Active Directory Configuration

Scope of this document

The purpose and scope of this document is limited to a network environment where Active Directory is integral to the network, but DNSthingy is running in standalone or gateway mode.

Summary of Best Settings

DHCP Server: Active Directory
DHCP Options: Gateway: DNSthingy host
DNS: DNSthingy host(s)
Other options: as required by environment
Rainbow list: your internal domain.local
Rainbow list redirected to: Active Directory
Rainbow list turned on: All Rulesets (including Unfiltered ones)

Example configuration:

Company Internet domain: yourcompany.com
Company internal domain: yourinternaldomain.local
IPv4 subnet: 10.20.30.0/24 (10.20.30.0/255.255.255.0)
DNSthingy LAN IP: 10.20.30.1
Active Directory Server IP: 10.20.30.10
DHCP Scope: 10.20.30.100-199
DHCP Option of Gateway: 10.20.30.1
DHCP Option of DNS Server(s): 10.20.30.1 (be sure not to specify 10.20.30.10 as secondary)
Rainbow list of “Internal domains”: yourinternaldomain.local and 30.20.10.in-addr.arpa (the reverse-lookup zone for 10.20.30.0/24)
Rainbow list re-directed to: 10.20.30.10
DHCP running on DNSthingy host: NO
DHCP running on Active Directory Server: YES

Configuration Details

This is what a Rainbow list looks like on your DNSthingy.com dashboard (Manage Rules -> My Lists):

Rule should be turned on for all Rulesets.

Windows 2012 DHCP Server configuration

Windows 2012 DNS Server configuration for yourinternaldomain.local and Reverse DNS

Redundancy Recommendation

When devices are given a primary and a secondary DNS server, contrary to common perception, the secondary is not a backup DNS server per se.  Instead, DNS clients typically issue the same query to all DNS servers received via DHCP at the same time.  For this reason, you do not want the DNSthingy host as the primary DNS server with AD as the secondary: queries answered by AD would bypass DNSthingy entirely.

Instead, to achieve redundancy and business continuity for a DNSthingy environment, you want to have two instances running simultaneously with the same configuration.  It’s worth pointing out that the second DNSthingy instance could be in private server/standalone mode if the first DNSthingy instance is in gateway mode.

Also, when multiple AD domain controllers are deployed, the DNS client settings in each controller's own IP configuration should be as follows:

SERVER   DNS settings on IP configuration
ADC1     Self (ADC1), ADC2
ADC2     Self (ADC2), ADC1

For example, if ADC1 is a host at 10.20.30.10 and ADC2 is at 10.20.30.11, the settings would be as follows:

SERVER   DNS Settings
ADC1     10.20.30.10, 10.20.30.11
ADC2     10.20.30.11, 10.20.30.10

At the time of this writing, this can be achieved via support@dnsthingy.com to assist multiple BoxIDs at the same location.  In the future, this process will be automated and part of the UI.
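The DHCP scope and options from the example configuration above, the reverse zone, and the per-controller DNS client settings from the redundancy table, expressed as Windows Server PowerShell. This is an added example, not DNSthingy's or Microsoft's own material; it assumes the DHCP and DNS roles are installed on the AD server, that "Ethernet" is the interface alias on each controller, and it ends with a check that the scope never hands out the AD server as a DNS option, which is the mistake the document warns about.

```powershell
# Added example (not from the original document). Values follow the example
# configuration: DNSthingy at 10.20.30.1, ADC1 at 10.20.30.10, ADC2 at 10.20.30.11.
$DnsThingy   = '10.20.30.1'     # DNSthingy LAN IP: gateway AND the only DNS server for clients
$Adc1        = '10.20.30.10'
$Adc2        = '10.20.30.11'    # second controller from the redundancy table
$ScopeId     = '10.20.30.0'
$InternalDom = 'yourinternaldomain.local'

# DHCP scope 10.20.30.100-199, served by the Active Directory server (DHCP stays on AD, not on DNSthingy)
Add-DhcpServerv4Scope -Name 'LAN' -StartRange 10.20.30.100 -EndRange 10.20.30.199 `
    -SubnetMask 255.255.255.0 -State Active

# Option 3 (router) and option 6 (DNS) both point at the DNSthingy host; no AD secondary.
# Option 15 (DNS domain) lets clients resolve short names in the internal zone.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -Router $DnsThingy -DnsServer $DnsThingy `
    -DnsDomain $InternalDom

# AD-integrated reverse zone 30.20.10.in-addr.arpa, the second entry in the Rainbow list,
# so PTR lookups for 10.20.30.0/24 are answered by AD once DNSthingy redirects them there.
Add-DnsServerPrimaryZone -NetworkId "$ScopeId/24" -ReplicationScope Domain

# Each controller's own DNS client: itself first, the other controller second.
# Run as written on ADC1; on ADC2 swap the two addresses ($Adc2, $Adc1).
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses ($Adc1, $Adc2)

# Check: clients query every listed DNS server in parallel, so if option 6 contains
# a domain controller, per-device filtering on DNSthingy is silently bypassed.
function Test-DhcpDnsOption {
    param([string]$Scope, [string[]]$Forbidden)
    $dns = (Get-DhcpServerv4OptionValue -ScopeId $Scope -OptionId 6).Value
    $bad = @($dns | Where-Object { $Forbidden -contains $_ })
    if ($bad.Count -gt 0) {
        Write-Warning "Scope $Scope hands out $($bad -join ', ') as DNS; remove it so all queries pass through DNSthingy"
        return $false
    }
    Write-Output "Scope $Scope DNS option 6: $($dns -join ', ') (OK)"
    return $true
}
Test-DhcpDnsOption -Scope $ScopeId -Forbidden @($Adc1, $Adc2)
```

The check is worth re-running after any DHCP change, since adding a domain controller as "secondary DNS" is the most common way this setup is accidentally broken.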

Benefits of the above suggested configuration:

The advantages of this configuration over having devices all make DNS queries directly to AD are numerous:

  • Offloads DNS load from AD to the gateway for queries that AD would be forwarding upstream anyway.
  • Allows DNSthingy per-device filtering to work.  (When devices go to AD first for DNS answers, DNSthingy is unaware of the query’s origin, so per-device filtering couldn’t work in an AD-first scenario)
  • All AD and PTR record functionality is maintained and DHCP/DNS on AD is optimized, requiring answers only for itself.
  • Allows you to provide additional security for AD servers by building a “Microsoft Essentials” whitelist-only ruleset for them: the servers can still obtain Windows updates, but all other Internet access from them is denied because only whitelisted destinations resolve.