Greetings Rowland.

Are you able to provide a sample config for this? I'm not sure how exactly to resolve a single zone with BIND and forward everything else to the next DNS server.

Thank you for the help

On Fri, Jun 28, 2019 at 11:55 AM Rowland penny via samba <samba at lists.samba.org> wrote:

> On 28/06/2019 09:46, Zdravko Zdravkov via samba wrote:
> > Hey all.
> > I've got a working Samba AD server with the DLZ backend. To avoid performance
> > issues I'm using an external DNS which forwards queries for the AD zone to the
> > Samba server, like that:
> >
> >> zone "myadzone.int" {
> >>     type forward;
> >>     forwarders { 192.xx.x.xx; };
> >> };
> >
> > 192.xx.x.xx = my AD Samba.
> >
> > This way it works alright, but on the external DNS I'm getting errors like:
> >
> >> named[20356]: REFUSED unexpected RCODE resolving '_kerberos._udp.AD.INT/SRV/IN': 192.xx.x.xx #53
> >> named[20356]: REFUSED unexpected RCODE resolving '_kerberos._kkdcp.AD.INT/SRV/IN': 192.xx.x.xx #53
> >> named[20356]: REFUSED unexpected RCODE resolving '_kerberos._http.AD.INT/SRV/IN': 192.xx.x.xx #53
> >
> > Which makes me wonder if there's something I'm missing. Can someone provide
> > his working config?
> >
> > Thanks
> > Z
>
> You should be doing it the other way around. Your AD clients should be
> using the AD DCs as their nameservers and anything outside the AD DNS
> domain should be forwarded to an external DNS server.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On 28/06/2019 10:43, Zdravko Zdravkov wrote:
> Greetings Rowland.
>
> Are you able to provide a sample config for this? I'm not sure how
> exactly to resolve a single zone with BIND and forward everything else
> to the next DNS server.

Try reading this: https://wiki.samba.org/index.php/Setting_up_a_BIND_DNS_Server

Rowland
On 28/06/2019 12:15, Zdravko Zdravkov wrote:
> Hi Rowland.
>
> I've followed your advice. This is what my named.conf looks like at
> the moment:
>
> include "/usr/local/samba/bind-dns/named.conf";
> options {
>     listen-on port 53 { 127.0.0.1; 192.xx.xx.x; };
>     auth-nxdomain yes;
>     directory "/var/named";
>     notify no;
>     empty-zones-enable no;
>     # IP addresses and network ranges allowed to query the DNS server:
>     allow-query {
>         127.0.0.1;
>         192.xx.xx.x/24;
>     };
>     # IP addresses and network ranges allowed to run recursive queries:
>     # (Zones not served by this DNS server)
>     allow-recursion {
>         127.0.0.1;
>         192.xx.xx.0/24;
>     };
>     tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
>
>     # Forward queries that can not be answered from own zones
>     # to these DNS servers:
>     forwarders {
>         xx.xx.xx.xx;
>     };
>     # Disable zone transfers
>     allow-transfer {
>         none;
>     };
> };
> # Root Servers
> # (Required for recursive DNS queries)
> zone "." {
>     type hint;
>     file "named.root";
> };
> # localhost zone
> zone "localhost" {
>     type master;
>     file "master/localhost.zone";
> };
> # 127.0.0. zone.
> zone "0.0.127.in-addr.arpa" {
>     type master;
>     file "master/0.0.127.zone";
> };
>
> Also, I've removed the forward rule on our external DNS.
> Now, all of this works, but running:
>
> host -a www.samba.org
>
> returns:
>
> Received 511 bytes from 192.168.40.5#53 in 3 ms
>
> I'm not sure if the AD server resolves it, or the external DNS. I've
> already had experience where the clients were using AD as DNS (in our
> other office) and the performance drop after a week or so was
> significant, so I'm concerned that this may happen again.

What is '192.168.40.5'? This is what replied.

Rowland
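To tell which server actually replied, and whether it answered from a zone it owns (such as the DLZ-served AD zone) or via its forwarders, the following helper is added here; it is not from the thread, Samba or BIND, and assumes the `;; ->>HEADER<<-`, `;; flags:` and `;; SERVER:` lines that BIND's dig prints. The three replies fed to it are constructed samples, with the address and RCODE taken from the thread.

```shell
# Added example (not from the thread): classify a dig reply by reading the
# header, flags and SERVER lines that BIND's dig prints. Output is one line:
#   "<server-ip> authoritative"   aa flag set: answered from a zone the server owns
#   "<server-ip> forwarded"       no aa flag: answered through forwarders/recursion
#   "<server-ip> error:<RCODE>"   e.g. REFUSED, the RCODE the external DNS logged
# Live use (needs network):  dig @192.168.40.5 www.samba.org | classify_dig_reply
classify_dig_reply() {
    awk '
        /^;; ->>HEADER<<-/ { rcode = $6; sub(/,$/, "", rcode) }
        /^;; flags:/       { if ($0 ~ / aa[ ,;]/) aa = 1 }
        /^;; SERVER:/      { server = $3; sub(/#.*/, "", server) }
        END {
            if (rcode != "NOERROR") kind = "error:" rcode
            else if (aa) kind = "authoritative"
            else kind = "forwarded"
            print server, kind
        }'
}

# Constructed sample replies (trimmed to the lines the function reads).
# 1. The DC answering a name in its own AD zone: aa is set.
REPLY_AD_SRV=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 192.168.40.5#53(192.168.40.5)'
# 2. The DC answering an outside name through its forwarders: no aa flag.
REPLY_EXTERNAL=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; SERVER: 192.168.40.5#53(192.168.40.5)'
# 3. A REFUSED reply, the RCODE seen in the external DNS log lines above.
REPLY_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4713
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; SERVER: 192.168.40.5#53(192.168.40.5)'

for r in "$REPLY_AD_SRV" "$REPLY_EXTERNAL" "$REPLY_REFUSED"; do
    printf '%s\n' "$r" | classify_dig_reply
done
```

Run against a live query, a "forwarded" result for an outside name confirms the DC is handing it to its forwarders rather than answering from cache or a misconfigured zone.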