[Samba] split horizon and authoritative answers..?
Joachim Lindenberg
samba at lindenberg.one
Mon Jul 29 16:45:50 UTC 2019
I need to implement split horizon DNS, as I have just one external IP address (dynamic.lindenberg.one in external DNS) but multiple internal ones. External requests are distributed by port or using sniproxy (in particular 443), and all externally visible names are in a distinct zone from my domain, but with an additional indirection: names like backup.lindenberg.one resolve to CNAME backup.rot.lindenberg.one, and only backup.rot.lindenberg.one is resolved differently internally/externally.
On my old DC (recently upgraded), I was using the bind backend and initially had a zone file with the internal resolution (partly generated by a shell script). Later on I figured out that I can also define that zone in AD, and maintain internal names easily with the RSAT DNS tool, and also removed the zone file.
Now I also installed a new DC, but used the internal backend. The issue now is that they resolve differently:
joachim at cobra:/etc/bind$ dig backup.lindenberg.one @cobra
; <<>> DiG 9.11.3-1ubuntu1.8-Ubuntu <<>> backup.lindenberg.one @cobra
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24127
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 9948b558362b92988d15885e5d3f20913d1a914b95ee56eb (good)
;; QUESTION SECTION:
;backup.lindenberg.one. IN A
;; ANSWER SECTION:
backup.lindenberg.one. 300 IN CNAME backup.rot.lindenberg.one.
backup.rot.lindenberg.one. 3600 IN CNAME alex.samba.lindenberg.one.
alex.samba.lindenberg.one. 1200 IN A 192.168.177.5
;; AUTHORITY SECTION:
samba.lindenberg.one. 900 IN NS cobra.samba.lindenberg.one.
samba.lindenberg.one. 900 IN NS boa.samba.lindenberg.one.
;; ADDITIONAL SECTION:
cobra.samba.lindenberg.one. 900 IN A 192.168.177.19
boa.samba.lindenberg.one. 900 IN A 192.168.177.18
;; Query time: 22 msec
;; SERVER: 192.168.177.19#53(192.168.177.19)
;; WHEN: Mon Jul 29 18:36:33 CEST 2019
;; MSG SIZE rcvd: 214
joachim at cobra:/etc/bind$ dig backup.lindenberg.one @boa.samba.lindenberg.one
; <<>> DiG 9.11.3-1ubuntu1.8-Ubuntu <<>> backup.lindenberg.one @boa.samba.lindenberg.one
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63515
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;backup.lindenberg.one. IN A
;; ANSWER SECTION:
backup.lindenberg.one. 277 IN CNAME backup.rot.lindenberg.one.
backup.rot.lindenberg.one. 277 IN CNAME dynamic.lindenberg.one.
dynamic.lindenberg.one. 97 IN A 178.10.20.121
;; Query time: 1 msec
;; SERVER: 192.168.177.18#53(192.168.177.18)
;; WHEN: Mon Jul 29 18:38:24 CEST 2019
;; MSG SIZE rcvd: 102
To me it looks like, with bind, the external information for which bind feels authoritative is stripped and replaced by internal information, whereas with the internal backend this is not done. But of course this is speculative.
The dns forwarder is the same for both.
Is my observation correct and maybe also the assumption? If yes, is that behavior as expected? Is bind's behavior as expected? If all yes, how can I switch to bind? Demote and rejoin?
Thanks, Joachim
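An added check, not part of the post or of Samba itself, that parses the ANSWER SECTION of a dig run, follows the CNAME chain, and flags an internal resolver whose final answer is a public address (the split-horizon leak described above). The sample inputs are constructed from the two dig outputs quoted in the post; the function names are the example's own.

```python
import ipaddress
import re

# Constructed from the post's two dig runs: the bind-backend DC (cobra) and the
# internal-backend DC (boa), trimmed to the relevant sections.
DIG_COBRA = """\
;; ANSWER SECTION:
backup.lindenberg.one. 300 IN CNAME backup.rot.lindenberg.one.
backup.rot.lindenberg.one. 3600 IN CNAME alex.samba.lindenberg.one.
alex.samba.lindenberg.one. 1200 IN A 192.168.177.5
;; AUTHORITY SECTION:
samba.lindenberg.one. 900 IN NS cobra.samba.lindenberg.one.
"""
DIG_BOA = """\
;; ANSWER SECTION:
backup.lindenberg.one. 277 IN CNAME backup.rot.lindenberg.one.
backup.rot.lindenberg.one. 277 IN CNAME dynamic.lindenberg.one.
dynamic.lindenberg.one. 97 IN A 178.10.20.121
"""

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")

def parse_answer_section(dig_output):
    # {owner: (type, rdata)} from the ANSWER SECTION only (last RR per owner wins).
    records, in_answer = {}, False
    for line in dig_output.splitlines():
        if line.startswith(";;"):
            in_answer = line.startswith(";; ANSWER SECTION:")
            continue
        m = RR_RE.match(line.strip())
        if in_answer and m:
            owner, _ttl, rtype, rdata = m.groups()
            records[owner.rstrip(".")] = (rtype, rdata.rstrip("."))
    return records

def follow_chain(records, name, max_hops=8):
    # Follow CNAMEs from name; returns (names visited, final A rdata or None).
    chain = [name]
    while len(chain) <= max_hops:
        rtype, rdata = records.get(chain[-1], (None, None))
        if rtype != "CNAME":
            return chain, rdata if rtype == "A" else None
        chain.append(rdata)
    return chain, None

def internal_view_leaks_external(dig_output, name):
    # True when the chain ends at a public (non-RFC1918) address, i.e. the
    # resolver served the external view to an internal client.
    _chain, addr = follow_chain(parse_answer_section(dig_output), name)
    return addr is not None and not ipaddress.ip_address(addr).is_private
```

Run the same query against each DC and feed the raw dig output to `internal_view_leaks_external`; a True result marks the DC whose internal answer ends at the external address.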