[Samba] AD/DNS: Cannot Create a CNAME record with a blank name...
Peter Milesson
miles at atmos.eu
Sat Oct 12 17:53:45 UTC 2024
On 12.10.2024 18:20, John R. Graham via samba wrote:
> On 10/12/24 03:50, Rowland Penny via samba wrote:
>> ...
>> The thing is, your AD domain shouldn't be accessible externally, so
>> what is the 'certain internal server' you need to access ?
>> ...
>
> I would have thought that this was an entirely natural state of
> affairs, specifically that carefully chosen machines which publish
> services to the Internet at large would also naturally be part of my
> organization and thus exist within the AD domain. What would be the
> "best practice" structure? Some sort of DMZ? Resolved with my external
> domain registrar?
>
> As a side note, the speed and quality of the answers I get on this
> list has made me feel obliged to set up a monthly donation, which I
> have now done. Thanks so much for what you do.
>
> - John
>
Hi John,
I would probably have solved your problem a bit differently with a
"router on a stick" solution. Some cheap home routers don't know how to
do this, however. I'm using this in combination with the services
described below.
I have got a few servers with services exposed to the outside world.
Those services have got their official internet names (for example
www.company.eu, smtp.company.eu). The servers servicing requests have
got completely different internal names and only the specific services
publicly exposed. In the simplest case, it's just a matter of port
forwarding in the router to the appropriate server (for example incoming
SMTP).
In case of services particularly vulnerable to attacks (web), I use a
transparent proxy on its own VLAN in between. That VLAN is completely
isolated from everything else, and any attacker will be stopped cold at
the proxy. The web service is publicly exposed on the router, then all
web traffic is forwarded to the external proxy interface on the server.
The proxy server then sends valid requests to the actual web server
through its internal interface. The bad guys frequently test web servers
by just making several connections at once (let's say 5 - 10). Just
imagine that an attacker sends 50,000 connection requests per second
from different addresses. Those connections just stop at the transparent
proxy and are not transferred to the actual web server. I have also set
a limit of 3 connections per 5 seconds from one address in the router
firewall. Anything in excess, and the IP-address will be blocked for
some time.
Hosted servers pose particular problems. Here too it's possible to use
transparent proxies (for example a transparent proxy receiving all
incoming requests and forwarding valid ones to the actual server). But
the firewall on the hosted server must be absolutely tight.
Administrative traffic only from fixed public IP-addresses, and
non-essential traffic completely blocked.
I have a hard time imagining how you intend to use the capability you
request. Use the router efficiently, set up firewall and forwarding rules
and just expose those ports, forwarding valid requests to their
respective servers. If your budget is tight and your bandwidth
requirements are modest, you could set up a cheapo Linux PC with a few
virtual machines (KVM, Xen, ProxMox) that take care of things
efficiently. However, you need a router that can implement the "router
on a stick" functionality.
And the DMZ stuff is just mumbo jumbo, sales department terminology IMHO.
Hope you got some more ideas on how to solve the problem.
Best regards,
Peter
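The per-address connection limit Peter describes (at most 3 new connections per 5 seconds from one address, anything in excess blocked for a while) is easy to get subtly wrong, so here it is simulated offline. This is an added example for this thread, not code from the original poster or from the Samba project. The 60-second block length, the source addresses and the connection timestamps are constructed assumptions used only to exercise the policy.

```python
"""Simulate a per-source-address new-connection rate limit with a temporary block.

Policy (from the mailing-list post): at most MAX_NEW_CONNS new connections
per WINDOW_SECONDS from one address; on excess, the address is blocked.
BLOCK_SECONDS is an assumed value for "blocked for some time".
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 5.0    # sliding window length from the post
MAX_NEW_CONNS = 3       # new connections allowed inside one window
BLOCK_SECONDS = 60.0    # assumed block duration (not stated in the post)


class PerSourceRateLimiter:
    """Sliding-window limiter keyed on source address, with a block timeout."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_NEW_CONNS, block=BLOCK_SECONDS):
        self.window = window
        self.limit = limit
        self.block = block
        self._recent = defaultdict(deque)   # src -> timestamps of admitted new connections
        self._blocked_until = {}            # src -> time at which the block expires

    def admit(self, src, now):
        """Return True if a new connection from `src` at time `now` is admitted."""
        until = self._blocked_until.get(src)
        if until is not None:
            if now < until:
                return False                # still blocked: drop without counting
            del self._blocked_until[src]    # block expired: start afresh
        q = self._recent[src]
        # Forget admitted connections that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            # Limit exceeded: block the address and drop this connection.
            self._blocked_until[src] = now + self.block
            q.clear()
            return False
        q.append(now)
        return True

    def blocked(self, now):
        """Addresses whose block is still active at time `now`."""
        return sorted(s for s, t in self._blocked_until.items() if now < t)


def replay(events):
    """Feed (timestamp, src) events through a fresh limiter in time order.

    Returns a per-source summary of admitted and dropped new connections.
    """
    limiter = PerSourceRateLimiter()
    summary = defaultdict(lambda: {"admitted": 0, "dropped": 0})
    for ts, src in sorted(events, key=lambda e: e[0]):
        key = "admitted" if limiter.admit(src, ts) else "dropped"
        summary[src][key] += 1
    return dict(summary)


# Constructed sample traffic (addresses from RFC 5737 documentation ranges):
# a normal visitor opening 3 connections, then one more after the window,
# and a scanner opening 20 connections in two seconds, retrying later.
EVENTS = (
    [(0.0, "10.0.0.5"), (1.0, "10.0.0.5"), (2.0, "10.0.0.5"), (6.0, "10.0.0.5")]
    + [(0.1 * i, "203.0.113.9") for i in range(20)]
    + [(30.0, "203.0.113.9"), (61.0, "203.0.113.9")]
)

if __name__ == "__main__":
    for src, counts in replay(EVENTS).items():
        print(f"{src:15} admitted={counts['admitted']:3} dropped={counts['dropped']:3}")
```

The normal visitor's fourth connection at t=6 is admitted because its earlier ones have left the 5-second window, while the scanner's fourth connection triggers the block and everything it sends until the block expires is dropped without ever reaching the web server. On a Linux router the same policy is usually expressed with the iptables `recent` match (`--seconds 5 --hitcount 4`) or an nftables dynamic set with a timeout; which one applies depends on the router, so that part is left as an assumption here.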