[Samba] Samba AD with bind and question about "split dns"/view
Fabio Fantoni
fabio.fantoni at m2r.biz
Thu Jan 4 12:37:43 UTC 2024
On 04/01/2024 12:26, Rowland Penny via samba wrote:
> On Thu, 4 Jan 2024 11:50:19 +0100
> Fabio Fantoni via samba <samba at lists.samba.org> wrote:
>
>> Hi, recently from Windows clients I have seen anomalous behavior in
>> DNS resolution if there are multiple IP addresses, especially in DCs,
>> referring to different subnets. More specifically the different
>> subnets are mesh VPN networks such as zerotier and netbird.
>>
>> Trying to make only the IPs of the corresponding subnet appear as a
>> result based on where the request comes from, for example if the
>> request comes from the LAN (192.168.1.x) reply with the IP of that
>> subnet and if it comes from zerotier (10.13.100.x) reply with the IP of
>> this other subnet, I found "split dns" with use of "view" in bind.
>>
>> Looking at the use of view in Bind it seems that it can be done but
>> using different zones per view. I don't understand if it is possible to
>> use it with Bind on samba AD and if you can manage to have the IPs of
>> new members who join go to the correct zone and also be able to have
>> dynamic update still working.
>>
>> Can someone please tell me if it is possible to do this with samba AD
>> and DNS management with Bind?
>>
>>
> The IP isn't the problem, it sounds like you didn't use a subdomain of
> your registered dns domain for your AD domain. For example, if your
> registered dns domain is 'example.com', you should have used something
> like 'ad.example.com' for your AD domain.
>
> I am unsure if Samba can do what you require, Microsoft didn't get the
> ability to use split-dns until version 2016 and Samba hasn't got that
> far yet.
>
> Rowland
>
Thanks for the reply.
The DNS domains used in the AD domains are almost all .local, therefore
not registered DNS domains. I know that .local is not good to use and
unfortunately they were created that way many years ago.
Doing some tests, however, I fear it would not work in the case of
"switching" requests via VPN networks if the domain controller were not
reachable through the LAN, in the case of requests to the domain
controller remotely (using only mesh VPNs) or in the case of the domain
controller or other servers that use it being booted into disaster
recovery connected only via the internet and mesh networks.
As I had already seen in a few days of testing months ago, it is
difficult to reach a solution that works well for this case, and I had
also tried with a Windows domain controller.
It seemed that it used the LAN IP based on the order; however, it was not
always possible to get it to use the correct IP with sources other than
the LAN, but at least, basically without modifications, it used the LAN
IP.
Even though I couldn't reach my employer's goal I kept the mesh networks
configured on the domain controllers and added more later.
Unfortunately recently I've been experiencing strange problems on
Windows clients which seem to randomly use the different IPs of the
domain controllers causing unexpected events, I haven't yet understood
why this happens.
I was trying to see if with the Samba domain controllers and in
particular with Bind it was possible to do something better than with
Windows but even if I found some possibilities with some manual
configurations using Bind I couldn't understand how to exploit them (if
possible) in Samba AD+bind.
I guess I will have to remove mesh networks (leaving only LAN) on all
domain controllers, both Windows and Linux, to avoid problems.