[Samba] Samba DC and DNS best practices

[Jonathon Reinhart]

Hello everyone,

I'm trying to come up with the ideal DNS server configuration in
consideration with Samba AD DC.

The Samba wiki [1] says:

> For high traffic environments, it is not recommended to use
BIND9_DLZ-backed samba as a primary DNS server. Instead, use an external
server that only forwards queries to BIND9_DLZ-backed samba DNS
installations when the query is addressed to a zone managed by that node.

Obviously running BIND9_DLZ is more complex than leveraging Samba's
built-in DNS server. Why bother with BIND9_DLZ, if it is recommended to run
a separate DNS server and forward the AD zone to a DC anyway? What benefit
does use BIND9_DLZ provide?


Backstory:

We used to use Unbound on our pfSense gateway exclusively for DNS. When we
provisioned our domain, we pointed clients at the Samba DCs (running the
built-in DNS server) for DNS. Samba was configured to forward directly to
Google Public DNS, but the latency was poor, as there was no caching on our
end anymore. So we instead forwarded Samba to the old Unbound DNS servers
for internet DNS.

There are various poblems with this setup, namely that Samba doesn't
support "conditional forwarders" [2] so we handle that in Unbound.

Is the right answer (still) to set up separate DNS servers (like BIND or
PowerDNS) and forward the AD zone to Samba?

What about dynamic DNS for non-domain-joined DHCP clients? Their names
can't be trusted in the same zone as the AD domain, so I want the DHCP
server to register them somewhere else. Can Samba DNS handle that zone or
should that be handled by BIND/PowerDNS?

Looking to hear about some of the configurations in use by people here.

Thank you,

Jonathon Reinhart


[1]:
https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#Recommended_Architecture
[2]: https://lists.samba.org/archive/samba/2018-December/219978.html