[Samba] AD/DNS: Cannot Create a CNAME record with a blank name...

Peter Milesson miles at atmos.eu
Sat Oct 12 17:53:45 UTC 2024
On 12.10.2024 18:20, John R. Graham via samba wrote:
> On 10/12/24 03:50, Rowland Penny via samba wrote:
>> ...
>> The thing is, your AD domain shouldn't be accessible externally, so
>> what is the 'certain internal server' you need to access ?
>> ...
>
> I would have thought that this was an entirely natural state of 
> affairs, specifically that carefully chosen machines which publish 
> services to the Internet at large would also naturally be part of my 
> organization and thus exist within the AD domain. What would be the 
> "best practice" structure? Some sort of DMZ? Resolved with my external 
> domain registrar?
>
> As a side note, the speed and quality of the answers I get on this 
> list has made me feel obliged to set up a monthly donation, which I 
> have now done. Thanks so much for what you do.
>
> - John
>
>
>
Hi John,

I would probably have solved your problem a bit differently with a 
"router on a stick" solution. Some cheap home routers don't know how to 
do this, however. I'm using this in combination with the services 
described below.

I have got a few servers with services exposed to the outside world. 
Those services have got their official internet names (for example 
www.company.eu, smtp.company.eu). The servers servicing requests have 
got completely different internal names, and only the specific services 
are publicly exposed. In the simplest case, it's just a matter of port 
forwarding in the router to the appropriate server (for example incoming 
SMTP).

In case of services particularly vulnerable to attacks (web), I use a 
transparent proxy on its own VLAN in between. That VLAN is completely 
isolated from everything else, and any attacker will be stopped cold at 
the proxy. The web service is publicly exposed on the router, then all 
web traffic is forwarded to the external proxy interface on the server. 
The proxy server then sends valid requests to the actual web server 
through its internal interface. The bad guys frequently test web servers 
by just making several connections at once (let's say 5 - 10). Just 
imagine that an attacker sends 50,000 connection requests per second 
from different addresses. Those connections just stop at the transparent 
proxy and are not transferred to the actual web server. I have also set 
a limit of 3 connections per 5 seconds from one address in the router 
firewall. Anything in excess, and the IP address will be blocked for 
some time.

Hosted servers pose particular problems. Here too it's possible to use 
transparent proxies (for example a transparent proxy receiving all 
incoming requests and forwarding valid ones to the actual server). But 
the firewall on the hosted server must be absolutely tight: 
administrative traffic only from fixed public IP addresses, and 
non-essential traffic completely blocked.

I have a hard time imagining how you intend to use the capability you 
request. Use the router efficiently, set up firewall and forwarding rules 
and just expose those ports, forwarding valid requests to their 
respective servers. If your budget is tight and your bandwidth 
requirements are modest, you could set up a cheap Linux PC with a few 
virtual machines (KVM, Xen, Proxmox) that take care of things 
efficiently. However, you need a router that can implement the "router 
on a stick" functionality.

And the DMZ stuff is just mumbo jumbo, sales department terminology IMHO.

Hope this gives you some more ideas on how to solve the problem.

Best regards,

Peter
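The per-address limit Peter describes above (3 new connections per 5 seconds from one address, then the address is blocked for a while) is enforced by the router firewall. The following is an added example, not code from the Samba list or from Peter's setup: a small Python model of that policy, run over a constructed stream of connection attempts, so that the window and ban edge cases (a fourth connection inside the window, a slower client that never trips the limit, the ban expiring) can be checked offline. The 10-minute ban length, the sample addresses (RFC 5737 documentation ranges) and the iptables "recent" rules quoted in the comment as one way to express the same policy are assumptions, not Peter's actual configuration.

```python
# Added example (not code from the Samba list or from Peter's router): a
# simulation of the policy "3 new connections per 5 seconds from one address,
# anything in excess gets the address blocked for some time". Thresholds,
# the 10-minute ban and the sample addresses are assumptions.
#
# One way to express the same policy with the iptables "recent" match
# (assumed equivalent, not the post's actual rules):
#   iptables -N WEB_NEW
#   iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j WEB_NEW
#   iptables -A WEB_NEW -m recent --name banned --rcheck --seconds 600 -j DROP
#   iptables -A WEB_NEW -m recent --name web --set
#   iptables -A WEB_NEW -m recent --name web --rcheck --seconds 5 --hitcount 4 \
#       -m recent --name banned --set -j DROP
from collections import defaultdict, deque

ACCEPT = "ACCEPT"
DROP_LIMIT = "DROP_LIMIT"    # one connection too many inside the window: ban starts
DROP_BANNED = "DROP_BANNED"  # source is inside an active ban


class ConnectionLimiter:
    """Sliding-window limiter: at most max_conns new connections per window
    seconds from one source address; exceeding it bans the source for
    ban_seconds. Time is passed in explicitly so the model is deterministic."""

    def __init__(self, max_conns=3, window=5.0, ban_seconds=600.0):
        self.max_conns = max_conns
        self.window = window
        self.ban_seconds = ban_seconds
        self._hits = defaultdict(deque)  # src -> timestamps of accepted connections
        self._banned_until = {}          # src -> time at which the ban expires

    def is_banned(self, src, now):
        until = self._banned_until.get(src)
        if until is None:
            return False
        if now < until:
            return True
        del self._banned_until[src]      # ban expired: forget it
        return False

    def new_connection(self, src, now):
        """Decide what happens to a new connection from src at time now."""
        if self.is_banned(src, now):
            return DROP_BANNED
        hits = self._hits[src]
        # Drop timestamps that have fallen out of the window (oldest first).
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.max_conns:
            # This would be connection number max_conns + 1 inside the window.
            self._banned_until[src] = now + self.ban_seconds
            hits.clear()
            return DROP_LIMIT
        hits.append(now)
        return ACCEPT


def replay(events, limiter=None):
    """Run (time, src) events through a limiter; returns [(time, src, decision)]."""
    limiter = limiter or ConnectionLimiter()
    return [(t, src, limiter.new_connection(src, t)) for t, src in events]


# Constructed event stream: 203.0.113.7 opens a connection every second (the
# scanner pattern from the post), 198.51.100.9 is a slower legitimate client.
CONSTRUCTED_EVENTS = [
    (0.0, "203.0.113.7"),    # 1st in window -> ACCEPT
    (1.0, "203.0.113.7"),    # 2nd -> ACCEPT
    (2.0, "203.0.113.7"),    # 3rd -> ACCEPT
    (3.0, "203.0.113.7"),    # 4th within 5 s -> DROP_LIMIT, banned until t=603
    (3.5, "198.51.100.9"),   # other client, unaffected -> ACCEPT
    (4.0, "203.0.113.7"),    # still banned -> DROP_BANNED
    (5.5, "198.51.100.9"),   # ACCEPT
    (7.5, "198.51.100.9"),   # ACCEPT
    (9.0, "198.51.100.9"),   # hit at 3.5 has aged out of the window -> ACCEPT
    (602.0, "203.0.113.7"),  # one second before the ban ends -> DROP_BANNED
    (603.0, "203.0.113.7"),  # ban expired, window empty -> ACCEPT
]

if __name__ == "__main__":
    for t, src, decision in replay(CONSTRUCTED_EVENTS):
        print(f"t={t:6.1f}  {src:14}  {decision}")
```

Note that the ban in this model (and in the iptables variant with --rcheck) expires a fixed time after it was set, regardless of how often the banned source keeps knocking; using --update instead of --rcheck on the banned list would extend the ban on every attempt, which is harsher on a persistent scanner but also keeps a shared NAT address locked out for as long as anyone behind it retries.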