[Samba] BIND as DNS Slave of SAMBA 4 Internal DNS and Windows 2008

bentunx bentunx at gmail.com
Wed Aug 10 11:32:15 UTC 2016


Great, Mathias, and others who gave some feedback, thanks a lot.

Let me try it first...

On 10/08/2016 15:17, mathias dufresne via samba wrote:
> As explained in some other thread here, you can set up a Bind server with
> zone type forward so that DNS server forwards every request to your DC
> (declared as forwarders in these zones).
>
> No need of proxy, no need of building master/slaves, just add:
> zone "domainwin.com" IN {
>    type forward;
>    forward only;
>    forwarders {
>      <IP of some DC in that domain>;
>      <IP of some other DC in that domain>;
>      ...
>    };
> };
>
> Do the same for domainnux.com, use that DNS server as resolver, your
> clients will access both domains.
> Add forward and recursion on that server and your clients will have access
> to internet.
>
> 2016-08-09 13:40 GMT+02:00 Nico Kadel-Garcia <nkadel at gmail.com>:
>
>> On Mon, Aug 8, 2016 at 5:49 AM, Stefan Kania <stefan at kania-online.de>
>> wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> you should set up a dns-proxy and use this proxy as forwarder in your
>>> domains
>> Really, really not the same thing as a DNS slave. If your DNS master,
>> such as your Samba or AD server, goes toes up for whatever reason, the
>> DNS slave can continue to serve the same domains until the DNS zones
>> expire. Most admins I've encountered set that SOA record to be roughly
>> a day, or 86400 seconds, to allow time for recovery or maintenance.
>>
>> A DNS forwarder is basically a proxy on port 57, possibly with some
>> local tweaks to the DNS. And if I run into "one more so-called DNS
>> forwarder" that is used to write internal IP addresses instead of
>> external IP addresses for the same hostname when seen from inside a
>> network, instead of doing DNS views properly, I'm going to be very
>> cross indeed.
>>
>> DNS slaves have big advantages for security: they can host only the
>> DNS, without any LDAP or Kerberos access, and be installed much more
>> safely in a de-militarized zone to serve specific needs without any
>> need for anything but port 53 access to the relevant Samba server.
>>
>> They also provide the opportunity to take copies of the slaved zones,
>> run them through "mkrdns" to publish and verify reverse DNS records,
>> run them through "named-compilezone" for completely consistent format,
>> and store them in source control to be able to track changes.
>>
>> In this case, you could set up the slaves with NS records for the
>> relevant domains, just for clarity of provenance, and point the local
>> hosts to the *slaves* instead of directly to AD or Samba servers. This
>> avoids the integration complexities of AD or Samba "forests" and
>> making the servers talk to each other in any way but as DNS services.
>> And if your Samba environment is under active development, or your AD
>> server is getting regular updates that require reboots, you're reliant
>> on a much less expensive and much more easily maintained 24x7 service
>> on slave DNS servers.
>>
>> Been there, done that, published my notes on getting this kind of
>> setup into source control under Subversion at SVNDay in Berlin some
>> years back. The title was "Subverting Masters and Slaves, Putting
>> Them in Cages, and Making Them Report Names and Addresses". The title
>> reflected that the setup was also in chroot cages and using BIND and
>> Subversion. The approach is still useful, even with git and Samba
>> based DNS servers.
>>
>>> Am 08.08.2016 um 08:20 schrieb bentunx:
>>>> Hi guys,
>>>>
>>>> I need some advice for a case I am facing here.
>>>>
>>>> I have two ADs with two different domains, platforms and networks:
>>>>
>>>> I expect all users in each domain to be able to resolve the other
>>>> domain's DNS.
>>>>
>>>>
>>>> Let's say 1. domainwin.com >> Windows 2008 AD >> 172.16.1.2
>>>>
>>>> 2. domainnux.com >> Samba 4 AD >> 172.16.2.2
>>>>
>>>> Is it possible if I create one new BIND DNS server at 172.16.3.2
>>>> (different network) that works as slave DNS of
>>>> domainwin.com/172.16.1.2 and domainnux.com/172.16.2.2, and then make
>>>> the new BIND DNS server (172.16.3.2) the DNS forwarder in AD
>>>> domainwin.com and AD domainnux.com?
>>>>
>>>>
>>>> TIA
>>>>
>>>> Zhia Chandra
>>>>
>>>>
>>>>
>>>>
>>> - --
>>> Stefan Kania
>>>
>>>
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG v2.0.22 (GNU/Linux)
>>>
>>> iEYEARECAAYFAleoVbcACgkQ2JOGcNAHDTYmwQCgzQ4vIEF1TyZRhnEdBd+5vlFI
>>> sVIAn0stMmE2rPpNQPsDIoPNlZl+uIGZ
>>> =Q2cS
>>> -----END PGP SIGNATURE-----
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>
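Both approaches in this thread, Mathias' forward-only zones and Nico's slave (secondary) zones, are plain named.conf stanzas, and the thread's snippet leaves out the ACLs that keep such a server from becoming an open recursive resolver once "forward and recursion" are switched on. The script below is an added example, not code from the thread or from the Samba or BIND projects: it renders both zone styles for domainwin.com and domainnux.com using the DC addresses from the thread, wraps them in an options block that restricts recursion and queries to an assumed internal ACL (172.16.0.0/16, a constructed value), and includes a small check that flags a rendered config which allows recursion for anyone. The zone file directory, the ACL name and the `is_open_resolver` helper are assumptions. One caveat a practitioner should know before choosing the slave route: Samba's internal DNS server does not serve zone transfers (AXFR), so a BIND secondary of a Samba DC needs the BIND9_DLZ backend on the DC side, whereas the forward-only style works against either backend.

```python
#!/usr/bin/env python3
"""Render a named.conf fragment for the two-domain setup from the thread.

Added example (not from the thread). Two zone styles are produced:
  * forward-only zones: every query for a domain is sent to that domain's
    DCs; the DCs must be reachable for resolution to work.
  * slave (secondary) zones: a full copy is pulled via AXFR and served
    locally until the SOA expire timer runs out, even if the DC is down.
Assumed values: the ACL network, the zone file directory, the ACL name.
"""
import ipaddress
import re
from typing import Iterable, List


def _ips(addrs: Iterable[str]) -> List[str]:
    """Validate upstream addresses; a typo here silently breaks resolution."""
    out = [str(ipaddress.ip_address(a)) for a in addrs]
    if not out:
        raise ValueError("a zone needs at least one upstream server")
    return out


def forward_zone(name: str, forwarders: Iterable[str]) -> str:
    """Forward-only zone, the form Mathias posted."""
    body = "".join(f"        {ip};\n" for ip in _ips(forwarders))
    return (f'zone "{name}" IN {{\n'
            "    type forward;\n"
            "    forward only;\n"
            f"    forwarders {{\n{body}    }};\n"
            "};\n")


def secondary_zone(name: str, primaries: Iterable[str],
                   zone_dir: str = "/var/cache/bind") -> str:
    """Slave zone, the form Nico argues for. 'type slave' and 'masters' are
    accepted by every BIND 9 release; newer releases also spell them
    'secondary' and 'primaries'."""
    body = "".join(f"        {ip};\n" for ip in _ips(primaries))
    return (f'zone "{name}" IN {{\n'
            "    type slave;\n"
            f'    file "{zone_dir}/{name}.db";\n'
            f"    masters {{\n{body}    }};\n"
            "    allow-transfer { none; };\n"  # do not re-export the copy
            "};\n")


def named_conf(zones: str, client_nets: Iterable[str],
               recursion: bool = True) -> str:
    """Wrap zone stanzas in an options block that limits recursion and
    queries to the internal ACL, so the box is not an open resolver."""
    nets = [str(ipaddress.ip_network(n, strict=False)) for n in client_nets]
    acl = "".join(f"    {n};\n" for n in nets)
    return ('acl "internal" {\n' + acl + "    localhost;\n};\n\n"
            "options {\n"
            '    directory "/var/cache/bind";\n'
            f"    recursion {'yes' if recursion else 'no'};\n"
            "    allow-recursion { internal; };\n"
            "    allow-query { internal; };\n"
            "    allow-transfer { none; };\n"
            "};\n\n" + zones)


_REC = re.compile(r"recursion\s+yes\s*;")
_ALLOW_REC = re.compile(r"allow-recursion\s*\{([^}]*)\}")


def is_open_resolver(conf: str) -> bool:
    """True when recursion is enabled and not limited by an allow-recursion
    ACL (or the ACL is 'any'): the weak state 'add recursion' alone leaves."""
    if not _REC.search(conf):
        return False
    m = _ALLOW_REC.search(conf)
    return m is None or re.search(r"\bany\b", m.group(1)) is not None


def build_example() -> str:
    """Forward-only zones for both domains, using the DC IPs from the thread."""
    zones = (forward_zone("domainwin.com", ["172.16.1.2"]) + "\n"
             + forward_zone("domainnux.com", ["172.16.2.2"]))
    return named_conf(zones, ["172.16.0.0/16"])  # assumed client network


if __name__ == "__main__":
    conf = build_example()
    print(conf)
    print("open resolver:", is_open_resolver(conf))
```

Swap `forward_zone` for `secondary_zone` in `build_example` to get the slave layout; the options block stays the same in both cases, and `is_open_resolver` can be pointed at any named.conf text read from disk.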