[Samba] Samba DC and DNS best practices

Joachim Lindenberg samba at lindenberg.one
Wed May 20 06:09:30 UTC 2020

Hello Jonathon,
good questions, throwing in my cents..
"ideal .. configuration" - I guess it really depends on what you want to do
and scale of the network. Mine is small (roundabout two dozen machines),
nevertheless I am running two DCs for availability reasons. When I started
that journey, nobody on the list really recommended Samba's internal backend
in a multi-DC, and for that reason I am using BIND9_DLZ. Initially I also
used bind to serve another local domain, but ultimately figured out it is
easier to maintain it in the directory as yet another DNS zone. Thus if
there were a clear statement from the Samba team that the internal backend is fine
with multiple DCs, then I could get rid of bind. Ultimately the question is
what scenarios are subject to
https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#Introduction "that
the Samba internal DNS server does not support." - this statement is unclear
and thus bind9 is probably the goto solution.
Upstream I am running a pi-hole and then DNS-over-TLS to Cloudflare. Now as
pi-hole is based on dnsmasq I could also use that as the main entry point
for clients and just delegate local zones to Samba. But as Windows clients
are supposed to update their (potentially dynamic) addresses I just don't
know whether this is supposed to work. The error messages suggest they expect
the DNS servers to react to updates. If it were clear they talk to any of
the authoritative servers of the zone, then I'd feel much better with that.
Best Regards, Joachim

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Jonathon Reinhart
via samba
Sent: Wednesday, 20 May 2020 04:16
To: samba <samba at lists.samba.org>
Subject: [Samba] Samba DC and DNS best practices

Hello everyone,

I'm trying to come up with the ideal DNS server configuration in
consideration with Samba AD DC.

The Samba wiki [1] says:

> For high traffic environments, it is not recommended to use
> BIND9_DLZ-backed samba as a primary DNS server. Instead, use an external
> server that only forwards queries to BIND9_DLZ-backed samba DNS
> installations when the query is addressed to a zone managed by that node.

Obviously running BIND9_DLZ is more complex than leveraging Samba's built-in
DNS server. Why bother with BIND9_DLZ, if it is recommended to run a
separate DNS server and forward the AD zone to a DC anyway? What benefit
does using BIND9_DLZ provide?


We used to use Unbound on our pfSense gateway exclusively for DNS. When we
provisioned our domain, we pointed clients at the Samba DCs (running the
built-in DNS server) for DNS. Samba was configured to forward directly to
Google Public DNS, but the latency was poor, as there was no caching on our
end anymore. So we instead forwarded Samba to the old Unbound DNS servers
for internet DNS.

There are various problems with this setup, namely that Samba doesn't support
"conditional forwarders" [2], so we handle that in Unbound.

Is the right answer (still) to set up separate DNS servers (like BIND or
PowerDNS) and forward the AD zone to Samba?

What about dynamic DNS for non-domain-joined DHCP clients? Their names can't
be trusted in the same zone as the AD domain, so I want the DHCP server to
register them somewhere else. Can Samba DNS handle that zone or should that
be handled by BIND/PowerDNS?

Looking to hear about some of the configurations in use by people here.

Thank you,

Jonathon Reinhart

[2]: https://lists.samba.org/archive/samba/2018-December/219978.html
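The "handle conditional forwarders in Unbound" arrangement Jonathon describes, written out as an added example for readers of this thread (it is not configuration from either poster). Unbound syntax is real; the domain names (ad.example.com, dhcp.example.com), the DC addresses 192.0.2.10/11, the DHCP-zone server 192.0.2.20 and the upstream 203.0.113.53 are constructed placeholders:

```conf
# unbound.conf fragment (added example). Replace the placeholder names and
# addresses with your own; they are not taken from the mailing-list thread.
server:
    # Validating resolvers (pfSense turns DNSSEC validation on) would reject
    # answers from the unsigned AD zone, so mark the internal zones insecure.
    domain-insecure: "ad.example.com"
    domain-insecure: "dhcp.example.com"
    domain-insecure: "2.0.192.in-addr.arpa"

    # If private-address rebind protection is configured, answers containing
    # internal addresses are dropped unless the zone is allowed here.
    private-domain: "ad.example.com"
    private-domain: "dhcp.example.com"

    # For an RFC1918 subnet, Unbound ships a built-in static local-zone for the
    # reverse range that would answer before any forward-zone; disable it with
    # e.g.  local-zone: "10.in-addr.arpa." nodefault  for 10.0.0.0/8.

# Conditional forwarder: only queries under the AD domain go to the DCs.
forward-zone:
    name: "ad.example.com"
    forward-addr: 192.0.2.10
    forward-addr: 192.0.2.11

# Reverse zone for the AD subnet is also held by the DCs.
forward-zone:
    name: "2.0.192.in-addr.arpa"
    forward-addr: 192.0.2.10
    forward-addr: 192.0.2.11

# Names of non-domain-joined DHCP clients live in their own zone on a
# separate server, so they never share the AD zone's trust.
forward-zone:
    name: "dhcp.example.com"
    forward-addr: 192.0.2.20

# Everything else goes to the upstream resolver of your choice.
forward-zone:
    name: "."
    forward-addr: 203.0.113.53
```

To check the forwarder from a client, query Unbound for one of the AD service records, for instance `dig @<unbound-ip> _ldap._tcp.dc._msdcs.ad.example.com SRV`; the answer should list the DCs. Note that Unbound is a recursive resolver and does not accept DNS UPDATE messages, so clients that register their own records still have to reach a DC (or BIND9_DLZ) directly for the update, which is the point Joachim raises above.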