Recursive DNS
I have not yet had a chance to try out the most recent beta of Longhorn, but I have the following question/request that I am sure pretty much every administrator in the world using Windows Server has: Will Longhorn's DNS server no longer be open? I.e., will Longhorn's DNS server support something like "views" in BIND? If not, then why not?
September 18th, 2006 5:30pm

>> Will longhorn's DNS server no longer be open?

When you say "open" what do you mean? If you are asking if Windows Server "Longhorn" DNS will be based on Internet standards, the answer is yes.

>> will longhorn's DNS server support something like "views" in BIND?

This will not be a feature in Longhorn Server DNS. Currently there are no plans to support a "Split-brain DNS" where a single DNS server is responding with different data according to the origin of the query. Do you feel this is an important feature? Also, are you currently implementing Views with BIND?

>> If not, then why not?

In our Longhorn Server planning we did not find a lot of customer demand for this feature. Our suggested best practice when customers need to have two different sets of data for the same zone is to set up two different zones for the same domain on two different DNS Servers. The zones are separated and designated to serve either an internal or an external network. Internal DNS queries are answered using the zone data on the internal DNS Server, while external DNS queries are served using a different DNS server. The separation creates a more secure environment by not exposing internal DNS Servers to the external network (Internet). You find more on this topic at the following TechNet site: http://technet2.microsoft.com/WindowsServer/en/library/7f6df44c-06c3-4b92-ba32-63d895a7924b1033.mspx?mfr=true
October 4th, 2006 9:26pm

Yes, I believe this is a very important feature. From other user groups I belong to, as well, I know that many administrators would like this feature. I imagine one of the reasons it ISN'T asked for as much is because we all DO run a BIND server for just this reason. If it was all in the MS DNS server, we'd be able to get rid of BIND altogether. Since the goal seems to be consolidation ("Do more with less"), being able to run one DNS service versus being forced to run multiple DNS services would seem to be something of a priority. Also, the fact that recursion can't be disabled on an interface basis right now really bites. We have DNS servers sitting at our edge which are visible to the internet because they host our public zones. Since these servers are in a perfect position for it, they are also used by our internal network as their DNS servers for the internet. However, since recursion is applied across all interfaces on the DNS server, this opens the system up to DoS attacks on the DNS service. That's what I was referring to by it being "open," and it is a serious problem.
October 5th, 2006 10:08am
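The BIND 9 arrangement this thread keeps contrasting with the Windows DNS service (views serving different zone data per client origin, with recursion allowed only for LAN clients) written out as a constructed named.conf fragment; it is an added example, not from any post in the thread, and the acl name, address range, zone name and file paths are assumptions.

```conf
// Constructed example named.conf fragment: one BIND 9 server hosting a
// split-brain "example.com" and acting as a recursive resolver only for
// the internal network. Addresses and paths are placeholders.
acl "internal-nets" {
    127.0.0.1;
    10.0.0.0/8;          // assumption: internal RFC 1918 range
};

options {
    directory "/var/named";
    listen-on { any; };  // same listener for every interface; views decide behaviour
    recursion no;        // global default stays closed; opened per view below
    allow-query { any; };
};

// Clients matching the acl see the private zone data and may use the
// server as their recursive resolver for the Internet.
view "internal" {
    match-clients { "internal-nets"; };
    recursion yes;
    allow-recursion { "internal-nets"; };
    zone "." {
        type hint;
        file "named.root";                  // root hints needed for recursion
    };
    zone "example.com" {
        type master;
        file "internal/example.com.zone";   // private addresses
    };
};

// Everyone else only sees the public zone and is refused recursion, so the
// edge server is authoritative-only toward the Internet.
view "external" {
    match-clients { any; };
    recursion no;
    allow-recursion { none; };
    zone "example.com" {
        type master;
        file "external/example.com.zone";   // public addresses
    };
};
```

Views are matched in order, so the first view's `match-clients` must be the narrower one; `named-checkconf` validates the syntax before a reload.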

It's not so much that we're worried about security of our internal zones. That's easily attainable by keeping the private zone on a private DNS server. However, the current DNS server in Server 2k3 is terrible on the edge as a caching server because of the fact that it will answer recursive queries on all interfaces without exception.
October 5th, 2006 10:11am

>> If not, then why not? In our Longhorn Server planning we did not find a lot of customer demand for this feature.

I'm surprised that you said this. You only need to visit the Newsgroups to see the numerous "split-brain"-related issues that come up from numerous AD admins. This is indeed a very popular request, and the usual "fix" is not very practical or palatable. Just ask your ISA server dev/product team.

=== Edited by Deji Akomolafe @ 17 Oct 2006 7:00 PM UTC ===

UPDATE: I just found this - http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=829924&SiteID=17 Please don't assume that this is an anomalous request/issue. It is a very common one.

Deji
October 17th, 2006 9:55pm

Good to see someone else speak up on this. It really is a biggie. It's one of those things *nix admins like to hold over us Windows admins' heads as a "our system is better than your system" argument. Just go to any of the big web-based DNS tools and every single one of them comments on the Windows Server DNS service being sub-par, primarily because of this issue. I recommend taking a very serious second look at this.
October 23rd, 2006 7:14am

It has taken Microsoft a while to finally develop an OS which was oriented more towards a *nix philosophy (i.e. a server needs to be simple, low maintenance, contain only the services needed; the services need to be robust, secure and they mustn't use much memory). If Microsoft were to take a look at the current DNS server service then I'm sure there are a few aspects which can be improved. Security wise the Microsoft DNS service is lacking; views mustn't be considered a feature but a necessity, especially for those that service the internet as well as a variety of networks (intranet, & various DMZ networks which are not allowed to see each other; we can't all afford a DNS server for each separate network). Secondly I think the secure DNS zones that are contained in AD can be improved a little. The current scavenging feature could be improved; I find it difficult to keep DNS zones up to date with current data. At the moment I don't see much difference between a secure and a non-secure zone; there are loopholes which enable non-authorized clients to have their DNS records registered in any case. Better to do a few things well than introduce a lot of new features which will take time to sort out. And yes, where I work at the moment we use three BIND servers to cater for what is lacking in Microsoft's DNS server service.
March 4th, 2007 6:56pm

Simple DNS Plus runs on Windows 2003 and allows recursion only for LAN clients: http://www.simpledns.com/
April 2nd, 2007 5:48pm

I totally agree with this! I deal with so many different realms (DMZ, EDGE, INTERNAL) and compound this by multiple domains across the globe. To not support split-brain is really a bummer. We may consider switching to a BIND9 implementation simply for this feature. It allows us to do things like provide locale-based web site access so that we do not have to buy expensive content switches etc. Microsoft's default answer of just put up more DNS infrastructure is really poor. Sounds like a weak excuse to purchase more servers and operating systems, which is something we are working hard at reducing. I think they need to re-look at this decision!
May 3rd, 2007 8:39pm
