[Samba] split horizon and authoritative answers..?
L.P.H. van Belle
belle at bazuin.nl
Tue Jul 30 07:53:09 UTC 2019
Hai,
Have you ever tried this with a systemd networking setup?
I suggest you try this, this at least helped me with some split DNS issues.
Below shows how I did it.
Configure your network with systemd, the configs:
#/etc/systemd/network/lan-dev.network
#
# Configure global settings in /etc/systemd/*.conf
#
# Don't forget : rm /etc/resolv.conf && ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
# ( Optional, you can use a static resolv.conf also )
#
# Config below disables ipv6
[Match]
Name=eth0
[Network]
DHCP=no
DNSSEC=allow-downgrade
IPv6PrivacyExtensions=no
IPv6AcceptRouterAdvertisements=no
LinkLocalAddressing=no
# we want NTP synced with AD-DC's
# ip, hostname or cnames are allowed here.
NTP=IP-AD-DC1 AD-DC-IP2
#
DNS=IP1 IP2
#
Domains=primary.dnsdomain.tld alias.domain.tld domain.tld
# Optional extra IP
#Address=IP/mask
# optional set extra gateway for this interface
#Gateway=x.x.x.x/x
# Optional set extra routes.
#[Route]
#Destination=y.y.y.y/y
#Gateway=y.y.y.y
Interface 2:
#/etc/systemd/network/wan-dev.network
[Match]
Name=eth1
[Network]
DHCP=no
DNSSEC=allow-downgrade
LLMNR=no
IPv6PrivacyExtensions=no
IPv6AcceptRouterAdvertisements=no
LinkLocalAddressing=no
DNS=IP_INTERNET_DNS1 IP_INTERNET_DNS2
Domains=internetDomain.tld
# IPv4 gateway and primary address.
Address=X.X.X.X/XX
Gateway=X.X.X.X
#[Route]
#Destination=x.x.x.x/x
#Gateway=x.x.x.x
Now, traffic on the WAN will use the internet DNS, and the LAN DNS on the LAN.
CLIENT requests are determined by /etc/resolv.conf
If you have requests from your server itself, then set up a caching DNS server.
And add forwarding zones and point the first nameserver in resolv.conf to localhost.
Something like this; you need bind9 for this example.
//
// Lan zones point to AD-DC DNS.
//
zone "ad-zone.dnsdomain.tld" {
type forward;
forward only;
forwarders { IP_DC1; IP_DC2; };
};
// change the XXX to your reverse ip range
zone "XXX.XXX.in-addr.arpa" {
type forward;
forward only;
forwarders { IP_DC1; IP_DC2; };
};
PS. If you're using Debian Buster or bind 9.11+
you might need more changes.
If that's the case, mail again.
Greetz,
Louis
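As an added example (not code from Louis, Joachim or the Samba project): a small Python checker that parses dig output like the two runs quoted below, follows the CNAME chain and reports whether a DC handed back the internal (RFC 1918) or the external view, and whether the aa/ad flags were set, so a mismatch between DCs can be spotted before clients do. The embedded samples are trimmed copies of the thread's own output; the qname is assumed to carry the trailing dot as dig prints it.

```python
import ipaddress, re
# Trimmed copies of the two dig runs quoted in the thread (cobra: bind backend, boa: internal).
DIG_COBRA = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 3
;; ANSWER SECTION:
backup.lindenberg.one. 300 IN CNAME backup.rot.lindenberg.one.
backup.rot.lindenberg.one. 3600 IN CNAME alex.samba.lindenberg.one.
alex.samba.lindenberg.one. 1200 IN A 192.168.177.5
;; AUTHORITY SECTION:
samba.lindenberg.one. 900 IN NS cobra.samba.lindenberg.one.
"""
DIG_BOA = """\
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
backup.lindenberg.one. 277 IN CNAME backup.rot.lindenberg.one.
backup.rot.lindenberg.one. 277 IN CNAME dynamic.lindenberg.one.
dynamic.lindenberg.one. 97 IN A 178.10.20.121
"""
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|AAAA|CNAME)\s+(\S+)$")
def parse_dig(text):
    """Return (header flags, answer-section records) from dig output."""
    flags, answers, in_answer = set(), [], False
    for line in text.splitlines():
        if line.startswith(";; flags:"):
            flags = set(line.split(";")[2].replace("flags:", "").split())
        elif line.startswith(";; ") and "SECTION" in line:
            in_answer = "ANSWER" in line
        elif in_answer:
            m = RR_RE.match(line.strip())
            if m:
                answers.append(m.groups())  # (owner, type, rdata)
    return flags, answers

def classify(text, qname):
    """Follow the CNAME chain from qname; report which view was served and the aa/ad flags."""
    flags, answers = parse_dig(text)
    rrs = {owner: (rtype, rdata) for owner, rtype, rdata in answers}
    name, hops = qname, 0
    while name in rrs and rrs[name][0] == "CNAME" and hops < 10:
        name, hops = rrs[name][1], hops + 1
    view, address = "unresolved", None
    if name in rrs and rrs[name][0] != "CNAME":  # chain ended at an A/AAAA record
        address = rrs[name][1]
        view = "internal" if ipaddress.ip_address(address).is_private else "external"
    return {"final": name, "address": address, "view": view,
            "aa": "aa" in flags, "ad": "ad" in flags}
def views_differ(text_a, text_b, qname):
    """True when two DCs serve different views of the same name (the mismatch in the thread)."""
    return classify(text_a, qname)["view"] != classify(text_b, qname)["view"]
```

Feed it the full output of `dig <name> @<dc>` from each DC; a True from views_differ means the two DCs disagree, which is exactly what the two runs quoted below show.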
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Joachim Lindenberg via samba
> Sent: Monday 29 July 2019 18:46
> To: samba at lists.samba.org
> Subject: [Samba] split horizon and authoritative answers..?
>
> I need to implement split horizon DNS, as I have just one
> external IP address (dynamic.lindenberg.one in external DNS)
> but multiple internal ones. External requests are distributed
> by port or using sniproxy (in particular 443), and all
> externally visible names are in a distinct zone than my
> domain, but with an additional indirection: names like
> backup.lindenberg.one resolve to CNAME
> backup.rot.lindenberg.one, and only backup.rot.lindenberg.one
> is resolved differently internally/externally.
>
> On my old DC (recently upgraded), I was using the bind backend
> and initially had a zone file with the internal resolution
> (partly generated by a shell script). Later on I figured out
> that I can also define that zone in AD, and maintain internal
> names easily with the RSAT DNS tool, and also removed the zone file.
>
> Now I also installed a new DC, but used the internal backend.
> The issue now is that they resolve differently:
>
> joachim at cobra:/etc/bind$ dig backup.lindenberg.one @cobra
>
> ; <<>> DiG 9.11.3-1ubuntu1.8-Ubuntu <<>> backup.lindenberg.one @cobra
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24127
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 3
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 9948b558362b92988d15885e5d3f20913d1a914b95ee56eb (good)
> ;; QUESTION SECTION:
> ;backup.lindenberg.one. IN A
>
> ;; ANSWER SECTION:
> backup.lindenberg.one. 300 IN CNAME backup.rot.lindenberg.one.
> backup.rot.lindenberg.one. 3600 IN CNAME alex.samba.lindenberg.one.
> alex.samba.lindenberg.one. 1200 IN A 192.168.177.5
>
> ;; AUTHORITY SECTION:
> samba.lindenberg.one. 900 IN NS cobra.samba.lindenberg.one.
> samba.lindenberg.one. 900 IN NS boa.samba.lindenberg.one.
>
> ;; ADDITIONAL SECTION:
> cobra.samba.lindenberg.one. 900 IN A 192.168.177.19
> boa.samba.lindenberg.one. 900 IN A 192.168.177.18
>
> ;; Query time: 22 msec
> ;; SERVER: 192.168.177.19#53(192.168.177.19)
> ;; WHEN: Mon Jul 29 18:36:33 CEST 2019
> ;; MSG SIZE rcvd: 214
>
> joachim at cobra:/etc/bind$ dig backup.lindenberg.one @boa.samba.lindenberg.one
>
> ; <<>> DiG 9.11.3-1ubuntu1.8-Ubuntu <<>> backup.lindenberg.one @boa.samba.lindenberg.one
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63515
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;backup.lindenberg.one. IN A
>
> ;; ANSWER SECTION:
> backup.lindenberg.one. 277 IN CNAME backup.rot.lindenberg.one.
> backup.rot.lindenberg.one. 277 IN CNAME dynamic.lindenberg.one.
> dynamic.lindenberg.one. 97 IN A 178.10.20.121
>
> ;; Query time: 1 msec
> ;; SERVER: 192.168.177.18#53(192.168.177.18)
> ;; WHEN: Mon Jul 29 18:38:24 CEST 2019
> ;; MSG SIZE rcvd: 102
>
> To me it looks like that with bind, the external information
> for which bind feels authoritative is stripped and replaced
> by internal information, whereas with internal backend this
> is not done. But of course this is speculative.
>
> The dns forwarder is the same for both.
>
>
>
> Is my observation correct and maybe also the assumption? If
> yes, is that behavior as expected? Is bind's behavior as
> expected? If all yes, how can I switch to bind? Demote and rejoin?
>
>
>
> Thanks, Joachim
>