ACSAD reverse lookup zones

So, in order to move forward on the DNS in .acsad.ncsu.edu, I think we need to do the following:

  1. Turn off dynamic DNS on the Windows domain controllers/DNS servers.
  2. From now on, register new hosts in a zone other than acsad.ncsu.edu -- say .oit.ncsu.edu. If this is not possible for some reason, register the new host in QIP NCSU-Legacy (ns60/ns61) and the Windows machines manually.
  3. With no dynamic DNS, we can turn off the Solaris "dig" scripts that mine Windows for host file/NIS info, or point them to ns60/ns61.
  4. We need to populate the reverse lookup (PTR) zones in QIP (see list below).
  5. We need to get zone transfer rights on ns60 so we can read the data and compare it to what Windows thinks. I can use this info to generate a list of differences between QIP and Windows.
  6. We need to identify client workstations that need "inside" DNS, and set any clients that don't to use the standard campus DNS servers (not Legacy, but straight up NCSU).
  7. For the remaining hosts that do need "inside" DNS, when the list of differences is small enough, we switch (via script/GPO) to ns60/ns61 and turn off DNS on the domain controllers.
  8. We need to work with ComTech to populate the correct SRV records for ACSAD to function.
  9. We need to push with script or GPO to all ACSAD Windows clients to point to the QIP name servers, based on the results of step 6.
  10. We can then turn off the DNS services on the ACSAD domain controllers.
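One way to produce the difference list from step 5, as an added example that is not part of the original notes: it parses two saved zone-transfer dumps in `dig axfr` output format and reports PTR records that exist on only one side or that disagree. The sample records, host names and SOA names are constructed for illustration; the reverse zone is one from the list on this page.

```python
from collections import defaultdict

# Constructed sample dumps in `dig axfr` output format (not real records).
WINDOWS_AXFR = """\
; constructed sample: zone as served by the Windows DNS servers
64.168.192.in-addr.arpa. 3600 IN SOA dc.example. hostmaster.example. 42 900 600 86400 3600
10.64.168.192.in-addr.arpa. 1200 IN PTR Host-A.acsad.ncsu.edu.
11.64.168.192.in-addr.arpa. 1200 IN PTR host-b.acsad.ncsu.edu.
12.64.168.192.in-addr.arpa. 1200 IN PTR ws-dyn.acsad.ncsu.edu.
"""
QIP_AXFR = """\
; constructed sample: same zone as served by QIP
64.168.192.in-addr.arpa. 3600 IN SOA ns.example. hostmaster.example. 7 900 600 86400 3600
10.64.168.192.in-addr.arpa. 3600 IN PTR host-a.acsad.ncsu.edu.
11.64.168.192.in-addr.arpa. 3600 IN PTR host-b.oit.ncsu.edu.
13.64.168.192.in-addr.arpa. 3600 IN PTR host-c.acsad.ncsu.edu.
"""

def parse_axfr(text, rtype="PTR"):
    """Map owner name -> set of targets; names lowercased, trailing dot removed."""
    records = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or dig comment
        fields = line.split(None, 4)      # owner, TTL, class, type, rdata
        if len(fields) < 5 or fields[3].upper() != rtype:
            continue                      # SOA, NS and other types are ignored
        records[fields[0].rstrip(".").lower()].add(fields[4].rstrip(".").lower())
    return records

def ptr_to_ip(owner):
    """'10.64.168.192.in-addr.arpa' -> '192.168.64.10'"""
    return ".".join(reversed(owner.removesuffix(".in-addr.arpa").split(".")))

def diff_zones(windows, qip):
    """Compare two parsed zones; TTL differences are deliberately ignored."""
    report = {"only_windows": {}, "only_qip": {}, "mismatch": {}}
    for owner in sorted(set(windows) | set(qip)):
        w, q = windows.get(owner, set()), qip.get(owner, set())
        ip = ptr_to_ip(owner)
        if w and not q:
            report["only_windows"][ip] = sorted(w)   # e.g. dynamic registrations
        elif q and not w:
            report["only_qip"][ip] = sorted(q)
        elif w != q:
            report["mismatch"][ip] = {"windows": sorted(w), "qip": sorted(q)}
    return report

if __name__ == "__main__":
    for kind, entries in diff_zones(parse_axfr(WINDOWS_AXFR), parse_axfr(QIP_AXFR)).items():
        for ip, names in entries.items():
            print(kind, ip, names)
```

Names are compared case-insensitively, so `Host-A` and `host-a` count as a match and only real disagreements end up in the report.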

I haven't looked into the role of DHCP in ACSAD yet. We may need to address DHCP at the same time as DNS.

Looking at ACSAD3, the reverse lookup zones are:

  • 152.1.104.x Removed from DNS 9/11/2009
  • 172.27.130.x Removed from DNS 10/11/2009
  • 152.8.132.x
  • 152.1.148.x
  • 172.17.x.x
  • 152.1.194.x adt records removed
  • 152.1.195.x
  • 192.168.198.x
  • 192.168.199.x Removed 11/11/2009
  • 172.27.2.x
  • 172.20.x.x
  • 192.168.202.x
  • 192.168.255.x Matches ns60 10/15/2009
  • 192.168.61.x Matches ns60 10/15/2009
  • 152.1.64.x
  • 192.168.64.x
  • 192.168.66.x

I'm pretty sure that many of these are bogus, either iLO cards or workstations that dynamically registered themselves in acsad.ncsu.edu and thus created an entire reverse lookup zone that is neither authoritative nor correct/complete.

I'm gonna work down the list and try to identify what should be considered acsad.ncsu.edu and what shouldn't be. I

How can we get dynamic DNS turned off? Just send it to the CAB, or are there other stakeholders?