[Samba] Which DNS to use for DHCP hostname/IP updates from non-AD & AD nodes?
ken at generation.tech
Wed Feb 14 12:54:59 UTC 2018
I suspected something odd and possibly too invasive was being done by
the BIND9_DLZ module, especially because of the need to relax AppArmor
on Ubuntu. Resolving that security problem really should be a
development priority, but I also realize it's a resource and time issue.
I suppose because it is not a direct security vulnerability and would
require Bind9 to be compromised there is faith it won't happen in most
Regarding the DHCP/DNS and rogue clients, I suppose I hadn't factored
that it even though I've been using a similar configuration for years. I
was using it so there was automatic availability on the network of
simple devices by hostname, like Cisco switches and random VM's spun up
for testing. As bad as the implementation is, the MS world has that nice
NETBIOS broadcast thingy that I believe generally let's you find
non-AD-joined Windows clients on the same subnet. I was looking for the
same functionality from non-Windows network nodes.
Guess I'll look into either another layer of security that accomplishes
the goal without allowing rogue malicious DHCP/DNS attacks, or just
register the host names manually. There may be an existing feature or
script available on a Linux node to securely update DNS after DHCP.
Maybe the same is possible for Cisco, etc.
Thanks for you insight.
On 02/14/2018 05:59 AM, Denis Cardon wrote:
> Hi Ken,
>> I am considering which DNS implementation and cannot determine
>> exactly when someone should use the Bind9 manner with BIND9_DLZ
>> For my purposes, I will have AD and non-AD nodes on the network
>> using either DHCP or static IP addresses. Some will be Windows &
>> Linux clients joined on the Samba AD domain for logins. Some will be
>> Windows & Linux clients that are standalone using either DHCP or
>> static IP.
>> How should I best support this environment as a I move to a single
>> AD domain setup with Samba4? I don't need to migrate anything.
>> In the past, I have supported this arrangement by using DHCP to
>> update DNS (Bind9) which worked great for hostnames (reported from
>> clients) and IP addresses (allocated from DHCP server).
>> I've read through these wiki's but cannot determine how to choose.
>> My questions are:
>> 1) Which DNS implementation should I use?
> if you have a domain with more than a few dozen boxes, you definitly
> should go with Bind-DLZ. Bind-DLZ samba module integration is ugly (to
> say the least), it need to allow direct LDB file access for Bind9
> process... Andreas did underline that during his talk at FOSDEM, and I
> totally agree with him that it is really ugly. And Bind-DLZ
> configuration is really not straight forward to setup.
> But for larger network, internal DNS unfortunately does not scale well
> since it does no caching, and its configuration options are barely
> Currently, Enabling Bind-DLZ gives bind9 process RW access to all the
> samba LDB files (the equivalent of NTDS.DIT if you come from the MSAD
> world) without any filtering, so it has access to all NTLM hashes, all
> Kerberos hashes, and krbtgt account. So if you have a compromission in
> Bind9 process, it could escalate directly to full domain
> compromission. It also prevent enabling any SELinux configuration on
> the DC.
> There has been some mail about this isolation issue. The solution
> would be to use standard LDAP access between Bind9 and Samba
> processes. It would resolve the issue (and make installation much
> simpler). I hope we could get some financing in the future to clean
> that up.
>> 2) Will I be able to have the non-AD devices register their
>> hostnames and IP addresses in the same domain that Samba AD is using?
>> (mine will be the recommended subdomain.domain.com and I'd like all
>> DNS entries for AD and non-AD to be in the subdomain)
> In AD domain, all automatic DNS registration is authenticated. A windows
> client can only register its own name. If you allow registration through
> DHCP query/offer, then a rogue client can register any name, which is
> definitely a security issue (WPAD/ISATAP anyone?).
More information about the samba