[Samba] BIND as DNS Slave of SAMBA 4 Internal DNS and Windows 2008

Nico Kadel-Garcia nkadel at gmail.com
Tue Aug 9 11:40:04 UTC 2016


On Mon, Aug 8, 2016 at 5:49 AM, Stefan Kania <stefan at kania-online.de> wrote:
> You should set up a DNS proxy and use this proxy as forwarder in your
> domains.

Really, really not the same thing as a DNS slave. If your DNS master,
such as your Samba or AD server, goes toes up for whatever reason, the
DNS slave can continue to serve the same domains until the DNS zones
expire. Most admins I've encountered set that SOA record to be roughly
a day, or 86400 seconds, to allow time for recovery or maintenance.

A DNS forwarder is basically a proxy on port 57, possibly with some
local tweaks to the DNS. And if I run into *one more so-called DNS
forwarder* that is used to write internal IP addresses instead of
external IP addresses for the same hostname when seen from inside a
network, instead of doing DNS views properly, I'm going to be very
cross indeed.

DNS slaves have big advantages for security: they can host only the
DNS, without any LDAP or Kerberos access, and be installed much more
safely in a de-militarized zone to serve specific needs without any
need for anything but port 53 access to the relevant Samba server.

They also provide the opportunity to take copies of the slaved zones,
run them through "mkrdns" to publish and verify reverse DNS records,
run them through "named-compilezone" for completely consistent format,
and store them in source control to be able to track changes.

In this case, you could set up the slaves with NS records for the
relevant domains, just for clarity of provenance, and point the local
hosts to the *slaves* instead of directly to AD or Samba servers. This
avoids the integration complexities of AD or Samba "forests" and
making the servers talk to each other in any way but as DNS services.
And if your Samba environment is under active development, or your AD
server is getting regular updates that require reboots, you're reliant
on a much less expensive and much more easily maintained 24x7 service
on slave DNS servers.

Been there, done that, published my notes on getting this kind of
setup into source control under Subversion at SVNDay in Berlin some
years back. The title was "Subverting Masters and Slaves, Putting
Them in Cages, and Making Them Report Names and Addresses". The title
reflected that the setup was also in chroot cages and using BIND and
Subversion. The approach is still useful, even with git and Samba
based DNS servers.

> On 08.08.2016 at 08:20, bentunx wrote:
>> Hi guys,
>>
>> I need some advice for a case I am facing here.
>>
>> I have two ADs with two different domains, platforms and networks:
>>
>> I expect all users in each domain to be able to resolve the other
>> domain's DNS.
>>
>> Let's say:
>> 1. domainwin.com >> Windows 2008 AD >> 172.16.1.2
>> 2. domainnux.com >> Samba 4 AD >> 172.16.2.2
>>
>> Is it possible to create one new BIND DNS server at 172.16.3.2
>> (different network) that works as slave DNS of
>> domainwin.com/172.16.1.2 and domainnux.com/172.16.2.2, and then make
>> the new BIND DNS server (172.16.3.2) the DNS forwarder in AD
>> domainwin.com and AD domainnux.com?
>>
>> TIA
>>
>> Zhia Chandra
>
> --
> Stefan Kania
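A minimal named.conf for the BIND slave at 172.16.3.2 in bentunx's layout, written as an added example for this thread and not taken from any poster's configuration. It assumes both masters accept AXFR from 172.16.3.2 (Windows AD DNS disables zone transfers until they are enabled per zone, and a Samba DC normally needs the BIND9_DLZ back end rather than the internal DNS server to answer them), and the directory, file names, ACL name and netmasks are placeholders.

```conf
// Added example: authoritative-only BIND slave for both AD domains.
// Addresses are the ones given in the thread; everything else is assumed.
acl ad-masters { 172.16.1.2; 172.16.2.2; };

options {
    directory "/var/named";              // assumed path
    listen-on { 172.16.3.2; };
    recursion no;                        // serve slaved zones only, no lookups for anyone
    allow-query { 172.16.1.0/24; 172.16.2.0/24; 172.16.3.0/24; };  // assumed netmasks
    allow-transfer { none; };            // do not re-publish the zones to third parties
    allow-notify { ad-masters; };        // accept NOTIFY so refresh happens promptly
};

// Both Windows AD and Samba keep _msdcs.<domain> as a separate zone,
// so each domain needs two slave zones, not one.
zone "domainwin.com" IN {
    type slave;
    file "slaves/domainwin.com.db";
    masters { 172.16.1.2; };
};
zone "_msdcs.domainwin.com" IN {
    type slave;
    file "slaves/_msdcs.domainwin.com.db";
    masters { 172.16.1.2; };
};

zone "domainnux.com" IN {
    type slave;
    file "slaves/domainnux.com.db";
    masters { 172.16.2.2; };
};
zone "_msdcs.domainnux.com" IN {
    type slave;
    file "slaves/_msdcs.domainnux.com.db";
    masters { 172.16.2.2; };
};
```

Once the zones have transferred, `dig @172.16.3.2 domainnux.com SOA` should show the same serial as the master, and the host resolvers can be pointed at 172.16.3.2 as Nico describes instead of at the AD or Samba servers.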