[Samba] Samba AD with bind and question about "split dns"/view

Fabio Fantoni fabio.fantoni at m2r.biz
Thu Jan 4 12:37:43 UTC 2024


On 04/01/2024 12:26, Rowland Penny via samba wrote:
> On Thu, 4 Jan 2024 11:50:19 +0100
> Fabio Fantoni via samba <samba at lists.samba.org> wrote:
>
>> Hi, recently from Windows clients I have seen anomalous behavior in
>> DNS resolution if there are multiple IP addresses, especially on DCs,
>> referring to different subnets. More specifically, the different
>> subnets are mesh VPN networks such as zerotier and netbird.
>>
>> Trying to make only the IPs of the corresponding subnet appear as a
>> result, based on where the request comes from (for example, if the
>> request comes from the LAN (192.168.1.x), reply with the IP of that
>> subnet, and if it comes from zerotier (10.13.100.x), reply with the IP
>> of this other subnet), I found "split dns" using "view" in bind.
>>
>> Looking at the use of views in Bind, it seems that it can be done, but
>> using different zones per view; I don't understand if it is possible to
>> use it with Bind on Samba AD, and if you can manage to have the IPs of
>> new members who join go to the correct zone and also keep dynamic
>> updates working.
>>
>> Can someone please tell me if it is possible to do this with Samba AD
>> and DNS management with Bind?
>>
>>
> The IP isn't the problem, it sounds like you didn't use a subdomain of
> your registered dns domain for your AD domain. For example, if your
> registered dns domain is 'example.com', you should have used something
> like 'ad.example.com' for your AD domain.
>
> I am unsure if Samba can do what you require, Microsoft didn't get the
> ability to use split-dns until version 2016 and Samba hasn't got that
> far yet.
>
> Rowland
>
Thanks for reply.

The DNS domains used in the AD domains are almost all .local, therefore 
not registered DNS domains. I know that .local is not good to use and 
unfortunately they were created that way many years ago.

Doing some tests, however, I fear it would not work in the case of 
"switching" requests to the VPN networks if the LAN were not reachable: 
in the case of requests to the domain controller remotely (using only 
mesh VPNs), or in the case where the domain controller, or other 
servers that use it, were booted into disaster recovery connected only 
via the internet and mesh networks.

As I had already seen in a few days of testing months ago, it is 
difficult to reach a solution that works well for this case, and I had 
also tried with a Windows domain controller.

It seemed that it used the LAN IP based on the order; however, it was not 
always possible to get it to use the correct IP with sources other than 
the LAN, but at least, basically without modifications, it used the LAN 
IP.

Even though I couldn't reach my employer's goal, I kept the mesh networks 
configured on the domain controllers and added more later.

Unfortunately, recently I've been experiencing strange problems on 
Windows clients, which seem to randomly use the different IPs of the 
domain controllers, causing unexpected events; I haven't yet understood 
why this happens.

I was trying to see if, with the Samba domain controllers and in 
particular with Bind, it was possible to do something better than with 
Windows, but even though I found some possibilities with some manual 
configurations using Bind, I couldn't understand how to exploit them (if 
possible) in Samba AD+Bind.

I guess I will have to remove the mesh networks (leaving only the LAN) on 
all domain controllers, both Windows and Linux, to avoid problems.


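For reference, the BIND mechanism the original question refers to ("split dns" with views) looks like the fragment below. It is an added example for this thread, not configuration posted by Fabio or shipped by Samba: the two subnets are the ones named in the question, while the zone name "example.local", the file paths and the DC addresses in the comments are assumptions. Each view carries its own copy of the zone, which is exactly why it answers the question only partially: a zone served from Samba's DLZ module is a single data source, so attaching it to two views does not by itself produce different addresses per subnet, and a dynamic update from a domain member lands only in the copy belonging to the view that received it. Those are the two open points in the thread.

```conf
# Added example, not part of the thread: classic BIND 9 split-horizon
# DNS with views. Subnets are the ones named in the question; the zone
# name "example.local", file paths and DC addresses are assumptions.

acl "lan"      { 192.168.1.0/24; localhost; };
acl "zerotier" { 10.13.100.0/24; };

options {
    directory "/var/cache/bind";
};

# Views are evaluated in order: the first match-clients that admits the
# querying source address wins, so the most specific view goes first.
view "lan" {
    match-clients   { "lan"; };
    recursion yes;
    allow-recursion { "lan"; };
    zone "example.local" {
        type primary;                               # "master" on BIND < 9.16
        file "/etc/bind/zones/example.local.lan";   # dc1 A 192.168.1.10 (assumed)
    };
};

view "zerotier" {
    match-clients   { "zerotier"; };
    recursion yes;
    allow-recursion { "zerotier"; };
    zone "example.local" {
        type primary;
        file "/etc/bind/zones/example.local.zt";    # dc1 A 10.13.100.10 (assumed)
    };
};

# Anything else, e.g. the internet-facing side of a mesh node: answer
# nothing rather than let the DC act as an open resolver.
view "other" {
    match-clients { any; };
    recursion no;
    allow-query { none; };
};
```

Validate the file with `named-checkconf -z` and then query from a host in each subnet (`dig @192.168.1.10 dc1.example.local A`), or from the DC itself with `dig -b 10.13.100.10 @10.13.100.10 dc1.example.local A` to force the source address and confirm that the zerotier view, not the LAN one, answers. A less invasive option to check against your BIND version is the `sortlist` option, which reorders the addresses in an answer according to the querying client's network instead of hiding them; it works within a single view and a single data source, but it relies on the client honouring the order, which is the behaviour the thread describes as unreliable on Windows.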