Scott Goodwin
2013-Oct-08 17:23 UTC
[Samba] Multiple A records on my parent domain name are confusing hosts
I'm using Samba 4.0.9, Bind 9.9.4 w/ dlz

My domain is example.com
My Samba4 server is myserver.example.com
myserver has two nics: 10.10.10.5 and 192.168.10.2
My externally hosted web site is www.example.com, and is hosted at 123.123.123.123
I have an A and CNAME in DNS like so:

@ A 123.123.123.123
www CNAME example.com.

The above allows internal web browsers to access the external site via www.example.com or example.com. This works great.

The problem is that every ten minutes when Samba's dns update happens, it keeps putting the following two entries in, which points internal hosts to the dns server, instead of the externally hosted web site:

@ A 10.10.10.5
@ A 192.168.10.2

Why do these keep showing up? I'm sure there is a place that the info is coming from, but I don't know where, and I desperately need to prevent this from happening. I mean, don't get me wrong, I realize what the records mean, but what I'm trying to do is prevent them from repopulating and preventing my internal hosts from browsing the web site. I didn't have this problem when I could edit the bind files directly, but now that I'm using bind_dlz for samba, I'm a little lost.

Thanks!
Andrew Bartlett
2013-Oct-11 19:24 UTC
[Samba] Multiple A records on my parent domain name are confusing hosts
On Tue, 2013-10-08 at 10:23 -0700, Scott Goodwin wrote:
> I'm using Samba 4.0.9, Bind 9.9.4 w/ dlz
>
> My domain is example.com
> My Samba4 server is myserver.example.com
> myserver has two nics: 10.10.10.5 and 192.168.10.2
> My externally hosted web site is www.example.com, and is hosted at
> 123.123.123.123
> I have an A and CNAME in DNS like so:
>
> @ A 123.123.123.123
> www CNAME example.com.
>
> The above allows internal web browsers to access the external site via
> www.example.com or example.com. This works great.
>
> The problem is that every ten minutes when Samba's dns update happens, it
> keeps putting the following two entries in, which points internal hosts to
> the dns server, instead of the externally hosted web site:
> @ A 10.10.10.5
> @ A 192.168.10.2
>
>
> Why do these keep showing up? I'm sure there is a place that the info is
> coming from, but I don't know where, and I desperately need to prevent this
> from happening. I mean, don't get me wrong, I realize what the records
> mean, but what I'm trying to do is prevent them from repopulating and
> preventing my internal hosts from browsing the web site. I didn't have
> this problem when I could edit the bind files directly, but now that I'm
> using bind_dlz for samba, I'm a little lost.

The issue is that Samba controls that name, and tries to set it to match the network interfaces of the DC, because AD clients may (few actually do, in this specific case) use this name to find a DC. See dns_update_list.

I suggest breaking the CNAME and not using example.com to find your website internally.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
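An added example, not part of the thread and not Samba code: it shows why `www` breaks along with the bare domain (the CNAME inherits whatever A records sit at the zone apex) and what changes once `www` no longer points at the apex. The zone text is constructed from the records quoted in the thread; the `AFTER` zone is an assumption about one way to apply the "break the CNAME" suggestion (giving `www` its own A record), and all function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

ORIGIN = "example.com."

# Constructed zone contents, in the "name type value" form used in the thread,
# as they look after Samba's periodic DNS update has re-added the DC addresses.
BEFORE = """\
@    A      123.123.123.123
@    A      10.10.10.5
@    A      192.168.10.2
www  CNAME  example.com.
"""

# Assumption: "breaking the CNAME" applied by giving www its own A record.
AFTER = BEFORE.replace("www  CNAME  example.com.", "www  A      123.123.123.123")

def fqdn(name, origin=ORIGIN):
    """Expand '@' and relative names against the zone origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse(text, origin=ORIGIN):
    """Return {owner: {rtype: [values]}} from 'name type value' lines."""
    zone = defaultdict(lambda: defaultdict(list))
    for line in text.strip().splitlines():
        name, rtype, value = line.split()
        if rtype == "CNAME":
            value = fqdn(value, origin)
        zone[fqdn(name, origin)][rtype].append(value)
    return zone

def resolve_a(zone, name, depth=0):
    """Follow CNAMEs inside the zone and return the A RRset a client would get."""
    if depth > 8:
        raise ValueError("CNAME loop")
    rrsets = zone.get(name, {})
    if rrsets.get("CNAME"):
        return resolve_a(zone, rrsets["CNAME"][0], depth + 1)
    return sorted(rrsets.get("A", []))

def mixed(addresses):
    """True when an RRset mixes private (RFC 1918) and public addresses."""
    private = {ipaddress.ip_address(a).is_private for a in addresses}
    return private == {True, False}
```

With `BEFORE`, `www.example.com.` resolves to all three apex addresses; with `AFTER`, it resolves only to the web host, while the bare `example.com.` still carries the DC addresses that Samba maintains.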