Nico Kadel-Garcia
2016-Aug-09 11:40 UTC
[Samba] BIND as DNS Slave of SAMBA 4 Internal DNS and Windows 2008
On Mon, Aug 8, 2016 at 5:49 AM, Stefan Kania <stefan at kania-online.de> wrote:
> you should set up a dns-proxy and use this proxy as forwarder in your
> domains

Really, really not the same thing as a DNS slave. If your DNS master, such as your Samba or AD server, goes toes up for whatever reason, the DNS slave can continue to serve the same domains until the DNS zones expire. Most admins I've encountered set that SOA record to be roughly a day, or 86400 seconds, to allow time for recovery or maintenance.

A DNS forwarder is basically a proxy on port 57, possibly with some local tweaks to the DNS. And if I run into *one more so-called DNS forwarder* that is used to write internal IP addresses instead of external IP addresses for the same hostname when seen from inside a network, instead of doing DNS view properly, I'm going to be very cross indeed.

DNS slaves have big advantages for security: they can host only the DNS, without any LDAP or Kerberos access, and be installed much more safely in a de-militarized zone to serve specific needs without any need for anything but port 53 access to the relevant Samba server.

They also provide the opportunity to take copies of the slaved zones, run them through "mkrdns" to publish and verify reverse DNS records, run them through "named-compilezone" for completely consistent format, and store them in source control to be able to track changes.

In this case, you could set up the slaves with NS records for the relevant domains, just for clarity of provenance, and point the local hosts to the *slaves* instead of directly to AD or Samba servers. This avoids the integration complexities of AD or Samba "forests" and making the servers talk to each other in any way but as DNS services.

And if your Samba environment is under active development, or your AD server is getting regular updates that require reboots, you're reliant on a much less expensive and much more easily maintained 24x7 service on slave DNS servers.

Been there, done that, published my notes on getting this kind of setup into source control under Subversion at SVNDay in Berlin some years back. The title was "Subverting Masters and Slaves, Putting Them in Cages, and Making Them Report Names and Addresses". The title reflected that the setup was also in chroot cages and using BIND and Subversion. The approach is still useful, even with git and Samba based DNS servers.

> On 08.08.2016 at 08:20, bentunx wrote:
>> hi guys
>>
>> i need some advice for my case that i faced here..
>>
>> i have Two AD with two different domain, platform and network :
>>
>> i expect all user in different domain can resolve the other domain dns
>>
>> let say 1. domainwin.com
>> windows 2008 AD
>> 172.16.1.2
>>
>> 2. domainnux.com
>> Samba 4 AD
>> 172.16.2.2
>>
>> is it possible if i create 1 new BIND DNS Server in 172.16.3.2 (different network) that work as slave DNS of domainwin.com/172.16.1.2 and domainnux.com/172.16.2.2 then i make new DNS BIND SERVER (172.16.3.2) as DNS forwarder in AD domainwin.com and AD domainnux.com ?
>>
>> TIA
>>
>> Zhia Chandra
>
> --
> Stefan Kania
mathias dufresne
2016-Aug-10 08:17 UTC
[Samba] BIND as DNS Slave of SAMBA 4 Internal DNS and Windows 2008
As explained in some other thread here, you can set up a Bind server with zones of type forward, so that DNS server forwards every request to your DCs (declared as forwarders in these zones).

No need for a proxy, no need to build master/slaves, just add:

    zone "domainwin.com" IN {
        type forward;
        forward only;
        forwarders {
            <IP of some DC in that domain>;
            <IP of some other DC in that domain>;
            ...
        };
    };

Do the same for domainnux.com, use that DNS server as resolver, and your clients will access both domains.
Add forwarding and recursion on that server and your clients will have access to the internet.

2016-08-09 13:40 GMT+02:00 Nico Kadel-Garcia <nkadel at gmail.com>:
> [...]
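As an added example that is not from any of the posters, here is a named.conf excerpt for the asker's BIND host at 172.16.3.2 that puts the two approaches from this thread side by side: Nico's secondary ("slave") copy of the Windows domain zone, and mathias's forward-only zone for the Samba domain. The domain names and DC addresses come from the original question; the upstream resolver address, file paths and the 172.16.0.0/16 client range are assumptions.

```conf
// Added example, not from the thread: named.conf excerpt for the BIND
// resolver at 172.16.3.2 serving clients of both AD domains.
options {
    directory "/var/named";            // assumed path
    listen-on { 172.16.3.2; };
    // Only the internal networks may query and recurse through this host.
    allow-query     { 172.16.0.0/16; localhost; };   // assumed client range
    allow-recursion { 172.16.0.0/16; localhost; };
    recursion yes;
    // Anything not matched by a zone below goes to an upstream resolver so
    // clients also get Internet names (address is a placeholder).
    forwarders { 192.0.2.53; };
    forward first;
};

// Approach 1 (Nico): a secondary ("slave") copy of the Windows AD zone.
// Needs only port 53 from this host to the DC, and the DC must permit
// zone transfers (AXFR) to 172.16.3.2. Once copied, the zone keeps being
// served after the DC goes down until the SOA expire timer runs out
// (Nico's rule of thumb: about 86400 s).
zone "domainwin.com" IN {
    type slave;                         // "type secondary" on BIND 9.16+
    masters { 172.16.1.2; };            // "primaries" on BIND 9.16+
    file "slaves/domainwin.com.db";
    allow-transfer { none; };           // do not re-export the zone copy
    notify no;
};

// Approach 2 (mathias): a forward-only zone. No local copy and no AXFR,
// so the DC's dynamic updates are always authoritative, but names in this
// domain stop resolving while every listed DC is unreachable.
zone "domainnux.com" IN {
    type forward;
    forward only;
    forwarders { 172.16.2.2; };
};
```

Both AD products keep _msdcs.<domain> as a separate zone by default, so it needs its own zone stanza of the same type. The Samba internal DNS server does not answer AXFR, so the zone-copy approach on the Samba side requires the DC to run the BIND9_DLZ back end.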
bentunx
2016-Aug-10 11:32 UTC
[Samba] BIND as DNS Slave of SAMBA 4 Internal DNS and Windows 2008
Great, Mathias, and thanks a lot to the others who gave feedback. Let me try it first..

On 10/08/2016 15:17, mathias dufresne via samba wrote:
> [...]