[Samba] BIND as DNS Slave of SAMBA 4 Internal DNS and Windows 2008

bentunx bentunx at gmail.com
Wed Aug 10 11:32:15 UTC 2016

Great, Mathias, and thanks a lot to the others who gave feedback.

Let me try it first...

On 10/08/2016 15:17, mathias dufresne via samba wrote:
> As explained in some other thread here, you can set up a BIND server with
> zones of type forward, so that DNS server forwards every request to your DCs
> (declared as forwarders in these zones).
> No need for a proxy, no need to build master/slaves, just add:
> zone "domainwin.com" IN {
>    type forward;
>    forward only;
>    forwarders {
>      <IP of some DC in that domain>;
>      <IP of some other DC in that domain>;
>      ...
>    };
> };
> Do the same for domainnux.com, use that DNS server as resolver, and your
> clients will access both domains.
> Add forwarding and recursion on that server and your clients will have access
> to the internet.
> 2016-08-09 13:40 GMT+02:00 Nico Kadel-Garcia <nkadel at gmail.com>:
>> On Mon, Aug 8, 2016 at 5:49 AM, Stefan Kania <stefan at kania-online.de>
>> wrote:
>>> you should set up a dns-proxy and use this proxy as forwarder in your
>>> domains
>> Really, really not the same thing as a DNS slave. If your DNS master,
>> such as your Samba or AD server, goes toes up for whatever reason, the
>> DNS slave can continue to serve the same domains until the DNS zones
>> expire. Most admins I've encountered set that SOA record to be roughly
>> a day, or 86400 seconds, to allow time for recovery or maintenance.
>> A DNS forwarder is basically a proxy on port 57, possibly with some
>> local tweaks to the DNS. And if I run into "one more so-called DNS
>> forwarder" that is used to write internal IP addresses instead of
>> external IP addresses for the same hostname when seen from inside a
>> network, instead of doing DNS views properly, I'm going to be very
>> cross indeed.
>> DNS slaves have big advantages for security: they can host only the
>> DNS, without any LDAP or Kerberos access, and be installed much more
>> safely in a de-militarized zone to serve specific needs without any
>> need for anything but port 53 access to the relevant Samba server.
>> They also provide the opportunity to take copies of the slaved zones,
>> run them through "mkrdns" to publish and verify reverse DNS records,
>> run them through "named-compilezone" for completely consistent format,
>> and store them in source control to be able to track changes.
>> In this case, you could set up the slaves with NS records for the
>> relevant domains, just for clarity of provenance, and point the local
>> hosts to the *slaves* instead of directly to AD or Samba servers. This
>> avoids the integration complexities of AD or Samba "forests" and
>> making the servers talk to each other in any way but as DNS services.
>> And if your Samba environment is under active development, or your AD
>> server is getting regular updates that require reboots, you're reliant
>> on a much less expensive and much more easily maintained 24x7 service
>> on slave DNS servers.
>> Been there, done that, published my notes on getting this kind of
>> setup into source control under Subversion at SVNDay in Berlin some
>> years back. The title was "Subverting Masters and Slaves, Putting
>> Them in Cages, and Making Them Report Names and Addresses". The title
>> reflected that the setup was also in chroot cages and using BIND and
>> Subversion. The approach is still useful, even with git and Samba
>> based DNS servers.
>>> Am 08.08.2016 um 08:20 schrieb bentunx:
>>>> Hi guys,
>>>> I need some advice for a case I'm facing here.
>>>> I have two ADs with two different domains, platforms and networks:
>>>> I expect all users in one domain to be able to resolve the other
>>>> domain's DNS.
>>>> Let's say: 1. domainwin.com >> Windows 2008 AD >>
>>>> 2. domainnux.com >> Samba 4 AD >>
>>>> Is it possible if I create one new BIND DNS server in
>>>> (a different network) that works as slave DNS of
>>>> domainwin.com/ and domainnux.com/, and then I make the
>>>> new BIND DNS server the DNS forwarder in AD
>>>> domainwin.com and AD domainnux.com?
>>>> TIA
>>>> Zhia Chandra
>>> --
>>> Stefan Kania
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
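For the slave-based design Nico describes (a standalone host that only does DNS, reachable from the DCs on port 53 alone), here is an added sketch of what the BIND 9 side could look like; it is my example, not configuration from anyone in this thread. The acl name, file paths and IP addresses are placeholders, and it assumes each DC permits zone transfers to this host's address.

```conf
// Added example, not from the thread: named.conf fragment for a standalone
// BIND 9 slave that carries both AD zones and serves them to internal clients.
// The acl "lan", the file paths and every IP address below are placeholders.

acl "lan" { 10.0.0.0/8; 192.168.0.0/16; };

options {
    directory "/var/named";
    recursion yes;                  // clients also need Internet names resolved
    allow-recursion { "lan"; };     // but recursion only for internal clients
    allow-query { "lan"; };
    allow-transfer { none; };       // nobody pulls zones from this box by default
    forwarders { 203.0.113.53; };   // placeholder upstream resolver for other names
};

// Windows 2008 AD domain, slaved from its DCs (placeholder DC addresses).
// Serial, refresh and expiry come from the master's SOA, which is the window
// in which this slave keeps answering if the DCs are down.
zone "domainwin.com" IN {
    type slave;
    file "slaves/domainwin.com.db";
    masters { 192.0.2.10; 192.0.2.11; };
    allow-query { "lan"; };
    allow-transfer { none; };       // the slave is an endpoint, not a redistribution point
};

// Samba 4 AD domain, slaved the same way (placeholder DC addresses).
zone "domainnux.com" IN {
    type slave;
    file "slaves/domainnux.com.db";
    masters { 198.51.100.10; 198.51.100.11; };
    allow-query { "lan"; };
    allow-transfer { none; };
};
```

After `named-checkconf` passes, `rndc retransfer domainwin.com` forces an immediate pull so you can confirm the DC actually allows the transfer; the saved zone files are the copies Nico suggests feeding to `named-compilezone` and source control.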
