[Samba] split horizon and authoritative answers..?

Joachim Lindenberg samba at lindenberg.one
Mon Jul 29 16:45:50 UTC 2019


I need to implement split horizon DNS, as I have just one external IP address (dynamic.lindenberg.one in external DNS) but multiple internal ones. External requests are distributed by port or using sniproxy (in particular 443), and all externally visible names are in a distinct zone than my domain, but with an additional indirection: names like backup.lindenberg.one resolve to CNAME backup.rot.lindenberg.one, and only backup.rot.lindenberg.one is resolved differently internally/externally.

On my old DC (recently upgraded), I was using the bind backend and initially had a zone file with the internal resolution (partly generated by a shell script). Later on I figured out that I can also define that zone in AD, and maintain internal names easily with the RSAT DNS tool, and also removed the zone file.

Now I also installed a new DC, but used the internal backend. The issue now is that they resolve differently:

joachim at cobra:/etc/bind$ dig backup.lindenberg.one @cobra

; <<>> DiG 9.11.3-1ubuntu1.8-Ubuntu <<>> backup.lindenberg.one @cobra
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24127
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 9948b558362b92988d15885e5d3f20913d1a914b95ee56eb (good)
;; QUESTION SECTION:
;backup.lindenberg.one.         IN      A

;; ANSWER SECTION:
backup.lindenberg.one.  300     IN      CNAME   backup.rot.lindenberg.one.
backup.rot.lindenberg.one. 3600 IN      CNAME   alex.samba.lindenberg.one.
alex.samba.lindenberg.one. 1200 IN      A       192.168.177.5

;; AUTHORITY SECTION:
samba.lindenberg.one.   900     IN      NS      cobra.samba.lindenberg.one.
samba.lindenberg.one.   900     IN      NS      boa.samba.lindenberg.one.

;; ADDITIONAL SECTION:
cobra.samba.lindenberg.one. 900 IN      A       192.168.177.19
boa.samba.lindenberg.one. 900   IN      A       192.168.177.18

;; Query time: 22 msec
;; SERVER: 192.168.177.19#53(192.168.177.19)
;; WHEN: Mon Jul 29 18:36:33 CEST 2019
;; MSG SIZE  rcvd: 214

joachim at cobra:/etc/bind$ dig backup.lindenberg.one @boa.samba.lindenberg.one

; <<>> DiG 9.11.3-1ubuntu1.8-Ubuntu <<>> backup.lindenberg.one @boa.samba.lindenberg.one
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63515
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;backup.lindenberg.one.         IN      A

;; ANSWER SECTION:
backup.lindenberg.one.  277     IN      CNAME   backup.rot.lindenberg.one.
backup.rot.lindenberg.one. 277  IN      CNAME   dynamic.lindenberg.one.
dynamic.lindenberg.one. 97      IN      A       178.10.20.121

;; Query time: 1 msec
;; SERVER: 192.168.177.18#53(192.168.177.18)
;; WHEN: Mon Jul 29 18:38:24 CEST 2019
;; MSG SIZE  rcvd: 102


To me it looks like, with bind, the external information for which bind feels authoritative is stripped and replaced by internal information, whereas with the internal backend this is not done. But of course this is speculative.

The dns forwarder is the same for both.

Is my observation correct and maybe also the assumption? If yes, is that behavior as expected? Is bind's behavior as expected? If all yes, how can I switch to bind? Demote and rejoin?

 

Thanks, Joachim
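As an added illustration for the comparison above (not part of the thread and not Samba's or bind's code): a small Python script that parses the ANSWER SECTION of `dig` output, follows the CNAME chain to the final address records and classifies the result as the internal view (RFC 1918 address) or the external view (globally routable address). Run against captured output from each DC, it flags the server that hands the external answer to LAN clients. The two embedded samples are constructed copies of the answer sections quoted in the post; the function names and the "internal means private address" rule are assumptions of this example, not anything Samba defines.

```python
"""Classify which split-horizon view a DNS server returned, from dig output.

Added example, not Samba or bind code. It assumes that the internal view
should resolve to an RFC 1918 address and the external view to a public one.
"""
import ipaddress
from typing import Dict, List, Tuple

Record = Tuple[str, int, str, str]  # (owner, ttl, type, rdata)

# Constructed sample input: the two ANSWER SECTIONs quoted in the post,
# trimmed to the parts this script reads.
DIG_COBRA = """\
;; ANSWER SECTION:
backup.lindenberg.one.  300     IN      CNAME   backup.rot.lindenberg.one.
backup.rot.lindenberg.one. 3600 IN      CNAME   alex.samba.lindenberg.one.
alex.samba.lindenberg.one. 1200 IN      A       192.168.177.5

;; AUTHORITY SECTION:
samba.lindenberg.one.   900     IN      NS      cobra.samba.lindenberg.one.
"""

DIG_BOA = """\
;; ANSWER SECTION:
backup.lindenberg.one.  277     IN      CNAME   backup.rot.lindenberg.one.
backup.rot.lindenberg.one. 277  IN      CNAME   dynamic.lindenberg.one.
dynamic.lindenberg.one. 97      IN      A       178.10.20.121

;; Query time: 1 msec
"""


def parse_answer_section(dig_output: str) -> List[Record]:
    """Return (owner, ttl, type, rdata) tuples from dig's ANSWER SECTION."""
    records: List[Record] = []
    in_answer = False
    for raw in dig_output.splitlines():
        line = raw.strip()
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if not in_answer:
            continue
        if line.startswith(";"):
            break  # next section header (AUTHORITY, Query time, ...)
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue  # not a resource record line
        owner, ttl, rtype = fields[0].lower(), int(fields[1]), fields[3]
        rdata = " ".join(fields[4:]).lower()
        records.append((owner, ttl, rtype, rdata))
    return records


def follow_chain(records: List[Record], qname: str, max_hops: int = 8) -> Tuple[List[str], List[str]]:
    """Walk CNAMEs from qname; return (names visited, final A/AAAA addresses)."""
    by_owner: Dict[str, List[Record]] = {}
    for rec in records:
        by_owner.setdefault(rec[0], []).append(rec)
    name = qname.lower().rstrip(".") + "."
    chain = [name]
    for _ in range(max_hops):
        rrs = by_owner.get(name, [])
        addrs = [r[3] for r in rrs if r[2] in ("A", "AAAA")]
        if addrs:
            return chain, addrs
        cnames = [r[3] for r in rrs if r[2] == "CNAME"]
        if not cnames:
            return chain, []  # chain ends without an address record
        name = cnames[0]
        chain.append(name)
    raise ValueError("CNAME chain too long or looping: " + " -> ".join(chain))


def classify_view(addresses: List[str]) -> str:
    """'internal' for private addresses only, 'external' for public only."""
    kinds = {"internal" if ipaddress.ip_address(a).is_private else "external"
             for a in addresses}
    if not kinds:
        return "unresolved"
    return kinds.pop() if len(kinds) == 1 else "mixed"


def check_resolver(label: str, dig_output: str, qname: str) -> dict:
    """Summarise what one server answered for qname."""
    chain, addrs = follow_chain(parse_answer_section(dig_output), qname)
    return {"server": label, "chain": chain, "addresses": addrs,
            "view": classify_view(addrs)}


def find_leaks(results: List[dict], expected: str = "internal") -> List[str]:
    """Servers whose answer is not the view LAN clients should receive."""
    return [r["server"] for r in results if r["view"] != expected]


if __name__ == "__main__":
    results = [check_resolver("cobra", DIG_COBRA, "backup.lindenberg.one"),
               check_resolver("boa", DIG_BOA, "backup.lindenberg.one")]
    for r in results:
        print(f"{r['server']}: {' -> '.join(r['chain'])} -> {r['addresses']} [{r['view']}]")
    print("servers returning the wrong view on the LAN:", find_leaks(results))
```

For real use, replace the embedded samples with `dig name @server` output captured from each DC; the script only needs the ANSWER SECTION, so the rest of dig's output can stay in.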
