[Samba] Samba 4 AD DC and BIND
gregs at sloop.net
Wed Mar 13 11:39:15 MDT 2013
>> If you are doing that,
>> then I suggest you find a different way to operate - the AD DC is the
>> security heart of the network, and should be more protected than that.
GR> My AD DC is not directly connected to the internet. It is
GR> behind an internet gateway router which has 53 open and
GR> routing traffic to/from the BIND server on the AD DC. Nothing unusual about this.
GR> The point of the split DNS and views is exactly to prevent
GR> exposing internal network to the outside world.
Which, to me at least, means that queries from the world are hitting
the BIND server on your AD - which is *exactly* what Andrew was
...And when someone finds a way to compromise BIND, your AD is also
totally compromised. It's probably a lot easier to burn down and
rebuild a BIND server vs your whole AD infrastructure.
I guess this whole branch of the discussion is essentially off-topic,
but were I in your shoes, I'd be running a stand-alone BIND server
completely separate from the AD for security as well as simplicity
purposes. [Or moving the "external" DNS services into a service
...Or run it in a VM if you have to. Just don't, IMO, run a
world-reachable BIND server as part of AD.
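As an added illustration of the split this post argues for (not configuration from the thread or from the Samba project), the two named.conf fragments below contrast a stand-alone, Internet-facing BIND host that is authoritative only for the public zone, with the AD DC's BIND that serves the internal view only and never listens on an externally reachable address. The zone name, addresses and file paths are placeholders.

```conf
// ---- Host A: stand-alone public DNS (the only thing port 53 is forwarded to) ----
// Authoritative-only: no recursion, no zone transfers, no internal data at all.
options {
    directory "/var/named";
    listen-on { 203.0.113.10; };      // placeholder public address of the stand-alone host
    recursion no;                     // never act as a resolver for the Internet
    allow-query { any; };             // public zone data is meant to be public
    allow-transfer { none; };         // no AXFR to arbitrary clients
    version "none";                   // do not advertise the BIND version
};

zone "example.com" {                  // placeholder public zone name
    type master;
    file "external/example.com.zone"; // contains only externally published records
};

// ---- Host B: BIND on the AD DC (internal clients only) ----
// Bound to the internal interface; the gateway has no forwarding rule pointing here.
acl internal { 10.0.0.0/8; 192.168.0.0/16; localhost; };   // placeholder internal ranges

options {
    directory "/var/named";
    listen-on { 10.0.0.5; };          // placeholder internal address of the DC
    recursion yes;                    // resolver for domain members
    allow-query { internal; };        // refuse everything that is not internal
    allow-recursion { internal; };
    allow-transfer { none; };
};

view "internal" {
    match-clients { internal; };
    // AD-integrated zones are loaded here (for example via the Samba DLZ module);
    // the exact include/dlz directive depends on the Samba and BIND versions in use.
    include "/usr/local/samba/private/named.conf";  // placeholder path
};
```

The point of splitting the roles across hosts, rather than across two views on the DC, is that a fault in the world-reachable daemon ends on a host that holds no directory data; the DC's named is not reachable from the gateway at all, so the external view on the DC is not needed.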