
In our organization, we have two separate groups which share network address space and a domain. A couple of slices of /24 are allocated to my group, while the rest is allocated to our internal IT team.

We do not wish to be able to manage DNS for their slice of the pie, but we need to be able to manage it for our slice.

The problem is that for political/historical reasons, which preceded my tenure, we have set up a Linux-based DNS server and maintained our own records and pointed all of our servers and equipment at this server. Meanwhile users and developers across the organization are pointed at the IT team's DNS server.

In order to make sure that everything works in all situations, we have to enter DNS records in our server and then put in tickets with our IT team to have records created in the Active Directory environment. This has come out of parity and is a management nightmare.

Furthermore, we have hundreds of servers and applications which use the shared domain.com and having to create a subdomain.domain.com and update hundreds of servers and applications is not preferred.

As such, is there a way to grant trust and permission to update records in domain.com for only a handful of /24s inside of a /16? Third party solutions that bolt onto Active Directory are acceptable.

James Shewey
  • This is a pretty common problem, and the grief that comes from it is why [it's a recommended practice](http://serverfault.com/questions/76715/windows-active-directory-naming-best-practices) for AD to manage its own unique subdomain. Unfortunately no one ever wants to put in the work to separate it out after the mistake has been made. – Andrew B Mar 01 '15 at 11:32
  • Reading this again, your final paragraph is a little confusing: you went from `subdomain.domain.com` to `subdomain.com`. Did you mean `domain.com`? – Andrew B Mar 03 '15 at 16:51
  • Typically, you can create a DNS zone like subdomain.domain.com and delegate access to that and then have a separate DNS zone like domain.com. I want to only be able to do a subsection of domain.com. I do not want to do this by creating a subdomain.domain.com zone and then updating all of my clients. Does that make more sense? – James Shewey Mar 03 '15 at 18:08
  • My issue was more that you changed the name of the apex domain in your examples, from `domain.com` to `subdomain.com`. – Andrew B Mar 03 '15 at 19:40
  • Ah, I see it now. I fixed the question to reflect. Thanks. I'm also going to award the bounty here. – James Shewey Mar 09 '15 at 18:07

3 Answers


You surely have already noticed that DNS does not care about the subnets when it comes to management. The typical management unit in a DNS infrastructure is a "zone" which would correspond to at least one domain. So if you wanted to delegate management tasks, you would delegate administration over a complete zone, thus at least the complete domain.

Windows AD DNS servers do offer some additional access control and delegation abilities for single record entries - i.e. you would be able to set up "modify" rights for a given user or group for every single record within a zone without delegating the entire zone management. But none of the delegation and ACL features include something like a "subnet" as a management unit; if you need to reflect this in ACEs, you would need to fix them externally.

This being said, it probably is not as bad as it sounds as Windows DNS ACLs also do have the concept of the "creator" of a record along with the ability to delegate only creation of new records in a zone without the need for permissions to change other zone-specific data or other records. The "creator" becomes the owner of the record and implicitly gets the right to change its permissions, thus it indirectly gains "full control". Additionally, the ACE for "CREATOR-OWNER" to be inherited upon creation of a new record can be explicitly defined on the container, if desired (but the implicit right to change permissions cannot be revoked). So the basic project outline might look like this:

  • ask the AD DNS team for creation rights for new records in the zone for your group
  • ask the AD DNS team to delegate the modification rights for resource records belonging to your group
  • start creating and modifying resource records for your group in the AD DNS by yourself
  • propose the creation of a frequently-run management script which would check that records created by your group comply with the delegation policy (i.e. point to hosts in your domains)
  • re-configure your Linux DNS server to either simply forward queries to the AD DNS servers or to act as a secondary by pulling the zone's data off one of the AD DNS primaries (if the DNS zone is AD-integrated, all AD DNS servers will act as primaries)
the-wabbit

I may be misreading this, but it seems like a scheduled task to run once or twice a day would work.

  • Read in the DNS records
  • If the record IP address matches the criteria
  • examine the security ACL for the ACE of a security group that manages the address
  • Add the ACE if it does not exist.

One code example of how to access the zone and perform updates is here:

http://www.adamtheautomator.com/fix-dynamic-dns-record-permissions-automagically/

That code is to fix up orphaned dynamic DNS records, but it should point you in the right direction.

Greg Askew
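The two answers above describe the same mechanism from two sides: the-wabbit's outline (creation rights on the zone, per-record modify rights, and a recurring script that checks the team's records against the delegation policy) and Greg Askew's scheduled task that reads the records, tests the address, and adds the missing ACE. The script below is an added example that puts both into one PowerShell task; it is not code from either answer or from the linked blog post. Everything named in it is hypothetical: the zone `example.com` held in the `DomainDnsZones` partition of `example.com`, the DNS server `dc1.example.com`, the group `EXAMPLE\DNS-TeamA`, and the subnets `198.18.5.0/24` and `198.18.6.0/24`. It uses only the `DnsServer` and `ActiveDirectory` modules and the `AD:` drive that the latter provides.

```powershell
#Requires -Modules DnsServer, ActiveDirectory
<#
  Added example (not from either answer). For a shared AD-integrated zone it
    1. grants a team's security group modify rights on every A record whose
       address falls inside that team's /24s, and
    2. reports records created by members of that group that point outside
       those /24s (the "delegation policy" check).
  All names are hypothetical; see the lead-in.
#>
param(
    [string]   $ZoneName  = 'example.com',
    [string]   $DnsServer = 'dc1.example.com',
    [string]   $Group     = 'EXAMPLE\DNS-TeamA',
    [string[]] $Subnets   = @('198.18.5.0/24', '198.18.6.0/24'),
    # DN of the zone's dnsZone object; each record name is a dnsNode child of it
    [string]   $ZoneDn    = 'DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com',
    [switch]   $Apply     # without -Apply the script only reports what it would change
)

Import-Module DnsServer
Import-Module ActiveDirectory

function ConvertTo-UInt32 ([ipaddress]$Address) {
    # IPv4 only: big-endian address bytes -> unsigned 32-bit integer
    $b = $Address.GetAddressBytes()
    [Array]::Reverse($b)
    return [BitConverter]::ToUInt32($b, 0)
}

function Test-InSubnets ([ipaddress]$Address, [string[]]$Cidrs) {
    if ($Address.AddressFamily -ne 'InterNetwork') { return $false }
    $ip = ConvertTo-UInt32 $Address
    foreach ($cidr in $Cidrs) {
        $net, $bits = $cidr -split '/'
        # mask built in 64-bit arithmetic so /0 and /32 do not overflow uint32
        $mask = [uint32](([uint64]1 -shl 32) - ([uint64]1 -shl (32 - [int]$bits)))
        if (($ip -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask)) { return $true }
    }
    return $false
}

# Rights needed to change or delete an existing record and nothing else. Creating
# new names needs CreateChild on the zone object, granted once by the zone owners.
$ModifyRights = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, Delete'
$SidType      = [System.Security.Principal.SecurityIdentifier]
$GroupSid     = (New-Object System.Security.Principal.NTAccount($Group)).Translate($SidType)
# The owner of a dnsNode is its creator, so member SIDs identify records the team created
$MemberSids   = @(Get-ADGroupMember -Identity $Group.Split('\')[-1] -Recursive |
                  ForEach-Object { $_.SID.Value })

Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType A |
  Group-Object HostName |     # one dnsNode per name, even when it has several A records
  ForEach-Object {
    $name = $_.Name
    $ips  = @($_.Group | ForEach-Object { $_.RecordData.IPv4Address })
    # a name is in scope only if every one of its addresses is inside the team's /24s
    $inScope = @($ips | Where-Object { -not (Test-InSubnets $_ $Subnets) }).Count -eq 0
    $nodeDn  = "DC=$name,$ZoneDn"
    $acl     = Get-Acl -Path "AD:\$nodeDn"
    $owner   = $acl.GetOwner($SidType).Value
    $hasAce  = [bool]($acl.GetAccessRules($true, $true, $SidType) | Where-Object {
                  $_.AccessControlType -eq 'Allow' -and
                  $_.IdentityReference.Value -eq $GroupSid.Value -and
                  (([int]$_.ActiveDirectoryRights -band [int]$ModifyRights) -eq [int]$ModifyRights) })

    $action = $null
    if ($inScope -and -not $hasAce) {
        $action = 'grant'
        if ($Apply) {
            $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                        $GroupSid, $ModifyRights, [System.Security.AccessControl.AccessControlType]::Allow)
            $acl.AddAccessRule($rule)
            Set-Acl -Path "AD:\$nodeDn" -AclObject $acl
        }
    }
    elseif (-not $inScope -and $hasAce) {
        # the name left the team's subnets after a grant: flag it, do not strip the ACE blindly
        $action = 'stale-grant'
    }
    elseif (-not $inScope -and $MemberSids -contains $owner) {
        # created by a team member (owner = creator) but pointing outside the delegated /24s
        $action = 'policy-violation'
    }
    if ($action) {
        [pscustomobject]@{ Host = $name; Addresses = ($ips -join ','); Action = $action; Applied = [bool]$Apply }
    }
  }
```

Run it first without `-Apply` and pipe the output to `Export-Csv` or a ticket queue; only the `grant` rows change anything when `-Apply` is given, and the `stale-grant` and `policy-violation` rows are left for a human because the record may belong to the other team. The task account needs read access to the zone and WriteDacl on the dnsNode objects; the zone-level CreateChild right for the team's group (and an inheritable CREATOR OWNER ACE, if wanted) is a one-time change the zone owners make by hand, so the script does not touch the zone object itself.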

I can't speak to how Active Directory would be configured to allow you to remotely manage and automate the domain using nsupdate.

What I can tell you is that you can reduce the headache somewhat by using NS delegations to each other for the individual records, and never defining static A or CNAME records for data that your team does not manage.

Imagine you have the following in Active Directory:

```zone
example.com. SOA dc1.example.com. hostmaster.example.com. 2015022400 28800 7200 604800 300
     IN NS dc1.example.com.
     IN NS dc2.example.com.
     IN MX 10 mail.example.com.
www  IN NS ns1
ftp  IN NS ns1
mail IN  A 198.18.0.10

dc1  IN  A 198.18.0.150
ns1  IN  A 198.18.0.250
```
  • mail, ns1, and dc1 are statically defined records.
  • www and ftp have been delegated to ns1.example.com., which we'll say is an authoritative Linux DNS server.
  • Because the DC is typically acting in a mixed DNS server role (both recursive and authoritative), requests for www and ftp will trigger recursion and cause ns1.example.com to be consulted for the answer. This will succeed, provided that there is a firewall allowing traffic from the DCs to hit ns1.

This is still a pain: you're not escaping the need to define records on the remote server. What you are accomplishing is ownership of individual records. If the IP address for one of those records needs to change, this change does not have to be made on both sides of the fence. This will work, at least until someone wants to define sub.ftp.example.com on the DC. Since ftp has been delegated, sub.ftp has also been delegated and there is no way to manage it locally.

Andrew B
  • Not a bad idea, but still unfortunately not quite what I am looking for. I often need to create new records or rename an existing record. While this allows me to control the IP, that's about the only thing it would do. I would still need to update the record in 2 places for anything else. – James Shewey Mar 03 '15 at 20:21
  • Yeah, I understand. Still worth mentioning for those with similar problems who cruise in. But on that same note...the "real" answer is that a company with this problem has [massive technical debt](https://en.wikipedia.org/wiki/Technical_debt) which needs to be repaid. Solutions that avoid fixing the design issues only serve to make things more difficult to fix later when more complex problems arise from all the madness that people have been using to circumvent it. – Andrew B Mar 03 '15 at 20:26
  • Note that `nsupdate` by default would issue non-secured DNS update requests. As unauthenticated requests likely will be rejected by the destination servers, you would need to set up Kerberos for authentication and have `nsupdate` use it via GSS-TSIG (`-g` parameter) - see http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/ for a usage example. – the-wabbit Mar 13 '15 at 21:38