[Samba] declaring Bind9 DNS servers as slaves when using Samba AD/DC with BIND9_DLZ

L.P.H. van Belle belle at bazuin.nl
Wed May 4 10:26:32 UTC 2022


Small tip on this one.
Yes, what Rowland suggests below works fine, I use(d) it also.
Only you might have/see delays in updating the slave zones.

I didn't like that, so I changed it to forward zones.

////  Rotterdam SLAVE
// forward zones instead of slave zones: queries go straight to the DCs,
// so there is no copy of the zone on this server that can lag behind.
zone "ad.lasthome.solace.krynn" IN {
        type forward;
        forward first;
        forwarders { IP_DC; IP_OTHER_DC; };
};
zone "0.131.10.in-addr.arpa" {
        type forward;
        forward first;
        forwarders { IP_DC; IP_OTHER_DC; };
};

Done, no delays on resolving due to unsynced slaves.


Greetz, 

Louis
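As an added example (not part of this thread, nor Samba's or BIND's own code), a small checker that parses the kind of named.conf zone stanzas quoted in this thread and flags the setting Vincent started with, allow-transfer { any; }, which Rowland's reply narrows to the secondary's IP, plus slave zones without masters and zone names with stray whitespace. The sample config is constructed from the thread's stanzas; IP_DC and IP_OTHER_DC are the thread's own placeholders.

```python
import re

# Constructed sample mixing the thread's stanzas: Vincent's permissive slave zone,
# Rowland's restricted one and Louis's forward variant (with a whitespace typo kept).
SAMPLE_CONF = """
zone "_msdcs.ad.lasthome.solace.krynn" IN {
        type slave;
        masters { 10.0.131.248; 10.0.131.249; };
        file "zonedb/named.KRYNN_AD._msdcs";
        allow-transfer { any; };
};
zone "ad.lasthome.solace.krynn" IN {
     type slave;
     file "/var/cache/bind/named.KRYNN_AD";
     masters { 10.0.131.248; };
};
zone " 0.131.10.in-addr.arpa " {
        type forward;
        forward first;
        forwarders { IP_DC; IP_OTHER_DC; };
};
"""

ZONE_RE = re.compile(r'zone\s+"([^"]*)"[^{]*\{(.*?)\n\};', re.S)   # one zone stanza
STMT_RE = re.compile(r'(\w[\w-]*)\s+(?:\{([^}]*)\}|([^;{]+));')     # key { a; b; }; or key v;

def parse_zones(conf: str) -> dict[str, dict[str, list[str]]]:
    """Map each zone name to {statement: [values]}; brace lists are split on ';'."""
    zones = {}
    for name, body in ZONE_RE.findall(conf):
        stmts = {}
        for key, braced, plain in STMT_RE.findall(body):
            raw = braced if braced else plain
            stmts[key] = [v.strip() for v in raw.split(';') if v.strip()]
        zones[name] = stmts
    return zones

def audit(conf: str) -> list[str]:
    """Flag the problems the thread runs into: open AXFR and malformed zones."""
    findings = []
    for name, st in parse_zones(conf).items():
        ztype = st.get('type', ['?'])[0]
        if name != name.strip():
            findings.append(f'{name!r}: zone name has stray whitespace')
        if 'any' in st.get('allow-transfer', []):
            findings.append(f'{name}: allow-transfer {{ any; }} lets any host '
                            'AXFR the zone; list only the secondary IPs')
        if ztype == 'slave' and not st.get('masters'):
            findings.append(f'{name}: slave zone without masters')
    return findings
```

Run audit() over the secondary's named.conf.local and over the DC's named.conf.options to confirm that only the intended secondary appears in allow-transfer before enabling 'dns zone transfer clients allow' in smb.conf.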



> -----Original message-----
> From: samba On behalf of Rowland Penny via samba
> Sent: Wednesday 4 May 2022 11:17
> To: samba at lists.samba.org
> CC: Rowland Penny <rpenny at samba.org>
> Subject: Re: [Samba] declaring Bind9 DNS servers as slaves when using
> Samba AD/DC with BIND9_DLZ
> 
> On Mon, 2022-04-25 at 19:28 -0400, Vincent S. Cojot via samba wrote:
> > Hi all,
> >
> > I have a small isolated 'island' made of two Samba AD/DC VMs. It
> > works
> > fine but is not really fault-tolerant (if one hypervisor crashes,
> > every
> > Windows client will time out for 50% of DNS requests).
> >
> > I was trying to setup my bind infra as DNS 'slaves' of the AD/DC
> > zones but
> > I'm struggling to make it work. I suspect this might be related to
> > having
> > to list my bind DNS servers as authoritative 'NS' servers for my AD
> > DC
> > zones.. Here's what I have:
> >
> > On a RHEL8 bind DNS server, I have declarations such as:
> > zone "_msdcs.ad.lasthome.solace.krynn" IN {
> >          type slave;
> >          masters { 10.0.131.248; 10.0.131.249; };
> >          notify yes;
> >          file "zonedb/named.KRYNN_AD._msdcs";
> >          allow-transfer { any; };
> >          allow-query { any; };
> > };
> > (and the same kind of declaration for _sites, _tcp, _udp...)
> >
> > On my samba, AD/DC servers, I made sure to have:
> >          allow-transfer { any; };
> >
> > Alas, on the BIND9 dns servers, I see this:
> > 25-Apr-2022 19:16:43.809 xfer-in: info: transfer of
> > '_msdcs.ad.lasthome.solace.krynn/IN' from 10.0.131.249#53: Transfer
> > status: REFUSED
> > 25-Apr-2022 19:16:43.809 xfer-in: info: transfer of
> > '_msdcs.ad.lasthome.solace.krynn/IN' from 10.0.131.249#53: Transfer
> > completed: 0 messages, 0 records, 0 bytes, 0.001 secs (0 bytes/sec)
> >
> > This can be matched to these logs on the Samba AD/DC servers:
> > 25-Apr-2022 16:38:01.528 notify: notice: client @0x7f0a341063f0
> > 10.0.128.242#12714: received notify for zone
> > '_msdcs.ad.lasthome.solace.krynn': not authoritative
> >
> > so communication works but dc01 refuses the zone transfer because it
> > is
> > coming from a server which is not authoritative:
> >
> > Sure enough, when querying the SOA for any of these sub-domains, only
> > my
> > AD/DC servers are listed:
> >
> > # dig @dc00 -t SOA _msdcs.ad.lasthome.solace.krynn
> > [...]
> > ;; AUTHORITY SECTION:
> > _msdcs.ad.lasthome.solace.krynn. 900 IN
> > NS      dc01.ad.lasthome.solace.krynn.
> > _msdcs.ad.lasthome.solace.krynn. 900 IN
> > NS      dc00.ad.lasthome.solace.krynn.
> >
> > So I have a few questions:
> >
> > - How do I add my bind servers as 'proper' authoritative NS servers
> > for
> > the DNS zones hosted on my AD/DC bind servers. What is the proper way
> > to
> > do this? I tried using RSAT/DNS manager and enabling 'Bind
> > secondaries'
> > but this did not work with Samba AD/DC.
> >
> > - Is it a Bad idea to do this (add bind servers as authoritative DNS
> > servers to my AD zones)? Might it break something in the future?
> >
> > All comments/ideas needed.
> >
> > Thank you,
> >
> > Vincent
> 
> Sorry to be late in replying, but you need 4 things:
> 
> To be running Samba >= 4.15.0
> 
> On the DC with the PDC_Emulator FSMO role, you have 'dns zone transfer
> clients allow = IP_OF_THE_SLAVE_DNS_SERVER' in the smb.conf
> 
> The DC is running a Bind9 dns server with 'allow-transfer {
> IP_OF_THE_SLAVE_DNS_SERVER; };' in /etc/bind/named.conf.options
> 
> Your zones in /etc/bind/named.conf.local , similar to these
> 
> zone "ad.lasthome.solace.krynn" IN {
>      type slave;
>      file "/var/cache/bind/named.KRYNN_AD";
>      masters { 10.0.131.248; };
> };
> 
> zone "_msdcs.ad.lasthome.solace.krynn" IN {
>      type slave;
>      file "/var/cache/bind/named.KRYNN_AD._msdcs";
>      masters { 10.0.131.248; };
> };
> 
> zone "0.131.10.in-addr.arpa" IN {
>      type slave;
>      file "/var/cache/bind/reverse.KRYNN_AD";
>      masters { 10.0.131.248; };
> };
> 
> Where '10.0.131.248' is the IP of the DC with the PDC_Emulator FSMO
> role. It may work with multiple DC's but I haven't tested it.
> 
> Rowland
> 
> 
> 