[Samba] specify alternative port for samba internal dns server

Andrew Bartlett abartlet at samba.org
Sat Feb 28 18:20:53 MST 2015

On Thu, 2015-02-26 at 16:10 -0800, Ben Cohen wrote:
> While expressing your opinions earlier in the thread, the idea was raised
> that it is somehow _REQUIRED_ for clients to use the samba internal dns
> directly rather than receive dns responses via an intermediary dns server
> -- can someone confirm whether or not this is the case?

It is, as GSS-TSIG secured dynamic updates must go directly to the
target server on port 53, they are not proxied.

If you need to run multiple services, and pointing clients at another
DNS server to proxy to samba is a supported configuration, just don't
try and change the port, change the IP (multiple IP addresses on a
single physical adaptor), and ensure that like LDAP, clients can still
reach it directly.

I really should get around to proposing removal of the various 'xxx
port' options for AD services.  These just add complexity and encourage
folks down the wrong line of thought, rather than to virtual interfaces.
The selection of which services are in or not in that list is
essentially random - portmapper on 135, ldap and ldaps also are not
listed, but cldap is!

As to BIND being overkill, the time I've spent working in AD has shown
me that everything looks like overkill until you have to implement
everything that is needed.  The choice of DNS servers seems to be
something folks get very passionate about, I actually wish we had just
mandated BIND9 and put the effort into automating the configuration.
The current situation where users hope for the simplicity of 'internal
DNS' with just one more option 

I hope this helps,

Andrew Bartlett 

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
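The reply above recommends keeping port 53 and separating services by IP address instead (a second address on the same adapter, Samba bound to one, the other DNS server bound to the other). The following is an added example, not code from the thread or from the Samba project: a small checker that reads a constructed smb.conf fragment and a constructed named.conf fragment and reports the addresses on which both daemons would try to bind port 53. It assumes the real Samba options `interfaces` and `bind interfaces only` and BIND's `listen-on` / `listen-on-v6` statements; the parsing is deliberately simplified (interface names such as `eth0` in `interfaces` are not resolved, and BIND address-match-list features beyond literal addresses, `any` and `none` are not handled), and the addresses are RFC 5737 documentation addresses.

```python
"""Detect port-53 bind collisions between Samba's internal DNS and BIND.

Constructed config fragments (not from the mailing-list thread); the
parsing is a simplified model written for this example.
"""
import ipaddress
import re

# Constructed smb.conf fragment: Samba restricted to its own secondary address.
SMB_CONF = """
[global]
    server role = active directory domain controller
    interfaces = lo 192.0.2.10/24
    bind interfaces only = yes
"""

# Constructed named.conf fragment: BIND on the adapter's primary address only.
NAMED_CONF_SEPARATE = """
options {
    listen-on port 53 { 192.0.2.11; };
    listen-on-v6 { none; };
};
"""

# Same host, but BIND left on the wildcard address, which clashes with Samba.
NAMED_CONF_WILDCARD = """
options {
    listen-on { any; };
};
"""

WILDCARD = "any"  # marker for "every address on the host"

LISTEN_RE = re.compile(
    r"listen-on(?:-v6)?\s*(?:port\s+(\d+))?\s*\{([^}]*)\}", re.S)


def samba_dns_listeners(smb_conf):
    """Addresses Samba's internal DNS binds on port 53.

    Samba restricts itself to the 'interfaces' list only when
    'bind interfaces only = yes'; otherwise it binds every address.
    Interface names (lo, eth0) are resolved by Samba at runtime; this
    example (assumption) keeps only literal IP or IP/mask entries.
    """
    params = {}
    for line in smb_conf.splitlines():
        stripped = line.strip()
        if "=" in stripped and not stripped.startswith(("#", ";")):
            key, _, value = stripped.partition("=")
            params[" ".join(key.split()).lower()] = value.strip()
    if params.get("bind interfaces only", "no").lower() not in ("yes", "true", "1"):
        return {WILDCARD}
    addrs = set()
    for token in params.get("interfaces", "").split():
        try:
            addrs.add(str(ipaddress.ip_interface(token).ip))
        except ValueError:
            continue  # an interface name rather than an address
    return addrs


def bind_listeners(named_conf, port=53):
    """Addresses BIND binds on the given port, from listen-on / listen-on-v6.

    'any' means every address of that family, 'none' means no listener.
    Only literal addresses, 'any' and 'none' are understood here.
    """
    addrs = set()
    for match in LISTEN_RE.finditer(named_conf):
        if int(match.group(1) or 53) != port:
            continue
        for item in match.group(2).split(";"):
            item = item.strip()
            if not item or item == "none":
                continue
            addrs.add(WILDCARD if item == "any" else item)
    return addrs


def port53_conflicts(samba_addrs, bind_addrs):
    """Addresses on which both daemons would try to bind port 53.

    A wildcard on either side collides with every address of the other;
    two wildcards are reported as the wildcard itself.
    """
    if not samba_addrs or not bind_addrs:
        return set()
    if WILDCARD in samba_addrs or WILDCARD in bind_addrs:
        return (samba_addrs | bind_addrs) - {WILDCARD} or {WILDCARD}
    return samba_addrs & bind_addrs


if __name__ == "__main__":
    samba = samba_dns_listeners(SMB_CONF)
    for label, conf in (("separate IPs", NAMED_CONF_SEPARATE),
                        ("wildcard", NAMED_CONF_WILDCARD)):
        clash = port53_conflicts(samba, bind_listeners(conf))
        print(f"{label}: {'OK' if not clash else 'CONFLICT on ' + ', '.join(sorted(clash))}")
```

With the separate-address configs the check reports no conflict; with BIND left on `any` it reports the clash on 192.0.2.10, which is the situation that tempts people to reach for a port option instead of a second address.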
