[Samba] Samba 4 AD DC and BIND

Gregory Sloop gregs at sloop.net
Wed Mar 13 11:39:15 MDT 2013

>>  If you are doing that,
>> then I suggest you find a different way to operate - the AD DC is the
>> security heart of the network, and should be more protected than that.

GR> My AD DC is not directly connected to the internet. It is
GR> behind an internet gateway router which has 53 open and
GR> routing traffic to/from the BIND server on the AD DC. Nothing unusual about this.

GR> The point of the split DNS and views is exactly to prevent
GR> exposing internal network to the outside world.

Which, to me at least, means that queries from the world are hitting
the BIND server on your AD - which is *exactly* what Andrew was
talking about.

...And when someone finds a way to compromise BIND, your AD is also
totally compromised. It's probably a lot easier to burn down and
rebuild a BIND server vs your whole AD infrastructure.

I guess this whole branch of the discussion is essentially off-topic,
but were I in your shoes, I'd be running a stand-alone BIND server
completely separate from the AD for security as well as simplicity
purposes. [Or moving the "external" DNS services into a service
provider somewhere.]

...Or run it in a VM if you have to. Just don't, IMO, run a
world-reachable BIND server as part of AD.
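As an added illustration of the layout Gregory recommends (not configuration from this thread or from the Samba project): the BIND instance on the AD DC listens only on the internal interface and answers only internal clients, while a separate authoritative-only host serves the public zone. Addresses, zone names, file paths and the Samba install prefix below are assumed.

```conf
// --- AD DC: named.conf (assumed path) -- internal clients only ---
options {
    directory "/var/cache/bind";
    listen-on { 10.0.0.10; };                 // assumed internal address of the DC
    listen-on-v6 { none; };
    allow-query { localhost; 10.0.0.0/8; };   // assumed internal range
    allow-recursion { localhost; 10.0.0.0/8; };
    allow-transfer { none; };                 // AD zone data never leaves the DC
    recursion yes;                            // resolver for the LAN only
    version "none";
};
// Samba generates this include for the BIND9_DLZ backend that loads the AD
// zones; the prefix /usr/local/samba is the default build prefix (assumed).
include "/usr/local/samba/private/named.conf";

// --- Stand-alone external server: named.conf (assumed path) -----------
// Reachable from the world, so it is authoritative only and carries no
// AD data; the gateway's port-53 forwarding points here, not at the DC.
options {
    directory "/var/cache/bind";
    listen-on { 203.0.113.5; };               // assumed public address
    recursion no;                             // never recurse for the internet
    allow-query { any; };
    allow-transfer { 203.0.113.6; };          // assumed secondary only
    allow-update { none; };
    version "none";
};
zone "example.com" {                          // assumed public zone name
    type master;
    file "/etc/bind/zones/db.example.com.external";   // public records only
};
```

With the split done by host rather than by `view`, a compromise of the external server yields nothing about the AD zone, and the DC can be rebuilt or patched independently of public DNS.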

