[Samba] Which DNS to use for DHCP hostname/IP updates from non-AD & AD nodes?

Denis Cardon dcardon at tranquil.it
Wed Feb 14 10:59:43 UTC 2018

Hi Ken,

> I am considering which DNS implementation and cannot determine
> exactly when someone should use the Bind9 manner with BIND9_DLZ
> Module.
> For my purposes, I will have AD and non-AD nodes on the network
> using either DHCP or static IP addresses. Some will be Windows &
> Linux clients joined on the Samba AD domain for logins. Some will be
> Windows & Linux clients that are standalone using either DHCP or
> static IP.
> How should I best support this environment as I move to a single
> AD domain setup with Samba4? I don't need to migrate anything.
> In the past, I have supported this arrangement by using DHCP to
> update DNS (Bind9) which worked great for hostnames (reported from
> clients) and IP addresses (allocated from DHCP server).
> I've read through these wikis but cannot determine how to choose.
> https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End
> https://wiki.samba.org/index.php/Samba_Internal_DNS_Back_End
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
> My questions are:
> 1) Which DNS implementation should I use?

If you have a domain with more than a few dozen boxes, you definitely
should go with Bind-DLZ. Bind-DLZ samba module integration is ugly (to
say the least), it needs to allow direct LDB file access for the Bind9
process... Andreas did underline that during his talk at FOSDEM, and I
totally agree with him that it is really ugly. And Bind-DLZ
configuration is really not straightforward to set up.

But for larger networks, internal DNS unfortunately does not scale well
since it does no caching, and its configuration options are barely minimal.

Currently, enabling Bind-DLZ gives the bind9 process RW access to all the
samba LDB files (the equivalent of NTDS.DIT if you come from the MSAD
world) without any filtering, so it has access to all NTLM hashes, all
Kerberos hashes, and the krbtgt account. So if you have a compromise in
the Bind9 process, it could escalate directly to full domain compromise.
It also prevents enabling any SELinux configuration on the DC.

There has been some mail about this isolation issue. The solution would 
be to use standard LDAP access between Bind9 and Samba processes. It 
would resolve the issue (and make installation much simpler). I hope we 
could get some financing in the future to clean that up.

> 2) Will I be able to have the non-AD devices register their
> hostnames and IP addresses in the same domain that Samba AD is using?
> (mine will be the recommended subdomain.domain.com and I'd like all
> DNS entries for AD and non-AD to be in the subdomain)

In an AD domain, all automatic DNS registration is authenticated. A Windows
client can only register its own name. If you allow registration through
DHCP query/offer, then a rogue client can register any name, which is
definitely a security issue (WPAD/ISATAP anyone?).



> Thanks

Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0)

Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
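
An added example, not part of the original message or of the Samba project: a check over an ISC dhcpd lease file that flags client-supplied hostnames which should never be copied into DNS by a DHCP-driven updater, the WPAD/ISATAP concern raised in the reply. The ISC `dhcpd.leases` layout, the function names, the `protected` host list and the sample leases are assumptions of this example.

```python
import re
# The reply names WPAD and ISATAP; treating them as a blocklist is this example's assumption.
SENSITIVE = {"wpad", "isatap"}
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{$")
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)"\s*;$')
MAC_RE = re.compile(r"hardware\s+ethernet\s+([0-9a-fA-F:]+)\s*;$")

def classify(hostname, protected):
    """Why a client-supplied name must not reach DNS (first label only), or None."""
    label = hostname.strip().lower().rstrip(".").split(".")[0]
    if label in SENSITIVE:
        return "auto-discovery name"
    return "collides with protected host" if label in protected else None

def risky_leases(leases_text, protected=()):
    """Scan dhcpd.leases text; return (ip, mac, hostname, reason) tuples."""
    protected = {p.lower() for p in protected}
    findings, lease = [], None
    for raw in leases_text.splitlines():
        line = raw.strip()
        start = LEASE_RE.match(line)
        if start:
            lease = {"ip": start.group(1), "mac": None, "host": None}
        elif lease is None:
            continue
        elif line == "}":  # end of lease: judge what the client claimed
            reason = lease["host"] and classify(lease["host"], protected)
            if reason:
                findings.append((lease["ip"], lease["mac"], lease["host"], reason))
            lease = None
        elif MAC_RE.match(line):
            lease["mac"] = MAC_RE.match(line).group(1).lower()
        elif HOST_RE.match(line):
            lease["host"] = HOST_RE.match(line).group(1)
    return findings
# Constructed sample data: documentation addresses, made-up MACs and hostnames.
SAMPLE_LEASES = """
lease 192.0.2.10 {
  client-hostname "laptop-ken";
}
lease 192.0.2.11 {
  hardware ethernet 52:54:00:aa:bb:02;
  client-hostname "WPAD";
}
lease 192.0.2.12 {
  hardware ethernet 52:54:00:aa:bb:03;
  client-hostname "dc1.sub.example.com";
}
"""
```

Pass the short names of domain controllers and other servers as `protected` so that a lease claiming one of them is reported alongside the auto-discovery names.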
