d tbsky
2015-Nov-15 15:49 UTC
[Samba] will bad things happen if samba4 AD not binding 127.0.0.1?
hi:
   my company has two dns servers, but samba4 internal dns forward can only forward to 1 server.
   to work around it I run dnsmasq as dns cache at 127.0.0.1 and let samba4 dns forward to 127.0.0.1.
   my smb.conf looks like:

       dns forwarder = 127.0.0.1
       interfaces = 10.1.1.1
       bind interfaces only = Yes

   with the setting samba won't bind to 127.0.0.1, so dnsmasq can use 127.0.0.1 to do the work.
   my /etc/resolv.conf points to 10.1.1.1 (samba internal dns)

   everything seems to work fine. but I want to make sure if this kind of setup is safe?
   if it is safe then I don't need to create another virtual interface just for dnsmasq.
   thanks a lot for help!!

Regards,
tbskyd
Rowland Penny
2015-Nov-15 16:04 UTC
[Samba] will bad things happen if samba4 AD not binding 127.0.0.1?
On 15/11/15 15:49, d tbsky wrote:
> hi:
>    my company has two dns servers, but samba4 internal dns forward can only
> forward to 1 server.
>    to work around it I run dnsmasq as dns cache at 127.0.0.1 and let samba4
> dns forward to 127.0.0.1.
>    my smb.conf looks like:
>
>        dns forwarder = 127.0.0.1
>        interfaces = 10.1.1.1
>        bind interfaces only = Yes
>
>    with the setting samba won't bind to 127.0.0.1, so dnsmasq can use
> 127.0.0.1 to do the work.
>    my /etc/resolv.conf points to 10.1.1.1 (samba internal dns)
>
>    everything seems to work fine. but I want to make sure if this kind of setup
> is safe?
>    if it is safe then I don't need to create another virtual interface just
> for dnsmasq.
>    thanks a lot for help!!
>
> Regards,
> tbskyd

Oh dear, somebody else getting creative with dns :-)

You do know that the internal DNS server also listens on 127.0.0.1, don't you?

If you must use something else to get two forwarders, use Bind9 instead of the internal dns server. The use of dnsmasq is not supported on a Samba AD DC.

Rowland
d tbsky
2015-Nov-15 17:29 UTC
[Samba] will bad things happen if samba4 AD not binding 127.0.0.1?
2015-11-16 0:04 GMT+08:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
> Oh dear, somebody else getting creative with dns :-)
>
> You do know that the internal DNS server also listens on 127.0.0.1, don't
> you?
>
> If you must use something else to get two forwarders, use Bind9 instead of
> the internal dns server. The use of dnsmasq is not supported on a Samba AD
> DC.
>
> Rowland

hi:
   if smb.conf only binds eth0, then the internal DNS didn't listen on 127.0.0.1. I have checked that.
   I am just worried about bad things when it is not listening on 127.0.0.1.

   and in my case I think dnsmasq is not related to samba AD DC. it is running as a dns cache, forwarding to it is just like forwarding to another dns server.
   I think I can run dnsmasq at a network interface which is not related to samba to make it absolutely safe, but I don't know if it is really necessary to do that. everything seems to work fine...

   thanks again for your information!

Regards,
tbskyd
Andrew Bartlett
2015-Nov-16 09:08 UTC
[Samba] will bad things happen if samba4 AD not binding 127.0.0.1?
On Sun, 2015-11-15 at 23:49 +0800, d tbsky wrote:
> hi:
>    my company has two dns servers, but samba4 internal dns forward
> can only
> forward to 1 server.
>    to work around it I run dnsmasq as dns cache at 127.0.0.1 and let
> samba4
> dns forward to 127.0.0.1.
>    my smb.conf looks like:
>
>        dns forwarder = 127.0.0.1
>        interfaces = 10.1.1.1
>        bind interfaces only = Yes
>
>    with the setting samba won't bind to 127.0.0.1, so dnsmasq can use
> 127.0.0.1 to do the work.
>    my /etc/resolv.conf points to 10.1.1.1 (samba internal dns)
>
>    everything seems to work fine. but I want to make sure if this kind of
> setup
> is safe?
>    if it is safe then I don't need to create another virtual interface
> just
> for dnsmasq.
>    thanks a lot for help!!

It should be OK, and seems like the best workaround so far for the lack of multiple DNS forwarders.

Samba shouldn't be making assumptions about what it is bound to beyond the 'interfaces' line with the 'bind interfaces only' setting.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
d tbsky
2015-Nov-16 09:23 UTC
[Samba] will bad things happen if samba4 AD not binding 127.0.0.1?
2015-11-16 17:08 GMT+08:00 Andrew Bartlett <abartlet at samba.org>:
> On Sun, 2015-11-15 at 23:49 +0800, d tbsky wrote:
> > hi:
> >    my company has two dns servers, but samba4 internal dns forward
> > can only
> > forward to 1 server.
> >    to work around it I run dnsmasq as dns cache at 127.0.0.1 and let
> > samba4
> > dns forward to 127.0.0.1.
> >    my smb.conf looks like:
> >
> >        dns forwarder = 127.0.0.1
> >        interfaces = 10.1.1.1
> >        bind interfaces only = Yes
> >
> >    with the setting samba won't bind to 127.0.0.1, so dnsmasq can use
> > 127.0.0.1 to do the work.
> >    my /etc/resolv.conf points to 10.1.1.1 (samba internal dns)
> >
> >    everything seems to work fine. but I want to make sure if this kind of
> > setup
> > is safe?
> >    if it is safe then I don't need to create another virtual interface
> > just
> > for dnsmasq.
> >    thanks a lot for help!!
>
> It should be OK, and seems like the best workaround so far for the lack
> of multiple DNS forwarders.
>
> Samba shouldn't be making assumptions about what it is bound to beyond
> the 'interfaces' line with the 'bind interfaces only' setting.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT
> http://catalyst.net.nz/services/samba

hi:
   thanks for the confirmation. according to the man page, there may be some programs hard-coded to 127.0.0.1 or localhost (smbpasswd). I just hope there is no such hard-coding in AD DC code.

Regards,
tbskyd
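
Added example, not part of the original thread and not Samba project code: a shell check of the listener layout the thread depends on (dnsmasq alone on 127.0.0.1:53, Samba alone on 10.1.1.1:53), run here against constructed `ss -H -lntup` output. The process names `samba` and `dnsmasq` as reported by `ss`, the sample PIDs and the function names are assumptions.

```sh
#!/bin/sh
# Added example. Input is `ss -H -lntup` text: Netid State Recv-Q Send-Q Local Peer Process.
# Process names "samba" and "dnsmasq" are assumed to be what ss reports on the host.

# port53_owners ADDR: read ss output on stdin, print the unique process names
# listening on ADDR:53. A wildcard bind (0.0.0.0 or *) counts as covering ADDR.
port53_owners() {
    awk -v want="$1" '
        {
            n = split($5, parts, ":")
            port = parts[n]
            addr = substr($5, 1, length($5) - length(port) - 1)
            if (port != "53") next
            if (addr != want && addr != "0.0.0.0" && addr != "*") next
            # Process column looks like users:(("dnsmasq",pid=812,fd=4))
            if (match($0, /\(\("[^"]+"/))
                print substr($0, RSTART + 3, RLENGTH - 4)
            else
                print "unknown"   # ss run without root shows no process
        }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# check_split_dns SS_TEXT: succeed only if dnsmasq alone owns 127.0.0.1:53
# and samba alone owns 10.1.1.1:53 (the addresses used in the thread).
check_split_dns() {
    lo=$(printf '%s\n' "$1" | port53_owners 127.0.0.1)
    lan=$(printf '%s\n' "$1" | port53_owners 10.1.1.1)
    [ "$lo" = "dnsmasq" ] && [ "$lan" = "samba" ]
}

# Constructed sample: "bind interfaces only = Yes" in effect.
GOOD='udp UNCONN 0 0 127.0.0.1:53 0.0.0.0:* users:(("dnsmasq",pid=812,fd=4))
tcp LISTEN 0 32 127.0.0.1:53 0.0.0.0:* users:(("dnsmasq",pid=812,fd=5))
udp UNCONN 0 0 10.1.1.1:53 0.0.0.0:* users:(("samba",pid=901,fd=40))
tcp LISTEN 0 10 10.1.1.1:53 0.0.0.0:* users:(("samba",pid=901,fd=41))
tcp LISTEN 0 10 10.1.1.1:389 0.0.0.0:* users:(("samba",pid=905,fd=30))'

# Constructed sample: samba bound to the wildcard address, so it also covers 127.0.0.1:53.
BAD='udp UNCONN 0 0 0.0.0.0:53 0.0.0.0:* users:(("samba",pid=901,fd=40))
udp UNCONN 0 0 127.0.0.1:53 0.0.0.0:* users:(("dnsmasq",pid=812,fd=4))'

for name in GOOD BAD; do
    eval "text=\$$name"
    if check_split_dns "$text"; then echo "$name: layout OK"
    else echo "$name: port 53 ownership is not as intended"; fi
done
# Live host (as root): check_split_dns "$(ss -H -lntup)"
```

Re-running the check after a Samba or dnsmasq upgrade or an smb.conf change shows whether either daemon has started listening on the other's address.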