In thinking about this - I mentioned adding additional domains to the search suffix list.

While this is doable for a few PCs, or if you are using DHCP, I was thinking -

For the primary things you'll be searching for by shortname from the 'other' domains, create cname records in the local domains pointing to the real host in the real domain.

Example

The DB server is DB1.fire.randomcity.com
A user in water.randomcity.com needs to access the DB server.
Create a cname in the water.randomcity.com DNS server called DB1 that points to DB1.fire.randomcity.com
This allows the user in the water domain to connect to 'DB1' and they will be pointed to the server via DNS over to the server in the fire domain. No change to the client's DNS search suffix list required.

This does assume that there is not a server called DB1 in the water domain.

@jaredbusch said in DNS manager for all domains:

@scottalanmiller said in DNS manager for all domains:

@dashrender said in DNS manager for all domains:

Cloudflare will read the current DNS server and build all the records in itself.

That only works for some records.

Most though.

Most of ones like www, ftp and mx records. But anything that you make that is unusual or unique in any way, I've never had found. I just did it the other day for a company and it found like two of twenty, and it was the two you'd be almost certain would be there.

@networknerd said in When Someone Points Their DNS at Your Site:

@scottalanmiller said in When Someone Points Their DNS at Your Site:

Could still be weird. But could be benign, too.

Or it could be the NSA.

All your websites are belong to NSA.

@NerdyDad said in nslookup - can it use WINS info:

@scottalanmiller Just out of curiosity, is there an nslookup alternative command for WINS? If so, what is it?

nblookup.exe

I'd still use DuckDNS.org
0_1492522125211_duckdns.png

@StrongBad said in DNS record will help prevent unauthorized SSL certificates:

Not a bad idea, I guess. There is some security concern there. I would wonder how often this is really an issue. Is this common? Or just proactive?

I'm thinking a bit of both.

Split DNS is the way to go if you have the .local domain naming. Otherwise having your organization domain as org.domain.com might be better as to not use your main domain.

Edgerouters can now handle custom dynamic dns providers without the need of the script - here is the guide with Cloudflare as the example: https://help.ubnt.com/hc/en-us/articles/204976324

Use the clear-dnsservecache cmdlet

https://technet.microsoft.com/en-us/itpro/powershell/windows/dns-server/clear-dnsservercache

@wirestyle22 said in Need People to Check a Website for Me:

The site looks great

Thanks. Thank @Dominica who is running the web design stuff now.

@Dashrender said in Windows DNS best practice:

@wirestyle22 said in Windows DNS best practice:

@Mike-Davis He is actually asking this in regards to my network. We have one root domain with two subdomains, all on their own subnets. How mine differs from the OP is both the primary and secondary DNS are in the main building attached to the root domain. We only use static IP's. There is no DHCP here. We don not even use wireless, although that will change in the near future.

What Wire didn't mention is that all servers and all clients in the entire organization use those two DNS servers at headquarters. That seems very odd to me.

FYI - Wire just came on with that client, so he didn't set this up.

This is correct

That moment when you have spent 3 hours waiting (5 min here and there) and then realize you are in the WRONG DNS Management Page....

smh

@jrc said in OpenVPN and DNS:

Do you know if you can configure OpenVPN to work as a DNS relay (local relayed to remote)?

What would be the local component, in that case?

@scottalanmiller we have an ERP system that MOST of the companies work is done in.

They could still use office and such, but without the link the ERP stuff is useless. Production could continue on paper, it would just slow down

Email isnt local either, we use cloud based email which is stemmed from the datacenter.

That is a good point thank you for mentioning that

@stacksofplates said in Quick DNS Question:

I can't believe I didn't do this a while back. No more chroots to run real applications. I also have my home folder on a 128GB USB 3 flash drive that's pretty tiny. It's a pretty nice and cheap setup.

Unless you are an actual end users, I can't imagine wanting to use ChromeOS instead of a "real" OS.

@scottalanmiller said in Using Pertino with Active Directory:

Originally posted on my Windows Administration blog in 2013 here: http://web.archive.org/web/20130929034913/http://www.scottalanmiller.com/windows/2013/04/05/using-pertino-with-active-directory/

This information is very out of date concerning Pertino itself. But the theory on how this works remains relevant.

IMO, you should put the 'old post' notice at the top of these.

DDoS depends on public addresses acting as a clients pounding your DNS server with thousands of recursive queries at once. If your DNS server isn't public, then it isn't a open resolver, and a client on the internet can't query it directly.

In our case, we have a local DNS server, available to the internet, as a backup to our ISP-hosted DNS. This server is typically vulnerable. But it's set with a higher cost so it won't be used unless ISP goes down.

So as is with most things. I actually did set an address for Bind in named.conf. I just needed to add the ip address to listen on and add the zone for recursion and it's working now. Thanks!

In general, avoid the www. Sockets seem to fail when using it.

@scottalanmiller said:

@PSX_Defector said:

If you only have Samba controllers, hell it might work.

that's the normal way to use it. Mixing it in would just be weird. Lots of companies run on just it, it works great from what I hear. I've never heard of a shop that had issues after moving to it. It's full AD with all the bells and whistles. You can even manage it from Windows and GPOs work great too.

I saw somewhere online someone set up an environment that way and used RSAT from a Windows 7 computer to do GPO and users/computers.