[Unbound-users] Unbound vs MS Resolver
Dave Warren
davew at hireahit.com
Tue Jun 3 17:57:37 UTC 2014
On 2014-06-03 05:49, Carsten Strotmann wrote:
> Dave Warren writes:
>
>> Obviously it's not a suitable replacement for Active Directory driven
>> DNS.
> Why not? It is best practice to separate DNS resolver (caching DNS
> server like Unbound) and authoritative server. While WinDNS can be used
> in both functions, it makes a good resilient and manageable DNS design
> to separate the DNS server functions on dedicated machines.
In general, I agree that it makes sense to split authoritative and
resolver roles. However, in the case of Windows and Active Directory,
Active Directory is built under the assumption that your DNS servers
accept AD authenticated dynamic updates, both from AD itself and from
clients, so it's best practice to only specify Microsoft DNS servers for
Active Directory domain controllers, member servers and workstations
when possible.
While you can do it via other methods (setting up AD's entries manually
or forwarding the appropriate zones), it takes a lot of head-banging to
get everything working and if you mess it up, the effects are subtle and
intermittent since parts of Windows will fall back on broadcasts and
other unreliable methods, and therefore will sometimes work even with
DNS misconfigured.
Also keep in mind that Microsoft's authoritative DNS is multi-master and
site-aware (so a machine registered in the current site will be
immediately available in DNS to the current site, but might take time to
propagate to other physical sites in the same DNS zone, balancing the
need for quick updates vs keeping the number of updates between sites
reasonable).
My theory is that each site (physical location as well as Active
Directory site/subnet) would have one unbound server that performs
internet resolution, with multiple AD servers that forward to the
unbound server.
> Unbound will nicely work as a secure DNSSEC validating resolver,
> resolving Internet names and also (possible) local Active Directory
> names that are stored on WinDNS AD integrated servers.
Microsoft DNS's DNSSEC support is limited at best, and it has no
pre-fetch support at all, so I'd like to use unbound for primary DNS
resolution. However, hosting Active Directory on anything but
Microsoft's DNS is outside of best practices for Active Directory.
>
>> However, even here, there's an interesting performance question: Is
>> it worth installing unbound and forwarding Microsoft DNS to unbound, or is it better to let Microsoft DNS perform its own resolution?
> Forwarding is (today) probably almost always slower than direct name
> resolution (and more complicated and brittle), unless you are connected
> to the Internet with a slow link. I recommend not using forwarding
> unless there are very special conditions.
>
> Unbound as a direct resolver might be faster than having WinDNS as a
> direct resolver.
It might. If so, I'd like to know how much faster or slower the servers
are on their own, but also how much overhead is involved if Microsoft's
DNS sits in the middle to see if complying with best practices is
appropriate, or if there's a technical justification to go with a more
complicated setup.
I have the impression that Microsoft DNS isn't particularly speedy, but
I have not actually attempted to benchmark it since Windows 2003 vs an
appropriate era BIND. At the time, BIND was faster, but only slightly,
but since this design effectively allowed for a shared cache, the
real-world performance was significantly improved.
My guess is that having several Microsoft DNS servers forward to a
single unbound server which does resolution of all non-local zones will
ultimately be slightly faster than having multiple Microsoft DNS servers
do the work themselves, but even if it's ultimately slightly slower,
gaining the benefits of Unbound's DNSSEC validation probably makes it
worthwhile. But if it's a lot slower, I would definitely be open to
other configurations.
--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
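The per-site design discussed above (one Unbound resolver doing Internet resolution and DNSSEC validation, with the site's AD-integrated Microsoft DNS servers forwarding non-local queries to it) can be expressed as the following unbound.conf. This is an added example, not configuration from the list thread or from the Unbound project; the addresses 10.0.1.53 (Unbound host), 10.0.1.10 and 10.0.1.11 (domain controllers) and the zone name corp.example.com are assumptions chosen for illustration.

```conf
# Added example (not from the list thread). Assumed addresses:
# 10.0.1.53 = this Unbound host, 10.0.1.10 / 10.0.1.11 = the site's
# domain controllers, corp.example.com = the Active Directory domain.
server:
    interface: 10.0.1.53

    # Only the site's domain controllers may recurse through this instance;
    # everything else is refused so the resolver is not an open recursor.
    access-control: 10.0.1.10/32 allow
    access-control: 10.0.1.11/32 allow
    access-control: 0.0.0.0/0 refuse

    # Refresh popular records shortly before their TTL expires. Microsoft
    # DNS has no pre-fetch, which is one reason to put Unbound in the path.
    prefetch: yes

    # DNSSEC validation for Internet names. The trust anchor file is
    # created and kept current by unbound-anchor (RFC 5011 rollover).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # The AD zone is served unsigned by the domain controllers. If the
    # public parent zone is signed and does not delegate the internal
    # name, the validator would otherwise prove it non-existent and mark
    # the answers bogus (SERVFAIL), so exempt the AD zone from validation.
    domain-insecure: "corp.example.com"

    # Unbound strips RFC 1918 addresses from answers as a rebinding guard;
    # AD names legitimately resolve to them, so allow it for that zone.
    private-address: 10.0.0.0/8
    private-domain: "corp.example.com"

# Send queries for AD names to the domain controllers that are authoritative
# for them, so a client that queries Unbound directly still gets the same
# AD-consistent answers (including site-aware records) that the DCs hold.
stub-zone:
    name: "corp.example.com"
    stub-addr: 10.0.1.10
    stub-addr: 10.0.1.11
```

Check the file with `unbound-checkconf` before restarting the service. On each domain controller, point the forwarders at the Unbound host (with the DnsServer PowerShell module: `Add-DnsServerForwarder -IPAddress 10.0.1.53`); because the DCs are authoritative for corp.example.com, they answer that zone themselves and only forward everything else, which is the split the thread describes. Reverse zones hosted on the DCs need the same treatment (a stub-zone plus `local-zone: "10.in-addr.arpa." nodefault`, since Unbound otherwise answers RFC 1918 reverse lookups locally). Validation failures for Internet names show up as SERVFAIL at the DC; `unbound-host -v` against the Unbound host distinguishes a bogus answer from a real outage.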