[Samba] Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates

Rowland Penny rpenny at samba.org
Wed Aug 22 12:28:33 UTC 2018

On Wed, 22 Aug 2018 13:18:47 +0200
Jiří Černý via samba <samba at lists.samba.org> wrote:

> Hello, guys.
> First of all, I would like to thank you all for the time you spend
> with solving my problem. I appreciate that very much. Especially
> Rowland. You do a great job every day here on the lists.
> > OK, try this:
> > 
> > samba_dnsupdate --verbose --all-names --use-samba-tool
> samba_dnsupdate --verbose --all-names --use-samba-tool
> IPs: ['']

If you look carefully, they all fail because of this:


> dc03x.samdom.svmetal.cz 389 Failed update of 28 entries

Yes, it is a failure, but a failure of the script: it shouldn't print
all those Python errors, it should print something like 'No update
required' for each attempted update and then 'No updates required'.
What it does show is that it isn't a Samba problem, but something to do
with the interaction of Bind9 and Samba AD.

> > Not sure about that, do your DC's point to themselves as their first
> > nameserver or another DC ?
> I can remember some article about DNS islanding (maybe on Samba wiki
> too), even you and other people discussed it here on lists. But I
> cannot remember, if DC should or should no point to itself. My
> configuration on DCs is (point to itself at third place):
> cat /etc/resolv.conf
> # Generated by NetworkManager
> search samdom.svmetal.cz
> nameserver
> nameserver
> nameserver

It is your decision, but I wouldn't allow anything to
change /etc/resolv.conf on a DC.

I can only speak about my experience with the order of
nameservers in /etc/resolv.conf. All my DCs have their own IP address as
the first nameserver, followed by the other DCs. I never add any
nameservers outside the domain, this is what 'forwarders' is for. I
also never add a 'domain' line.
With a DC based on the above, I have never experienced 'islanding'.
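As an added example (not part of this thread or of the Samba project), the rules Rowland describes can be turned into a quick check to run on each DC: the first nameserver must be the DC's own address, every nameserver must be a DC, and there must be no 'domain' line. Outside resolvers belong in the DNS backend's 'forwarders', not in /etc/resolv.conf. The two sample files, the addresses (192.0.2.x, 198.51.100.53) and the domain name are constructed for illustration.

```shell
#!/bin/sh
# Added example: check an /etc/resolv.conf against the DC nameserver
# ordering rules from the message above. Not Samba project code.

# check_resolv_conf FILE OWN_IP DC_IP...
# Prints one line per problem found; returns 0 if none, 1 otherwise.
check_resolv_conf() {
    file=$1; own_ip=$2; shift 2
    dc_ips=$*
    rc=0

    # Rule 1: the first nameserver must be this DC's own address.
    first=$(awk '$1=="nameserver"{print $2; exit}' "$file")
    if [ -z "$first" ]; then
        echo "no nameserver lines in $file"; rc=1
    elif [ "$first" != "$own_ip" ]; then
        echo "first nameserver is $first, expected own IP $own_ip"; rc=1
    fi

    # Rule 2: every nameserver must be a DC (own IP or another DC).
    for ns in $(awk '$1=="nameserver"{print $2}' "$file"); do
        found=0
        for dc in $own_ip $dc_ips; do
            [ "$ns" = "$dc" ] && found=1
        done
        [ "$found" -eq 1 ] || {
            echo "nameserver $ns is not a DC; use 'forwarders' in the DNS backend instead"
            rc=1
        }
    done

    # Rule 3: no 'domain' line ('search' is fine).
    if grep -q '^domain[[:space:]]' "$file"; then
        echo "'domain' line present in $file"; rc=1
    fi
    return $rc
}

# Constructed sample files (assumed addresses: this DC is 192.0.2.1,
# the other DC is 192.0.2.2, 198.51.100.53 is an outside resolver).
GOOD=$(mktemp); BAD=$(mktemp)
trap 'rm -f "$GOOD" "$BAD"' EXIT
printf '%s\n' \
    'search samdom.example.com' \
    'nameserver 192.0.2.1' \
    'nameserver 192.0.2.2' > "$GOOD"
printf '%s\n' \
    '# Generated by NetworkManager' \
    'search samdom.example.com' \
    'domain samdom.example.com' \
    'nameserver 198.51.100.53' \
    'nameserver 192.0.2.2' \
    'nameserver 192.0.2.1' > "$BAD"

echo "== good file =="
check_resolv_conf "$GOOD" 192.0.2.1 192.0.2.2 && echo "ok"
echo "== bad file =="
check_resolv_conf "$BAD" 192.0.2.1 192.0.2.2 || echo "problems found"
```

On a real DC you would pass the host's own address and the other DCs' addresses, e.g. `check_resolv_conf /etc/resolv.conf 192.0.2.1 192.0.2.2`; the three problems it reports for the bad sample (wrong first nameserver, an outside resolver, a 'domain' line) are exactly the things the message says to avoid.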

