[Samba] Samba 4 AD DC and BIND

Gerry Reno greno at verizon.net
Wed Mar 13 07:57:50 MDT 2013

On 03/13/2013 12:53 AM, Andrew Bartlett wrote:
> On Mon, 2013-03-11 at 19:16 -0400, Gerry Reno wrote:
>> Since I am using views, where should I include the provision-generated named.conf?
>> Just in the local network view?
> Why are you using views?
> My understanding is that these are normally used when external clients
> and internal clients may hit the same name server.  That implies that
> there is direct internet access to your AD DC.  If you are doing that,
> then I suggest you find a different way to operate - the AD DC is the
> security heart of the network, and should be more protected than that. 
> One approach is to have your DNS server (with views) use a zone of type
> 'forward' to point at the Samba server, which would not need to know
> about these complex thigs. 
> Otherwise, if you insist you will have to manually determine how the
> view statements and the include statements interact.  This hasn't ever
> been done before, and I don't know if the dlz module is compatible with
> that, as it dynamically creates the zones. 
> Andrew Bartlett

My AD DC is not directly connected to the internet.   It is behind an internet gateway router which has 53 open and
routing traffic to/from the BIND server on the AD DC.  Nothing unusual about this.

The point of the split DNS and views is exactly to prevent exposing internal network to the outside world.

I am going to try the dlz with the views.  I can think of no reason why it should not work.  If I run into trouble I'll
post back.


More information about the samba mailing list