Ken McDonald
2018-Feb-13 20:07 UTC
[Samba] Which DNS to use for DHCP hostname/IP updates from non-AD & AD nodes?
I am considering which DNS implementation to use and cannot determine exactly when someone should use the Bind9 manner with the BIND9_DLZ module.

For my purposes, I will have AD and non-AD nodes on the network using either DHCP or static IP addresses. Some will be Windows & Linux clients joined on the Samba AD domain for logins. Some will be Windows & Linux clients that are standalone using either DHCP or static IP.

How should I best support this environment as I move to a single AD domain setup with Samba4? I don't need to migrate anything.

In the past, I have supported this arrangement by using DHCP to update DNS (Bind9), which worked great for hostnames (reported from clients) and IP addresses (allocated from the DHCP server).

I've read through these wikis but cannot determine how to choose.

https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End
https://wiki.samba.org/index.php/Samba_Internal_DNS_Back_End
https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

My questions are:

1) Which DNS implementation should I use?

2) Will I be able to have the non-AD devices register their hostnames and IP addresses in the same domain that Samba AD is using? (Mine will be the recommended subdomain.domain.com and I'd like all DNS entries for AD and non-AD to be in the subdomain.)

Thanks
lingpanda101
2018-Feb-13 20:39 UTC
[Samba] Which DNS to use for DHCP hostname/IP updates from non-AD & AD nodes?
On 2/13/2018 3:07 PM, Ken McDonald via samba wrote:
> I am considering which DNS implementation to use and cannot determine exactly when someone should use the Bind9 manner with the BIND9_DLZ module.
>
> For my purposes, I will have AD and non-AD nodes on the network using either DHCP or static IP addresses. Some will be Windows & Linux clients joined on the Samba AD domain for logins. Some will be Windows & Linux clients that are standalone using either DHCP or static IP.
>
> How should I best support this environment as I move to a single AD domain setup with Samba4? I don't need to migrate anything.
>
> In the past, I have supported this arrangement by using DHCP to update DNS (Bind9), which worked great for hostnames (reported from clients) and IP addresses (allocated from the DHCP server).
>
> I've read through these wikis but cannot determine how to choose.
>
> https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End
> https://wiki.samba.org/index.php/Samba_Internal_DNS_Back_End
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
>
> My questions are:
>
> 1) Which DNS implementation should I use?
>
> 2) Will I be able to have the non-AD devices register their hostnames and IP addresses in the same domain that Samba AD is using? (Mine will be the recommended subdomain.domain.com and I'd like all DNS entries for AD and non-AD to be in the subdomain.)
>
> Thanks

Will your DHCP server be the one to register the clients' DNS names and IPs? If so I vote to go with Bind. It's not difficult to switch between the internal and Bind if you want to change in the future.

As far as clients not associated to the domain and registering their IPs and names: not sure if the DHCP server can be authoritative for them. In the past I have used the internal and let the clients update their own IPs and names with nonsecure DNS updates. I would advise against it though.

--
James
Ken McDonald
2018-Feb-13 23:55 UTC
[Samba] Which DNS to use for DHCP hostname/IP updates from non-AD & AD nodes?
With Linux DHCP + Bind it was possible to have the DHCP server dynamically update Bind as new clients appeared. I don't need the clients themselves updating DNS records directly.

For those few nodes using static IP addresses and not on the AD domain, I'm fine with having to manually enter their A/PTR records into the DNS database.

IIRC a normal MS Windows AD DC allows nodes that are joined to the AD domain and have static IP addresses to register with DNS automagically because they are trusted.

Really I just need the DHCP to give out IPs and somehow have those nodes resolve by name through DNS. How that happens is totally flexible. I need to support nodes on the AD domain and those that are standalone.

On 02/13/2018 03:39 PM, lingpanda101 via samba wrote:
> On 2/13/2018 3:07 PM, Ken McDonald via samba wrote:
>> I am considering which DNS implementation to use and cannot determine exactly when someone should use the Bind9 manner with the BIND9_DLZ module.
>>
>> For my purposes, I will have AD and non-AD nodes on the network using either DHCP or static IP addresses. Some will be Windows & Linux clients joined on the Samba AD domain for logins. Some will be Windows & Linux clients that are standalone using either DHCP or static IP.
>>
>> How should I best support this environment as I move to a single AD domain setup with Samba4? I don't need to migrate anything.
>>
>> In the past, I have supported this arrangement by using DHCP to update DNS (Bind9), which worked great for hostnames (reported from clients) and IP addresses (allocated from the DHCP server).
>>
>> I've read through these wikis but cannot determine how to choose.
>>
>> https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End
>> https://wiki.samba.org/index.php/Samba_Internal_DNS_Back_End
>> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
>>
>> My questions are:
>>
>> 1) Which DNS implementation should I use?
>>
>> 2) Will I be able to have the non-AD devices register their hostnames and IP addresses in the same domain that Samba AD is using? (Mine will be the recommended subdomain.domain.com and I'd like all DNS entries for AD and non-AD to be in the subdomain.)
>>
>> Thanks
>
> Will your DHCP server be the one to register the clients' DNS names and IPs? If so I vote to go with Bind. It's not difficult to switch between the internal and Bind if you want to change in the future.
>
> As far as clients not associated to the domain and registering their IPs and names: not sure if the DHCP server can be authoritative for them. In the past I have used the internal and let the clients update their own IPs and names with nonsecure DNS updates. I would advise against it though.
Denis Cardon
2018-Feb-14 10:59 UTC
[Samba] Which DNS to use for DHCP hostname/IP updates from non-AD & AD nodes?
Hi Ken,

> I am considering which DNS implementation to use and cannot determine exactly when someone should use the Bind9 manner with the BIND9_DLZ module.
>
> For my purposes, I will have AD and non-AD nodes on the network using either DHCP or static IP addresses. Some will be Windows & Linux clients joined on the Samba AD domain for logins. Some will be Windows & Linux clients that are standalone using either DHCP or static IP.
>
> How should I best support this environment as I move to a single AD domain setup with Samba4? I don't need to migrate anything.
>
> In the past, I have supported this arrangement by using DHCP to update DNS (Bind9), which worked great for hostnames (reported from clients) and IP addresses (allocated from the DHCP server).
>
> I've read through these wikis but cannot determine how to choose.
>
> https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End
> https://wiki.samba.org/index.php/Samba_Internal_DNS_Back_End
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
>
> My questions are:
>
> 1) Which DNS implementation should I use?

If you have a domain with more than a few dozen boxes, you definitely should go with Bind-DLZ. Bind-DLZ samba module integration is ugly (to say the least); it needs to allow direct LDB file access for the Bind9 process... Andreas did underline that during his talk at FOSDEM, and I totally agree with him that it is really ugly. And Bind-DLZ configuration is really not straightforward to set up.

But for larger networks, internal DNS unfortunately does not scale well since it does no caching, and its configuration options are barely minimal.

Currently, enabling Bind-DLZ gives the bind9 process RW access to all the samba LDB files (the equivalent of NTDS.DIT if you come from the MSAD world) without any filtering, so it has access to all NTLM hashes, all Kerberos hashes, and the krbtgt account. So if you have a compromise of the Bind9 process, it could escalate directly to full domain compromise. It also prevents enabling any SELinux configuration on the DC.

There has been some mail about this isolation issue. The solution would be to use standard LDAP access between the Bind9 and Samba processes. It would resolve the issue (and make installation much simpler). I hope we could get some financing in the future to clean that up.

> 2) Will I be able to have the non-AD devices register their hostnames and IP addresses in the same domain that Samba AD is using? (Mine will be the recommended subdomain.domain.com and I'd like all DNS entries for AD and non-AD to be in the subdomain.)

In an AD domain, all automatic DNS registration is authenticated. A Windows client can only register its own name. If you allow registration through DHCP query/offer, then a rogue client can register any name, which is definitely a security issue (WPAD/ISATAP anyone?).

Cheers,

Denis

> Thanks

--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil.it
Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
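One way to keep the DHCP-driven registration Ken wants while closing the hole Denis describes, as an added example that is not from this thread and not Samba's or ISC's code: a filter that sits between a lease commit and nsupdate, refuses the reserved names (WPAD, ISATAP) and malformed labels, and lets a name be re-registered only by the DHCP client that first claimed it, mirroring the "a client can only register its own name" rule of authenticated AD updates. The LeaseEvent fields, the ownership map and the TSIG key path are assumptions, not isc-dhcp or BIND internals.

```python
import re
from dataclasses import dataclass, field

# Names a client must never be allowed to claim through DHCP; WPAD and
# ISATAP are the two the thread names. Extend the set for your environment.
RESERVED_NAMES = {"wpad", "isatap"}

# One DNS label: letters, digits, hyphen; no leading/trailing hyphen; <= 63 chars.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


@dataclass
class LeaseEvent:          # constructed shape, not isc-dhcp's own lease object
    client_id: str         # DHCP client identifier, e.g. the MAC address
    hostname: str          # hostname the client sent (DHCP option 12)
    ip: str                # address the DHCP server allocated


@dataclass
class Registrar:
    zone: str                                   # e.g. "subdomain.domain.com"
    owners: dict = field(default_factory=dict)  # name -> client_id that registered it

    def check(self, ev):
        """Return (allowed, reason). A client may only (re)register a name it
        registered itself, mirroring the per-client rule of authenticated AD updates."""
        name = ev.hostname.strip().lower().rstrip(".")
        if "." in name:
            return False, "FQDN supplied; only a single label is accepted"
        if not LABEL_RE.match(name):
            return False, "hostname is not a valid DNS label"
        if name in RESERVED_NAMES:
            return False, f"'{name}' is a reserved name"
        owner = self.owners.get(name)
        if owner is not None and owner != ev.client_id:
            return False, f"'{name}' is already owned by {owner}"
        return True, ""

    def nsupdate_script(self, ev):
        """nsupdate batch for an allowed event (to be piped into `nsupdate -k <tsig key>`),
        or None when the event is rejected and nothing must reach DNS."""
        ok, _ = self.check(ev)
        if not ok:
            return None
        name = ev.hostname.strip().lower().rstrip(".")
        self.owners[name] = ev.client_id
        fqdn = f"{name}.{self.zone}."
        return "\n".join([f"zone {self.zone}.", f"update delete {fqdn} A",
                          f"update add {fqdn} 3600 A {ev.ip}", "send"])
```

The ownership map lives only in memory here; a real deployment would persist it alongside the leases file so a restart does not let a second client take over an existing name.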
Ken McDonald
2018-Feb-14 12:54 UTC
[Samba] Which DNS to use for DHCP hostname/IP updates from non-AD & AD nodes?
I suspected something odd and possibly too invasive was being done by the BIND9_DLZ module, especially because of the need to relax AppArmor on Ubuntu. Resolving that security problem really should be a development priority, but I also realize it's a resource and time issue. I suppose because it is not a direct security vulnerability and would require Bind9 to be compromised there is faith it won't happen in most cases.

Regarding the DHCP/DNS and rogue clients, I suppose I hadn't factored that in even though I've been using a similar configuration for years. I was using it so there was automatic availability on the network of simple devices by hostname, like Cisco switches and random VMs spun up for testing. As bad as the implementation is, the MS world has that nice NETBIOS broadcast thingy that I believe generally lets you find non-AD-joined Windows clients on the same subnet. I was looking for the same functionality from non-Windows network nodes.

Guess I'll look into either another layer of security that accomplishes the goal without allowing rogue malicious DHCP/DNS attacks, or just register the host names manually. There may be an existing feature or script available on a Linux node to securely update DNS after DHCP. Maybe the same is possible for Cisco, etc.

Thanks for your insight.

On 02/14/2018 05:59 AM, Denis Cardon wrote:
> Hi Ken,
>
>> I am considering which DNS implementation to use and cannot determine exactly when someone should use the Bind9 manner with the BIND9_DLZ module.
>>
>> For my purposes, I will have AD and non-AD nodes on the network using either DHCP or static IP addresses. Some will be Windows & Linux clients joined on the Samba AD domain for logins. Some will be Windows & Linux clients that are standalone using either DHCP or static IP.
>>
>> How should I best support this environment as I move to a single AD domain setup with Samba4? I don't need to migrate anything.
>>
>> In the past, I have supported this arrangement by using DHCP to update DNS (Bind9), which worked great for hostnames (reported from clients) and IP addresses (allocated from the DHCP server).
>>
>> I've read through these wikis but cannot determine how to choose.
>>
>> https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End
>> https://wiki.samba.org/index.php/Samba_Internal_DNS_Back_End
>> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
>>
>> My questions are:
>>
>> 1) Which DNS implementation should I use?
>
> If you have a domain with more than a few dozen boxes, you definitely should go with Bind-DLZ. Bind-DLZ samba module integration is ugly (to say the least); it needs to allow direct LDB file access for the Bind9 process... Andreas did underline that during his talk at FOSDEM, and I totally agree with him that it is really ugly. And Bind-DLZ configuration is really not straightforward to set up.
>
> But for larger networks, internal DNS unfortunately does not scale well since it does no caching, and its configuration options are barely minimal.
>
> Currently, enabling Bind-DLZ gives the bind9 process RW access to all the samba LDB files (the equivalent of NTDS.DIT if you come from the MSAD world) without any filtering, so it has access to all NTLM hashes, all Kerberos hashes, and the krbtgt account. So if you have a compromise of the Bind9 process, it could escalate directly to full domain compromise. It also prevents enabling any SELinux configuration on the DC.
>
> There has been some mail about this isolation issue. The solution would be to use standard LDAP access between the Bind9 and Samba processes. It would resolve the issue (and make installation much simpler). I hope we could get some financing in the future to clean that up.
>
>> 2) Will I be able to have the non-AD devices register their hostnames and IP addresses in the same domain that Samba AD is using? (Mine will be the recommended subdomain.domain.com and I'd like all DNS entries for AD and non-AD to be in the subdomain.)
>
> In an AD domain, all automatic DNS registration is authenticated. A Windows client can only register its own name. If you allow registration through DHCP query/offer, then a rogue client can register any name, which is definitely a security issue (WPAD/ISATAP anyone?).
>
> Cheers,
>
> Denis
>
>> Thanks