[Samba] DHCP and DNS
Denis Cardon
dcardon at tranquil.it
Wed Jan 3 09:04:03 UTC 2018
Hi David,
> I know this is samba list and I am hoping that someone with MS AD
> experience can answer this definitively.
>
> Does AD have some kind of data exchange between dhcp and dns so that
> systems which receive a dhcp lease from an AD DC more reliably register
> their hostname with AD DNS? Looking at the RFC I couldn't see any reason
> why this should be the case. But it seems that host name registration for
> all DHCP devices is much more consistent when using AD for the dhcp
> service. Previously we were using our cisco router. It was rather hit and
> miss with DNS registrations that way. We switch to using AD DHCP about 3
> months ago and the numbers of host names registered to AD DNS seems to have
> really improved.
>
> Sorry this isn't strictly a SAMBA question, but I thought if AD had some
> kind of API or data exchange between DHCP and DNS, then samba might also
> have it.
There is some kind of integration between MS DHCP and MS AD for sure:
when doing migration from samba3 to samba4, if one has a MS DHCP
service, then you need to "register" the DHCP service from the MS DHCP
console after migration, otherwise it stops delivering leases. I usually
switch to ISC DHCP at one point or the other, so I didn't dig into the
rationale behind that.
However for registration, my understanding is that in any case
registration goes through authenticated DNS queries from
workstation/server domain members. It is the only way to ensure that a
workstation or server can only register its own name as DNS entry.
Otherwise, with the automatic registration from DHCP service to DNS,
then you technically allow any desktop/phone/IoT to register WPAD and
ISATAP DNS entry and MITM all the traffic that has autodiscovery
enabled, or change the ip address of your file server or anything
else... Actually the two WPAD/ISATAP entries are blocked by default on a
MS DNS server since MSAD2k3, but I think you see my point. Securing your
DNS is paramount for overall network security.
When you were using your cisco routers as DHCP server, did you provide
the ip address of domain controllers as DNS server, or did you have the
cisco doing DNS forwarding?
Cheers,
Denis
--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
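The contrast Denis draws above, open DHCP-driven registration versus authenticated dynamic updates from the domain member itself, can be made concrete with a small model. The block below is an added illustration, not code from this thread or from Samba: it simulates a DNS zone accepting A-record updates under the two policies. The zone name, the machine accounts (WS01$, WS02$) and the addresses are made up. The "secure" branch follows the ACL behaviour of secure dynamic updates in an AD-integrated zone as documented by Microsoft: the update must be authenticated (GSS-TSIG with a machine account), the account that first creates a record becomes its owner and is the only one allowed to change it afterwards, and the WPAD/ISATAP names are refused outright by the global query block list.

```python
"""Added example (not from the original post or from Samba): a model of open
versus authenticated (secure) dynamic DNS updates in an AD-style zone.
All names, accounts and addresses below are constructed for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

ZONE = "example.com"                  # assumed zone name, illustration only
BLOCKED_LABELS = {"wpad", "isatap"}   # names MS DNS refuses by default (global query block list)

# Kerberos principal of an AD machine account, e.g. WS01$@EXAMPLE.COM
MACHINE_PRINCIPAL = re.compile(r"^[A-Za-z0-9-]{1,15}\$@[A-Za-z0-9.-]+$")


@dataclass
class UpdateRequest:
    owner: str                  # FQDN of the A record to add or replace
    address: str                # IPv4 address to store
    principal: Optional[str]    # identity proven by GSS-TSIG, None if unauthenticated


@dataclass
class Zone:
    name: str
    records: dict = field(default_factory=dict)   # fqdn -> address
    creators: dict = field(default_factory=dict)  # fqdn -> principal that first created it


def apply_update(zone: Zone, req: UpdateRequest, secure: bool) -> tuple[bool, str]:
    """Apply one dynamic update to the zone and return (accepted, reason)."""
    owner = req.owner.lower().rstrip(".")
    if not owner.endswith("." + zone.name):
        return False, "NOTZONE"

    if not secure:
        # Open registration (a DHCP server feeding DNS without client identity):
        # whatever name the lease carries is written, no questions asked.
        zone.records[owner] = req.address
        zone.creators.setdefault(owner, req.principal or "anonymous")
        return True, "NOERROR (open update)"

    # Secure dynamic update, step 1: the update must be signed by a machine account.
    if req.principal is None or not MACHINE_PRINCIPAL.match(req.principal):
        return False, "REFUSED: update not authenticated by a machine account"
    # Step 2: names that would hijack autodiscovery are refused whoever asks.
    if owner.split(".")[0] in BLOCKED_LABELS:
        return False, "REFUSED: name is on the block list"
    # Step 3: an existing record may only be changed by the account that created it.
    creator = zone.creators.get(owner)
    if creator is not None and creator != req.principal:
        return False, f"REFUSED: record owned by {creator}"

    zone.records[owner] = req.address
    zone.creators.setdefault(owner, req.principal)
    return True, "NOERROR (secure update)"


def demo() -> list[bool]:
    """Replay the scenarios from the thread; returns the verdict of each update."""
    rogue = UpdateRequest("wpad.example.com", "10.0.0.66", None)   # constructed rogue client
    ws01 = "WS01$@EXAMPLE.COM"                                      # constructed machine accounts
    ws02 = "WS02$@EXAMPLE.COM"

    open_zone = Zone(ZONE)
    verdicts = [apply_update(open_zone, rogue, secure=False)[0]]    # True: WPAD planted

    z = Zone(ZONE)
    for req in (
        rogue,                                                    # False: unauthenticated
        UpdateRequest("ws01.example.com", "10.0.0.11", ws01),     # True: WS01 registers itself
        UpdateRequest("ws01.example.com", "10.0.0.99", ws02),     # False: owned by WS01
        UpdateRequest("ws01.example.com", "10.0.0.12", ws01),     # True: own record, new lease
        UpdateRequest("wpad.example.com", "10.0.0.11", ws01),     # False: block list
    ):
        verdicts.append(apply_update(z, req, secure=True)[0])
    return verdicts


if __name__ == "__main__":
    for ok in demo():
        print("accepted" if ok else "refused")
```

The first verdict is the failure mode described in the mail: with an open feed, an unauthenticated device can plant `wpad.example.com` and every autodiscovery client will then fetch its proxy configuration from it. Under the secure policy the same attempt is refused, a workstation can only change the record it created, and the block list stops even a legitimately joined machine from claiming WPAD or ISATAP.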