly special about the server listed as MNAME. 
Literally any AD DNS server can process updates locally and will 
ensure that changes are replicated out to appropriate partners.

I'm NOT saying it's the only option -- just that it's Microsoft's best 
practice to use Microsoft DNS servers to service Microsoft Active 
Directory joined servers and clients, and in my experience, staying 
within Microsoft's best practices is usually wise unless you can 
articulate a reason to make a different choice. If you have a practical 
reason to do something different, do it! I do a lot of non-standard 
stuff in Windows all the time.

(This isn't even a sales point, Microsoft DNS server is a free component 
that requires no additional licensing beyond the Active Directory 
environment itself.)

But at least in this case, I'm more interested in getting the benefits 
of unbound (awesome resolver performance, DNSSEC validation, 
pre-fetching, etc.) without adding headache (using non-AD DNS for an 
Active Directory environment), so using Windows DNS internally and 
unbound for external resolution seems like an ideal configuration unless 
there are downsides (such as performance).

Dave Warren
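As an added illustration of the "Windows DNS internally, unbound for external resolution" split described in the message above (this is an example config written for this page, not something from the original post or from NLnet Labs), here is a minimal unbound.conf for the external side. The AD domain name corp.example, the domain controller addresses 10.0.0.10 and 10.0.0.11, the internal range 10.0.0.0/8 and the unbound listener 10.0.0.53 are all assumptions.

```conf
# Added example, not from the original post or from NLnet Labs.
# Assumptions: AD domain corp.example, domain controllers 10.0.0.10
# and 10.0.0.11, internal networks 10.0.0.0/8, unbound on 10.0.0.53.
server:
    interface: 10.0.0.53
    # Only the AD DNS servers (and, optionally, internal clients)
    # may use this resolver; the Windows DNS servers forward to it.
    access-control: 127.0.0.0/8 allow
    access-control: 10.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

    # DNSSEC validation with an RFC 5011 managed root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-permissive-mode: no
    harden-dnssec-stripped: yes
    harden-glue: yes

    # Refresh popular entries (and their DNSKEYs) before they expire.
    prefetch: yes
    prefetch-key: yes

    # Windows DNS forwards only what it cannot answer itself, so
    # nothing under corp.example should normally reach unbound.
    # If some non-domain clients point straight at unbound, the
    # forward-zones below send AD names to a domain controller.
    # The AD zone is assumed unsigned, so mark it insecure or the
    # validator will reject every answer from the DCs.
    domain-insecure: "corp.example"
    domain-insecure: "10.in-addr.arpa"
    # unbound answers the RFC 1918 reverse zones locally by default;
    # drop that default so reverse lookups reach the DCs as well.
    local-zone: "10.in-addr.arpa." nodefault
    # Answers under corp.example legitimately carry RFC 1918
    # addresses; whitelist the domain if private-address is enabled.
    private-address: 10.0.0.0/8
    private-domain: "corp.example"

forward-zone:
    name: "corp.example"
    forward-addr: 10.0.0.10
    forward-addr: 10.0.0.11

forward-zone:
    name: "10.in-addr.arpa"
    forward-addr: 10.0.0.10
    forward-addr: 10.0.0.11
```

Run unbound-checkconf on the file before loading it. The Windows half is just the forwarder list on each AD DNS server pointing at 10.0.0.53 (for example with Set-DnsServerForwarder on Server 2012 or later), with recursion left enabled so that anything outside the AD zones goes to unbound. The forward-zone and domain-insecure entries are only needed for clients that query unbound directly; if every client uses the Windows DNS servers, the server: section alone is enough.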