[Samba] Samba DC and DNS best practices

Andrew Bartlett abartlet at samba.org
Wed May 20 09:32:45 UTC 2020

On Tue, 2020-05-19 at 22:16 -0400, Jonathon Reinhart via samba wrote:
> Hello everyone,
> I'm trying to come up with the ideal DNS server configuration in
> consideration with Samba AD DC.
> The Samba wiki [1] says:
> > For high traffic environments, it is not recommended to use
> > BIND9_DLZ-backed samba as a primary DNS server. Instead, use an
> > external server that only forwards queries to BIND9_DLZ-backed
> > samba DNS installations when the query is addressed to a zone
> > managed by that node.
> Obviously running BIND9_DLZ is more complex than leveraging Samba's
> built-in DNS server. Why bother with BIND9_DLZ, if it is recommended
> to run a separate DNS server and forward the AD zone to a DC anyway?
> What benefit does using BIND9_DLZ provide?

That has multiple answers:
 - Originally BIND9_DLZ was the only option, we didn't want to write a
DNS server (that sounded complex) so we used that one.
 - Others on the team wanted to have Samba be an 'out of the box'
solution and 'how hard can it be anyway'.  It turns out quite hard, but
it does mean we can control everything.

Before we hit that performance issue the thinking was
 - internal to get going fast, small installations
 - BIND9_DLZ for large installs where using a 'proper' DNS server would

However then we found that the typical install just hammered the DB
checking if maybe we had added google.com as a zone in the past few
milliseconds, while blocking every thread and not doing any recursive

> Backstory:
> We used to use Unbound on our pfSense gateway exclusively for DNS.
> When we provisioned our domain, we pointed clients at the Samba DCs
> (running the built-in DNS server) for DNS. Samba was configured to
> forward directly to Google Public DNS, but the latency was poor, as
> there was no caching on our end anymore. So we instead forwarded Samba
> to the old Unbound DNS servers for internet DNS.
> There are various problems with this setup, namely that Samba doesn't
> support "conditional forwarders" [2] so we handle that in Unbound.
> Is the right answer (still) to set up separate DNS servers (like BIND
> or PowerDNS) and forward the AD zone to Samba?


> What about dynamic DNS for non-domain-joined DHCP clients? Their
> names can't be trusted in the same zone as the AD domain, so I want
> the server to register them somewhere else. Can Samba DNS handle that
> zone or should that be handled by BIND/PowerDNS?

They should ask for the SOA and do the update.  They don't need to
point directly to the Samba DNS server for that.

Andrew Bartlett
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          
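As an added example, not part of this thread or of Samba's own documentation, the following BIND 9 named.conf fragment shows the layout the thread converges on: a site resolver in front of the DCs that conditionally forwards the AD zones to Samba, and a separate, locally hosted dynamic zone for non-domain-joined DHCP clients so their names never land in the AD zone. Zone names, addresses, file paths and the TSIG key are placeholders; the DC addresses and the validate-except entry must match the real AD domain.

```conf
// Added example (not from the thread). BIND 9 resolver in front of
// Samba AD DCs. All names and addresses below are placeholders.
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { 10.0.0.0/8; localhost; };
    // Everything not matched by a zone below goes upstream; caching
    // happens here, so the DCs never answer internet lookups.
    forwarders { 192.0.2.53; 192.0.2.54; };
    forward only;
    // Keep validation on for the internet, but exempt the unsigned
    // AD zone so validation cannot reject the DCs' answers.
    dnssec-validation auto;
    validate-except { "ad.example.com"; };
};

// Conditional forwarder: the AD domain zone is answered only by the
// DCs (Samba internal DNS or BIND9_DLZ, either works behind this).
zone "ad.example.com" {
    type forward;
    forward only;
    forwarders { 10.0.0.11; 10.0.0.12; };
};

// _msdcs is a separate zone in AD, so it needs its own forward stanza;
// add the reverse zones held in AD the same way.
zone "_msdcs.ad.example.com" {
    type forward;
    forward only;
    forwarders { 10.0.0.11; 10.0.0.12; };
};

// Untrusted DHCP client names go in a zone hosted here, not in AD.
// Updates are accepted only with this TSIG key (generate with tsig-keygen).
key "dhcp-update" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET";
};

zone "dhcp.example.com" {
    type master;
    file "/var/lib/bind/dhcp.example.com.db";
    // Only records under the zone apex, only with the DHCP server's key.
    update-policy { grant dhcp-update zonesub ANY; };
};
```

With this split the DHCP server is pointed at dhcp.example.com, follows the zone's SOA to find this server as the primary, and sends its updates here; the Samba DCs continue to own ad.example.com and its _msdcs subzone, and the DCs' own forwarders should point back at this resolver rather than directly at a public resolver so the site keeps one cache.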
