Learn How We Can Help You Keep Teleworkers Protected During the COVID-19 Crisis



Need help designing GSS-TSIG for Active Directory

Posts: 5
5510     0

I see the way the Infoblox documentation is written it looks like, in order to use GSS-TSIG, either DNS or DHCP has to be controlled by either a Microsoft server or a DNS/DHCP domain member server. Am I reading this correctly? Would I have to join my Iblox box to the AD domain to use this functionality or is just having an AD integrated zone enough to do it?


Currently all our DDI is handled by Infoblox and we're migrating our systems from Novell to AD. My task is to make sure existing hosts, once they join the domain, have proper DNS records in our AD zone. The Zone is AD integrated and our tests have run well but we're concerned a malicious individual could hijack a DNS record simply by renaming the host they're on.


Our environment has thousands of client machines on hundreds of networks.  Currently our internal networks are automatically appending the host name to .wks.(our business).(our root) by virtue of the DDNS Domain Name functionality at the network level.


What I need to do is make them go to the AD domain .(our business).local without hosing up the existing DNS records. 


Any suggestions would be greatly appreciatd.






Re: Need help designing GSS-TSIG for Active Directory

Posts: 250
5511     0

Hi, you've touched on quite a few technically complex areas in your post so it may be difficult to give you the exact answers you need, but here are my own, personal, thoughts....


1) I seriously would consider not implementing GSS-TSIG, you will save yourself a whole world of pain. You have to ask yourself what will you actually achieve by implementing GSS-TSIG? You are basically allowing any AD authenticated device to dynamically update DNS, this includes client PC's. You say you"ve got thousands of clients so you are allowing all those that are joined to your AD domain to update DNS.


Now I don't know about you, but I don't like letting client PC's to update DNS, so I implement an allow-update named ACL that only allows DHCP servers, AD Domain Controllers, and selected limited other application servers to update DNS. So if you implement GSS-TSIG, you still have to implement ACL's, so you have to ask that if you are going to implement an ACL anyway, what extra benefits does GSS-TSIG give you? Not a lot in my opinion. In a Microsoft DNS server you get the benefits of RR specific security ACL's, but Infoblox doesn't support this (it uses its own mechanism which is not dependent upon GSS-TSIG).


2) With your other question about using different domain names, I did something similar about 10 years ago now, so my memory is a bit rusty, but it involved option 81. It was actually with a different product but what we were able to do was tell the DHCP server to completely ignore 81, the DHCP server would then register the client in the domain referenced by the ddns-domainname option and the client would seperately register it's A record into the AD domain (the primary DNS suffix), the AD domain was different to the ddns-domainname option, so we basically had the client PC registered in two different domains. If you can get Infoblox to do something similar then you may be onto something, I guess you will need to have a play in the lab.



Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE

Re: Need help designing GSS-TSIG for Active Directory

Posts: 16
5511     0

Hi Paul,


If I want to add my Infoblox DHCP server to Microsoft's DnsUpdateProxy(equivalent to allow-update ACL in BIND) group(I believe that is what you meant by ACL). How would I go about acheiving it at Microsoft end?


Any help would be greatly appreciated.






Showing results for 
Search instead for 
Do you mean 

Recommended for You

Demo: Infoblox IPAM plug-in integration with OpenStack Newton