[Samba] DHCP and DNS

Denis Cardon dcardon at tranquil.it
Wed Jan 3 09:04:03 UTC 2018


Hi David,

> I know this is samba list and I am hoping that someone with MS AD
> experience can answer this definitively.
>
> Does AD have some kind of data exchange between dhcp and dns so that
> systems which receive a dhcp lease from an AD DC more reliably register
> their hostname with AD DNS?  Looking at the RFC I couldn't see any reason
> why this should be the case. But it seems that host name registration for
> all DHCP devices is much more consistent when using AD for the dhcp
> service. Previously we were using our cisco router. It was rather hit and
> miss with DNS registrations that way. We switched to using AD DHCP about 3
> months ago and the number of host names registered to AD DNS seems to have
> really improved.
>
> Sorry this isn't strictly a SAMBA question, but I thought if AD had some
> kind of API or data exchange between DHCP and DNS, then samba might also
> have it.

There is some kind of integration between MS DHCP and MS AD for sure: 
when doing migration from samba3 to samba4, if one has a MS DHCP 
service, then you need to "register" the DHCP service from the MS DHCP 
console after migration, otherwise it stops delivering leases. I usually 
switch to ISC DHCP at one point or the other, so I didn't dig into the 
rationale behind that.

However for registration, my understanding is that in any case 
registration goes through authenticated DNS queries from 
workstation/server domain members. It is the only way to ensure that a 
workstation or server can only register its own name as DNS entry.

Otherwise, with the automatic registration from DHCP service to DNS, 
you technically allow any desktop/phone/IoT device to register the WPAD and 
ISATAP DNS entries and MITM all the traffic that has autodiscovery 
enabled, or change the ip address of your file server or anything 
else... Actually the two WPAD/ISATAP entries are blocked by default on a 
MS DNS server since MSAD2k3, but I think you see my point. Securing your 
DNS is paramount for overall network security.

When you were using your cisco routers as DHCP server, did you provide 
the ip address of domain controllers as DNS server, or did you have the 
cisco doing DNS forwarding?

Cheers,

Denis


-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
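The distinction Denis draws above, authenticated updates where a domain member may only touch the record it registered itself, versus a DHCP server registering whatever hostname a client claims, is easy to see in a small model. The following is an added example written for this page; it is not Samba or Microsoft code, and the zone name, account names (`FILESERVER$`, `WS01$`, `DHCP-SVC$`), addresses and class names are constructed assumptions. It also models the default WPAD/ISATAP block list the message mentions: a blocked name can be stored but is never answered.

```python
"""Constructed model of AD-style secure dynamic DNS update vs. DHCP-proxied
registration. Not Samba or Microsoft code; all names are assumptions."""
from dataclasses import dataclass
from typing import Optional

# Names a Microsoft DNS server refuses to answer by default; they are the
# autodiscovery targets the message names (WPAD, ISATAP).
BLOCKED_NAMES = {"wpad", "isatap"}


@dataclass
class Record:
    name: str
    address: str
    owner: str                  # principal that first registered the record


@dataclass
class UpdateRequest:
    name: str
    address: str
    principal: Optional[str]    # None models an unauthenticated update


class Zone:
    """Zone accepting only authenticated updates; an existing record may
    only be changed by the principal that created it."""

    def __init__(self, zone: str):
        self.zone = zone
        self.records: dict[str, Record] = {}
        self.audit: list[str] = []

    def _log(self, outcome: str, req: UpdateRequest, reason: str) -> None:
        who = req.principal or "anonymous"
        self.audit.append(
            f"{outcome} {req.name}.{self.zone} -> {req.address} by {who}: {reason}")

    def update(self, req: UpdateRequest) -> bool:
        label = req.name.lower()
        if req.principal is None:
            self._log("REFUSED", req, "unauthenticated update in secure-only zone")
            return False
        existing = self.records.get(label)
        if existing is not None and existing.owner != req.principal:
            self._log("REFUSED", req, f"record owned by {existing.owner}")
            return False
        self.records[label] = Record(label, req.address, req.principal)
        self._log("ACCEPTED", req,
                  "created" if existing is None else "owner changed own record")
        return True

    def resolve(self, name: str) -> Optional[str]:
        label = name.lower()
        if label in BLOCKED_NAMES:
            return None         # block list: not served even if a record exists
        rec = self.records.get(label)
        return rec.address if rec else None


def dhcp_proxied_update(zone: Zone, client_hostname: str, leased_ip: str,
                        dhcp_principal: str = "DHCP-SVC$") -> bool:
    """DHCP server registering names on behalf of clients: every record is
    owned by the DHCP server's own account, so nothing but the hostname the
    client itself supplied ties a name to a machine."""
    return zone.update(UpdateRequest(client_hostname, leased_ip, dhcp_principal))


def demo() -> dict:
    # Scenario 1: domain members register themselves with authenticated updates.
    secure = Zone("ad.example")                                  # constructed zone
    secure.update(UpdateRequest("fileserver", "10.0.0.5", "FILESERVER$"))
    secure.update(UpdateRequest("ws01", "10.0.0.20", "WS01$"))
    hijack = secure.update(UpdateRequest("fileserver", "10.0.0.66", "WS01$"))
    anon = secure.update(UpdateRequest("ws02", "10.0.0.21", None))
    secure.update(UpdateRequest("wpad", "10.0.0.66", "WS01$"))   # stored...
    wpad_answer = secure.resolve("wpad")                           # ...never served

    # Scenario 2: the DHCP server registers whatever hostname a client claims,
    # so a second client claiming "fileserver" replaces the real address.
    proxied = Zone("ad.example")
    dhcp_proxied_update(proxied, "fileserver", "10.0.0.5")
    dhcp_proxied_update(proxied, "fileserver", "10.0.0.66")

    return {
        "secure_hijack_accepted": hijack,
        "secure_anon_accepted": anon,
        "secure_fileserver": secure.resolve("fileserver"),
        "secure_wpad_answer": wpad_answer,
        "proxied_fileserver": proxied.resolve("fileserver"),
        "audit": secure.audit + proxied.audit,
    }


if __name__ == "__main__":
    for line in demo()["audit"]:
        print(line)
```

Running it prints the audit trail: the secure zone refuses the attempt to overwrite `fileserver` from another machine's account and refuses the anonymous update, while the DHCP-proxied zone accepts the second `fileserver` registration because both updates arrive under the DHCP server's own account. The `audit` list is the kind of evidence a defender would want logged on the real server: which principal changed which name, and why an update was refused.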