[Samba] DNC and DNS

Rowland penny rpenny at samba.org
Fri Jul 5 19:11:12 UTC 2019


On 05/07/2019 20:03, Robert A Wooldridge via samba wrote:
> On 07/05/2019 01:55 PM, Rowland penny via samba wrote:
>>> I currently run tinydns and dnscache on my proxy machine.  I was
>>> hoping to keep that going.  I have a Windows Server2004 doing DC work
>>> right now.  Need to update that.
>>>
>>> -- 
>>> Bob Wooldridge
>>>
>> You can run a caching nameserver that forwards your AD dns zones to 
>> your AD DC, but you can only use the Samba internal dns server or 
>> Bind9 with a Samba AD DC. This is because the dns server must be able 
>> to update the records in AD and they are the only two that can.
> Can you point me to some document that explains how caching would work
> with samba's dns in the manner you are suggesting?
>
> -- 
> Bob Wooldridge
>
We do not have anything in the wiki, but I have been working on 
something to add, see the attached file.

It is a bit rough around the edges (I haven't finished it yet), but it 
has had minimal testing and is based upon information supplied by 
someone who has been doing this for some years.

Rowland


-------------- next part --------------



Setting up Bind as a Caching/Forwarding DNS Server

The following values are used throughout the Bind9 configuration:

DNS Server:             192.168.0.2
DNS Domain:             samdom.example.com
Network:                192.168.0.0/24
Samba AD DCs:           192.168.0.4 & 192.168.0.5
External DNS servers:   8.8.8.8 & 8.8.4.4 # Google

Install Bind9

 sudo apt-get update
 sudo apt-get install bind9 bind9utils

Configure Bind9 as a Caching/forwarding DNS Server

To use IPv4 only, modify /etc/default/bind9:

 OPTIONS="-u bind -4"

Modify /etc/bind/named.conf.options

 acl allow_clients {
         192.168.0.0/24;
         localhost;
         localnets;
 };
 
 options {
         directory "/var/cache/bind";
 
         recursion yes;
         allow-query { allow_clients; };
 
         forwarders {
                 8.8.8.8;
                 8.8.4.4;
         };
         forward only;
 
         dnssec-enable yes;
         dnssec-validation yes;
 
         auth-nxdomain no;    # conform to RFC1035
         listen-on-v6 { any; };
 };


Modify /etc/bind/named.conf.local

 zone "samdom.example.com" {
     type forward;
     forwarders { 192.168.0.4; 192.168.0.5; };
 };
 
 zone "_msdcs.samdom.example.com" {
     type forward;
     forwarders { 192.168.0.4; 192.168.0.5; };
 };
 
 zone "0.168.192.in-addr.arpa" {
     type forward;
     forwarders { 192.168.0.4; 192.168.0.5; };
 };
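The two files above are generated from the parameter table in the following script, which is an added example and not code from this post or from the Samba wiki (the function names `reverse_zone`, `forward_zone`, `ad_forward_zones` and `named_conf_options` are my own). It goes a little beyond the guide: the reverse zone is derived from any octet-aligned IPv4 prefix (/8, /16 or /24), and malformed input such as a stray dot in the network address or a forwarder that is not an IP address raises an error instead of producing a zone that forwards nothing. One caveat the draft does not mention: with `dnssec-validation yes`, answers forwarded for the unsigned AD zone can fail validation (SERVFAIL) when the public parent of your AD domain is itself DNSSEC-signed; recent BIND releases can exempt the AD zone with `validate-except`, so check the documentation for the BIND version you run if the tests below return SERVFAIL for the AD domain only.

```python
"""Render named.conf.options and the AD forward zones from the parameter
table.  Added example, not code from the Samba post or wiki."""
import ipaddress
from typing import Iterable

# Constructed parameters, copied from the table at the top of the guide.
AD_DOMAIN = "samdom.example.com"
CLIENT_NETWORK = "192.168.0.0/24"
DC_ADDRESSES = ["192.168.0.4", "192.168.0.5"]
EXTERNAL_FORWARDERS = ["8.8.8.8", "8.8.4.4"]


def reverse_zone(network: str) -> str:
    """in-addr.arpa zone covering an IPv4 network.

    Only octet-aligned prefixes (/8, /16, /24) map onto a single reverse
    zone; anything else, including a malformed string or host bits set,
    raises ValueError so a typo cannot silently become a useless zone.
    """
    net = ipaddress.ip_network(network, strict=True)  # strict: host bits -> error
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError(f"{network}: need an IPv4 /8, /16 or /24")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def _addr_list(addrs: Iterable[str]) -> str:
    # Every address is validated before it lands in the config file.
    return " ".join(f"{ipaddress.ip_address(a)};" for a in addrs)


def forward_zone(name: str, forwarders: Iterable[str]) -> str:
    """One forward-only zone stanza, same layout as named.conf.local above."""
    return (f'zone "{name}" {{\n'
            f"    type forward;\n"
            f"    forwarders {{ {_addr_list(forwarders)} }};\n"
            f"}};\n")


def ad_forward_zones(domain: str, network: str, dcs: Iterable[str]) -> str:
    """named.conf.local: the AD domain, its _msdcs subdomain and the
    reverse zone for the client network, all forwarded to the DCs."""
    names = [domain, f"_msdcs.{domain}", reverse_zone(network)]
    return "\n".join(forward_zone(n, dcs) for n in names)


def named_conf_options(network: str, external: Iterable[str]) -> str:
    """named.conf.options: recursion only for the client network, with
    everything not covered by a forward zone sent to the external resolvers."""
    net = ipaddress.ip_network(network, strict=True)
    return (
        "acl allow_clients {\n"
        f"        {net};\n"
        "        localhost;\n"
        "        localnets;\n"
        "};\n\n"
        "options {\n"
        '        directory "/var/cache/bind";\n'
        "        recursion yes;\n"
        "        allow-query { allow_clients; };\n"
        f"        forwarders {{ {_addr_list(external)} }};\n"
        "        forward only;\n"
        "        dnssec-enable yes;\n"
        "        dnssec-validation yes;\n"
        "        auth-nxdomain no;    # conform to RFC1035\n"
        "        listen-on-v6 { any; };\n"
        "};\n"
    )


if __name__ == "__main__":
    print(named_conf_options(CLIENT_NETWORK, EXTERNAL_FORWARDERS))
    print(ad_forward_zones(AD_DOMAIN, CLIENT_NETWORK, DC_ADDRESSES))
```

Redirect the output of the two calls into /etc/bind/named.conf.options and /etc/bind/named.conf.local respectively, then run `named-checkconf` as the guide describes; the generator only guarantees that the addresses and the reverse zone are well formed, not that the DCs actually answer.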


Test the Configuration

 sudo named-checkconf

If there are any syntax errors in the configuration, named-checkconf reports the file and the line number where each one occurs.
If this happens, go back and correct the files before starting the service.

Start Bind9

 sudo service bind9 start


Client Machine configuration

Your client machines must have an IP address in the range permitted by the allow_clients acl, and they must use the caching DNS server as their nameserver.

On a Unix machine, open /etc/resolv.conf and set the caching DNS server as the first nameserver:

 search samdom.example.com
 nameserver 192.168.0.2
 nameserver 192.168.0.4
 nameserver 192.168.0.5

# FIXME add how to set up Windows machines.

Now, you can test to make sure queries can resolve correctly by using some common tools.

You can use ping to check that a public name resolves and the host is reachable:

ping -c 1 google.com

PING google.com (216.58.210.46) 56(84) bytes of data.
64 bytes from lhr25s11-in-f46.1e100.net (216.58.210.46): icmp_seq=1 ttl=54 time=27.3 ms

--- google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 27.383/27.383/27.383/0.000 ms


This means that the client resolved google.com through the caching DNS server and reached the host.

You can get more detailed information by using DNS specific tools like dig. Try a different domain this time:

dig samba.org

 ; <<>> DiG 9.10.3-P4-Debian <<>> samba.org
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4933
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 1
 
 ;; OPT PSEUDOSECTION:
 ; EDNS: version: 0, flags:; udp: 4096
 ;; QUESTION SECTION:
 ;samba.org.			IN	A
 
 ;; ANSWER SECTION:
 samba.org.		21599	IN	A	144.76.82.156
 
 ;; AUTHORITY SECTION:
 .			62700	IN	NS	j.root-servers.net.
 .			62700	IN	NS	f.root-servers.net.
 .			62700	IN	NS	d.root-servers.net.
 .			62700	IN	NS	l.root-servers.net.
 .			62700	IN	NS	c.root-servers.net.
 .			62700	IN	NS	b.root-servers.net.
 .			62700	IN	NS	k.root-servers.net.
 .			62700	IN	NS	e.root-servers.net.
 .			62700	IN	NS	h.root-servers.net.
 .			62700	IN	NS	g.root-servers.net.
 .			62700	IN	NS	i.root-servers.net.
 .			62700	IN	NS	m.root-servers.net.
 .			62700	IN	NS	a.root-servers.net.
 
 ;; Query time: 36 msec
 ;; SERVER: 192.168.0.2#53(192.168.0.2)
 ;; WHEN: Sun Jun 30 12:27:52 BST 2019
 ;; MSG SIZE  rcvd: 265


You can see that the query took 36 milliseconds. If you make the request again, the server should pull the data from its cache, decreasing the response time:

dig samba.org

 ; <<>> DiG 9.10.3-P4-Debian <<>> samba.org
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61392
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 1
 
 ;; OPT PSEUDOSECTION:
 ; EDNS: version: 0, flags:; udp: 4096
 ;; QUESTION SECTION:
 ;samba.org.			IN	A
 
 ;; ANSWER SECTION:
 samba.org.		21534	IN	A	144.76.82.156
 
 ;; AUTHORITY SECTION:
 .			62635	IN	NS	b.root-servers.net.
 .			62635	IN	NS	e.root-servers.net.
 .			62635	IN	NS	l.root-servers.net.
 .			62635	IN	NS	k.root-servers.net.
 .			62635	IN	NS	m.root-servers.net.
 .			62635	IN	NS	h.root-servers.net.
 .			62635	IN	NS	i.root-servers.net.
 .			62635	IN	NS	c.root-servers.net.
 .			62635	IN	NS	g.root-servers.net.
 .			62635	IN	NS	a.root-servers.net.
 .			62635	IN	NS	f.root-servers.net.
 .			62635	IN	NS	j.root-servers.net.
 .			62635	IN	NS	d.root-servers.net.
 
 ;; Query time: 0 msec
 ;; SERVER: 192.168.0.2#53(192.168.0.2)
 ;; WHEN: Sun Jun 30 12:28:58 BST 2019
 ;; MSG SIZE  rcvd: 265


As you can see, the cached response is significantly faster.

You can also test the reverse lookup by using the IP address that was found (144.76.82.156 in this case) with dig's -x option:

dig -x 144.76.82.156

 ; <<>> DiG 9.10.3-P4-Debian <<>> -x 144.76.82.156
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65017
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 1
 
 ;; OPT PSEUDOSECTION:
 ; EDNS: version: 0, flags:; udp: 4096
 ;; QUESTION SECTION:
 ;156.82.76.144.in-addr.arpa.	IN	PTR
 
 ;; ANSWER SECTION:
 156.82.76.144.in-addr.arpa. 21599 IN	PTR	hr3.samba.org.
 
 ;; AUTHORITY SECTION:
 .			62578	IN	NS	l.root-servers.net.
 .			62578	IN	NS	c.root-servers.net.
 .			62578	IN	NS	k.root-servers.net.
 .			62578	IN	NS	e.root-servers.net.
 .			62578	IN	NS	b.root-servers.net.
 .			62578	IN	NS	h.root-servers.net.
 .			62578	IN	NS	j.root-servers.net.
 .			62578	IN	NS	d.root-servers.net.
 .			62578	IN	NS	a.root-servers.net.
 .			62578	IN	NS	i.root-servers.net.
 .			62578	IN	NS	f.root-servers.net.
 .			62578	IN	NS	g.root-servers.net.
 .			62578	IN	NS	m.root-servers.net.
 
 ;; Query time: 39 msec
 ;; SERVER: 192.168.0.2#53(192.168.0.2)
 ;; WHEN: Sun Jun 30 12:29:55 BST 2019
 ;; MSG SIZE  rcvd: 293

As you can see, the reverse lookup also succeeds.

Now test the Samba AD DNS domain:

dig samdom.example.com

 ; <<>> DiG 9.10.3-P4-Debian <<>> samdom.example.com
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44000
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
 
 ;; OPT PSEUDOSECTION:
 ; EDNS: version: 0, flags:; udp: 4096
 ;; QUESTION SECTION:
 ;samdom.example.com.		IN	A
 
 ;; ANSWER SECTION:
 samdom.example.com.	900	IN	A	192.168.0.4
 samdom.example.com.	900	IN	A	192.168.0.5
 
 ;; AUTHORITY SECTION:
 samdom.example.com.	531	IN	NS	dc4.samdom.example.com.
 samdom.example.com.	531	IN	NS	dc5.samdom.example.com.
 
 ;; ADDITIONAL SECTION:
 dc4.samdom.example.com.	531	IN	A	192.168.0.4
 dc5.samdom.example.com.	530	IN	A	192.168.0.5
 
 ;; Query time: 5 msec
 ;; SERVER: 192.168.0.277#53(192.168.0.277)
 ;; WHEN: Sun Jun 30 10:59:09 BST 2019
 ;; MSG SIZE  rcvd: 147

dig _mscds.samdom.example.com

 ; <<>> DiG 9.10.3-P4-Debian <<>> _mscds.samdom.example.com
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20318
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
 
 ;; OPT PSEUDOSECTION:
 ; EDNS: version: 0, flags:; udp: 4096
 ;; QUESTION SECTION:
 ;_mscds.samdom.example.com.	IN	A
 
 ;; AUTHORITY SECTION:
 samdom.example.com.	3600	IN	SOA	dc4.samdom.example.com. hostmaster.samdom.example.com. 8289 900 600 86400 3600
 
 ;; Query time: 5 msec
 ;; SERVER: 192.168.0.277#53(192.168.0.277)
 ;; WHEN: Sun Jun 30 11:00:43 BST 2019
 ;; MSG SIZE  rcvd: 105

dig -x 192.168.0.4

 ; <<>> DiG 9.10.3-P4-Debian <<>> -x 192.168.0.4
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22894
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
 
 ;; OPT PSEUDOSECTION:
 ; EDNS: version: 0, flags:; udp: 4096
 ;; QUESTION SECTION:
 ;6.0.168.192.in-addr.arpa.	IN	PTR
 
 ;; ANSWER SECTION:
 6.0.168.192.in-addr.arpa. 900	IN	PTR	dc4.samdom.example.com.
 
 ;; AUTHORITY SECTION:
 0.168.192.in-addr.arpa.	3600	IN	NS	dc5.samdom.example.com.
 
 ;; ADDITIONAL SECTION:
 dc5.samdom.example.com.	293	IN	A	192.168.0.5
 
 ;; Query time: 5 msec
 ;; SERVER: 192.168.0.277#53(192.168.0.277)
 ;; WHEN: Sun Jun 30 11:03:06 BST 2019
 ;; MSG SIZE  rcvd: 123
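Reading the dig outputs above by eye is error-prone, so here is an added example (my own code, not part of the post or the Samba wiki; `parse_dig`, `check_response` and the embedded sample output are constructed for illustration) that parses dig's text output and checks the points the tests are meant to establish: the answer came from the caching server (192.168.0.2), the status is NOERROR, the A records for the AD domain point only at the DCs, and a repeat query is served from cache. Two details of the outputs above are worth noting: the last three responses report `SERVER: 192.168.0.277`, which is not a valid IPv4 address and is exactly the kind of inconsistency the checker flags; and the `_mscds.samdom.example.com` query transposes two letters of the `_msdcs` zone configured in named.conf.local, so the NXDOMAIN it shows is the correct answer for that misspelt name rather than a forwarding fault.

```python
"""Parse dig output and check it against the expected caching server and
the AD DCs.  Added example, not code from the Samba post or wiki."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

Record = Tuple[str, int, str, str]  # (name, ttl, type, rdata)
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")


@dataclass
class DigResult:
    status: str
    server: str
    query_time_ms: int
    answers: List[Record] = field(default_factory=list)


def parse_dig(text: str) -> DigResult:
    """Pull status, answering server, query time and the ANSWER section
    records out of dig's human-readable output."""
    status = server = qtime = None
    answers: List[Record] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        m_status = re.search(r"status: (\w+)", line)
        m_server = re.match(r";; SERVER: (\S+)#\d+", line)
        m_time = re.match(r";; Query time: (\d+) msec", line)
        if m_status:
            status = m_status.group(1)
        elif m_server:
            server = m_server.group(1)
        elif m_time:
            qtime = int(m_time.group(1))
        elif line.startswith(";;") and line.endswith("SECTION:"):
            section = line  # remember which section the next records belong to
        elif section == ";; ANSWER SECTION:":
            m_rec = RECORD_RE.match(line)
            if m_rec:
                answers.append((m_rec.group(1), int(m_rec.group(2)),
                                m_rec.group(3), m_rec.group(4)))
    if status is None or server is None or qtime is None:
        raise ValueError("incomplete dig output: header, SERVER or Query time missing")
    return DigResult(status, server, qtime, answers)


def check_response(res: DigResult, expected_server: str,
                   allowed_a: Optional[Set[str]] = None,
                   max_cached_ms: Optional[int] = None) -> List[str]:
    """Return the problems found; an empty list means the answer came from
    the caching server, succeeded, and (if asked) only pointed at the DCs."""
    problems: List[str] = []
    try:
        srv = ipaddress.ip_address(res.server)
    except ValueError:
        # Catches impossible addresses such as the 192.168.0.277 shown above.
        problems.append(f"SERVER {res.server!r} is not a valid IP address")
    else:
        if str(srv) != expected_server:
            problems.append(f"answered by {srv}, expected {expected_server}")
    if res.status != "NOERROR":
        problems.append(f"status {res.status}")
    if not res.answers:
        problems.append("no ANSWER records")
    if allowed_a is not None:
        stray = sorted({r[3] for r in res.answers if r[2] == "A"} - allowed_a)
        if stray:
            problems.append(f"A records outside the DC set: {', '.join(stray)}")
    if max_cached_ms is not None and res.query_time_ms > max_cached_ms:
        problems.append(f"query took {res.query_time_ms} ms, not a cache hit")
    return problems


# Constructed dig output modelled on the samdom.example.com query above.
SAMPLE_AD_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44000
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; QUESTION SECTION:
;samdom.example.com.            IN      A

;; ANSWER SECTION:
samdom.example.com.     900     IN      A       192.168.0.4
samdom.example.com.     900     IN      A       192.168.0.5

;; AUTHORITY SECTION:
samdom.example.com.     531     IN      NS      dc4.samdom.example.com.

;; Query time: 5 msec
;; SERVER: 192.168.0.2#53(192.168.0.2)
"""
# Same answer, but reporting the impossible server address from the page.
SAMPLE_BAD_SERVER = SAMPLE_AD_OK.replace("192.168.0.2#53(192.168.0.2)",
                                         "192.168.0.277#53(192.168.0.277)")
DCS = {"192.168.0.4", "192.168.0.5"}

if __name__ == "__main__":
    for label, text in (("ok", SAMPLE_AD_OK), ("bad server", SAMPLE_BAD_SERVER)):
        print(label, check_response(parse_dig(text), "192.168.0.2", DCS) or "OK")
```

In practice feed it the real output, for example `dig samdom.example.com | python3 check_dig.py` with a small wrapper that reads stdin, and pass `max_cached_ms=0` only on the second run of a query, where the guide expects the cache to answer.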