Reply

DDNS design advice

New Member
Posts: 1
6796     0

We have a small company that is 99% a Microsoft environment and the decision was made to move to Infoblox for DDI.  We currently use Microsoft Active Directory integrated DNS, and have already moved DHCP and IPAM to the Infoblox appliance.  In Microsoft DNS we have always used the feature that only authenticated devices can perform a secure DDNS update.  My plan was to allow the Infoblox DHCP to perform DDNS updates as well as setup the two domain controllers to perform GSS-TSIG updates as well.  I can't for the life of me to get that to work correctly! 

 

How dangerous would it be to just restrict the DDNS to only the domain controllers and Infoblox DHCP server?  What about allowing all any device to make DDNS updates? (The Infoblox only servers internal domain clients, no guests).

What is the best practice for DDNS when running a Microsoft company fully from an Infoblox DDI?

Re: DDNS design advice

Moderator
Moderator
Posts: 36
6797     0

Hi there,

 

When using Infoblox DHCP to update External Domains, Microsoft DNS in your case, you would have to set up the “Configure DDNS” with the Forward and Reverse mapping zone details as well as the GSS-TSIG key. Please refer to the “Sending Updates for Zones on an External Name Server” section of the NIOS Administrator Guide.

 

Since your Microsoft DNS is set to accept Secure updates only, you would also have to configure GSS-TSIG in Infoblox DHCP Server, as the Infoblox DHCP server needs the GSS-TSIG keytab to have the DDNS Updates authenticated by Microsoft DNS server. You can refer to the “About GSS-TSIG” section of the NIOS Administrator Guide.

 

You can also go through the following community article with regards to DDNS GSS-TSIG Updates, it discusses GSS-TSIG Keytabs.

 

If you have done the above set up and are still unable to get the DDNS Updates through, perhaps you could share with us the Error message that you are receiving in the Syslog of Infoblox DHCP Server? You could also create a ticket with Infoblox Support to expedite resolution.

 

Ideally, you only need to allow either the DHCP Server to perform the updates or the Clients as there might be potential conflicts that could occur while both the Client and the DHCP Server tries to update the same record. As you are using Secure updates, it would be more convenient to just let the DHCP Server do the updates.

 

Regards.

Re: DDNS design advice

Authority
Posts: 23
6797     0

Hello All,

 

I have read with great interest, this post.I still have questions. In our case we are NOT using DHCP on the nios box.

We would like to use "Unauthenticated Dynamic DNS Updates" as mentioned in the 15 page manual. We do not have DDI. We can add ip addresses via an ACL, etc. We do not need to use TSIG keys.

 

We want to use the nios box for dns for our Windows PDC, and our Windows clients (can be servers or a Windows 10 work station). Will this work without changing the domain name? our domain for the NIOS is comlab.net.

This is also the domain name for our windows environment..The PDC, from my understanding, must have DNS installed and running (a default).

 

I have also seen where we can use the process called "delegation" - but may need to change the name of our windows domain to something like: cms.comlab.net.  Any suggestions will be appreciated.

 

Thanks,

Eholz1

 

 

Showing results for 
Search instead for 
Did you mean: 

Recommended for You

NIOS 8.6.3 – What’s New in DDI