[Samba] Samba 4 AD DC and BIND
greno at verizon.net
Wed Mar 13 12:51:16 MDT 2013
On 03/13/2013 01:39 PM, Gregory Sloop wrote:
>>> If you are doing that,
>>> then I suggest you find a different way to operate - the AD DC is the
>>> security heart of the network, and should be more protected than that.
> GR> My AD DC is not directly connected to the internet. It is
> GR> behind an internet gateway router which has 53 open and is
> GR> routing traffic to/from the BIND server on the AD DC. Nothing unusual about this.
> GR> The point of the split DNS and views is exactly to prevent
> GR> exposing internal network to the outside world.
> Which, to me at least, means that queries from the world are hitting
> the BIND server on your AD - which is *exactly* what Andrew was
> talking about.
> ...And when someone finds a way to compromise BIND, your AD is also
> totally compromised. It's probably a lot easier to burn down and
> rebuild a BIND server vs your whole AD infrastructure.
> I guess this whole branch of the discussion is essentially off-topic,
> but were I in your shoes, I'd be running a stand-alone BIND server
> completely separate from the AD for security as well as simplicity
> purposes. [Or moving the "external" DNS services into a service
> provider somewhere.]
> ...Or run it in a VM if you have to. Just don't, IMO, run a
> world-reachable BIND server as part of AD.
I have plenty of installations that are set up running separate DNS machines.
Just not this one, which is running just for some testing.
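As an added illustration (not from this thread or from the Samba project), here is one way to lay out the separation Gregory is recommending: a stand-alone BIND host carrying the split views, with the AD zones forwarded to the DC instead of being served from it. The domain, addresses and file paths are assumed.

```conf
// named.conf for a stand-alone BIND host, separate from the AD DC.
// Assumed names: corp.example.com (AD domain), 192.168.10.5 (AD DC),
// 192.168.0.0/16 (internal clients). Split DNS: internal clients reach
// AD data via forwarding; Internet clients see only the public zone.
options {
    directory "/var/cache/bind";
    recursion no;              // default for every view unless overridden
    allow-transfer { none; };  // no zone transfers unless a view allows them
    version "not disclosed";
};

acl corp-clients { 192.168.0.0/16; 127.0.0.0/8; };

view "internal" {
    match-clients { corp-clients; };
    recursion yes;
    // AD-integrated zones stay on the DC; forward them there so the
    // SRV and dynamically updated records never live on this host.
    zone "corp.example.com" {
        type forward;
        forward only;
        forwarders { 192.168.10.5; };
    };
    zone "_msdcs.corp.example.com" {
        type forward;
        forward only;
        forwarders { 192.168.10.5; };
    };
    zone "." { type hint; file "/usr/share/dns/root.hints"; };
};

view "external" {
    match-clients { any; };
    recursion no;              // never recurse for Internet clients
    // Public zone only: no internal hostnames, no AD records.
    zone "example.com" {
        type master;
        file "/etc/bind/db.example.com.external";
    };
};
```

With this layout only port 53 on this host is reachable from the gateway, and a compromise of BIND exposes a box that holds a public zone file rather than the AD database.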