On 05/07/2019 20:03, Robert A Wooldridge via samba wrote:
> On 07/05/2019 01:55 PM, Rowland penny via samba wrote:
>>> I currently run tinydns and dnscache on my proxy machine. I was
>>> hoping to keep that going. I have a Windows Server2004 doing DC work
>>> right now. Need to update that.
>>>
>>> --
>>> Bob Wooldridge
>>>
>> You can run a caching nameserver that forwards your AD dns zones to
>> your AD DC, but you can only use the Samba internal dns server or
>> Bind9 with a Samba AD DC. This is because the dns server must be able
>> to update the records in AD and they are the only two that can.
> Can you point me to some document that explains how caching would work
> with samba's dns in the manner you are suggesting?
>
> --
> Bob Wooldridge
>
We do not have anything in the wiki, but I have been working on
something to add, see the attached file.
It is a bit rough around the edges (I haven't finished it yet), but it
has had minimal testing and is based upon information supplied by
someone who has been doing this for some years.
Rowland
-------------- next part --------------
Setting up Bind as a Caching/Forwarding DNS Server
The following data will be used in the configuration of Bind9:
DNS Server: 192.168.0.2
DNS Domain: samdom.example.com
Network: 192.168.0.0/24
Samba AD DCs: 192.168.0.4 & 192.168.0.5
External DNS servers: 8.8.8.8 & 8.8.4.4 # Google
Install Bind9
sudo apt-get update
sudo apt-get install bind9 bind9utils
Configure Bind9 as a Caching/forwarding DNS Server
To only use IPv4, modify /etc/default/bind9 so that named is started with the -4 option:
OPTIONS="-u bind -4"
Modify /etc/bind/named.conf.options
acl allow_clients {
192.168.0.0/24;
localhost;
localnets;
};
options {
directory "/var/cache/bind";
recursion yes;
allow-query { allow_clients; };
forwarders {
8.8.8.8;
8.8.4.4;
};
forward only;
dnssec-enable yes;
dnssec-validation yes;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
Two points about the options block. The allow_clients acl is what keeps this
server from being an open resolver: recursion is on, so allow-query must stay
restricted to your own networks and never be widened to any. Also, AD zones are
normally unsigned, so with dnssec-validation enabled a forwarded answer for the
AD zone can fail validation and be returned as SERVFAIL; if that happens, exempt
that zone (validate-except, BIND 9.13 and later) rather than switching validation
off for everything. With -4 in OPTIONS, the listen-on-v6 line is simply ignored.
Modify /etc/bind/named.conf.local, adding one forward zone for each zone the DCs
are authoritative for: the AD domain, its _msdcs subzone and the reverse zone.
zone "samdom.example.com" {
type forward;
forwarders { 192.168.0.4; 192.168.0.5; };
};
zone "_msdcs.samdom.example.com" {
type forward;
forwarders { 192.168.0.4; 192.168.0.5; };
};
zone "0.168.192.in-addr.arpa" {
type forward;
forwarders { 192.168.0.4; 192.168.0.5; };
};
Test the Configuration
sudo named-checkconf
named-checkconf prints nothing when the configuration is valid. If there are any
syntax errors, you will be alerted to the error and given the file and line number
where it occurs. If this happens, go back and check the files for errors.
Start Bind9
sudo service bind9 start
Client Machine configuration
Your client machines must have an IP address in the allowed range and use the
caching DNS server as their first nameserver.
On a Unix machine, open /etc/resolv.conf and set the caching DNS server as the
first nameserver, with the DCs after it as a fallback (if the file is managed by
resolvconf, NetworkManager or systemd-resolved, make the change there instead, or
it will be overwritten):
search samdom.example.com
nameserver 192.168.0.2
nameserver 192.168.0.4
nameserver 192.168.0.5
# FIXME add how to set up Windows machines.
Now, you can test to make sure queries can resolve correctly by using some
common tools.
You can use ping to check that a name resolves and that the host is reachable:
ping -c 1 google.com
PING google.com (216.58.210.46) 56(84) bytes of data.
64 bytes from lhr25s11-in-f46.1e100.net (216.58.210.46): icmp_seq=1 ttl=54 time=27.3 ms
--- google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 27.383/27.383/27.383/0.000 ms
This shows that the client resolved google.com through the caching DNS server and can reach it.
You can get more detailed information by using DNS-specific tools like dig. Try
a different domain this time:
dig samba.org
; <<>> DiG 9.10.3-P4-Debian <<>> samba.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4933
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;samba.org. IN A
;; ANSWER SECTION:
samba.org. 21599 IN A 144.76.82.156
;; AUTHORITY SECTION:
. 62700 IN NS j.root-servers.net.
. 62700 IN NS f.root-servers.net.
. 62700 IN NS d.root-servers.net.
. 62700 IN NS l.root-servers.net.
. 62700 IN NS c.root-servers.net.
. 62700 IN NS b.root-servers.net.
. 62700 IN NS k.root-servers.net.
. 62700 IN NS e.root-servers.net.
. 62700 IN NS h.root-servers.net.
. 62700 IN NS g.root-servers.net.
. 62700 IN NS i.root-servers.net.
. 62700 IN NS m.root-servers.net.
. 62700 IN NS a.root-servers.net.
;; Query time: 36 msec
;; SERVER: 192.168.0.2#53(192.168.0.2)
;; WHEN: Sun Jun 30 12:27:52 BST 2019
;; MSG SIZE rcvd: 265
You can see that the query took 36 milliseconds. If you make the request again,
the server should answer from its cache, decreasing the response time:
dig samba.org
; <<>> DiG 9.10.3-P4-Debian <<>> samba.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61392
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;samba.org. IN A
;; ANSWER SECTION:
samba.org. 21534 IN A 144.76.82.156
;; AUTHORITY SECTION:
. 62635 IN NS b.root-servers.net.
. 62635 IN NS e.root-servers.net.
. 62635 IN NS l.root-servers.net.
. 62635 IN NS k.root-servers.net.
. 62635 IN NS m.root-servers.net.
. 62635 IN NS h.root-servers.net.
. 62635 IN NS i.root-servers.net.
. 62635 IN NS c.root-servers.net.
. 62635 IN NS g.root-servers.net.
. 62635 IN NS a.root-servers.net.
. 62635 IN NS f.root-servers.net.
. 62635 IN NS j.root-servers.net.
. 62635 IN NS d.root-servers.net.
;; Query time: 0 msec
;; SERVER: 192.168.0.2#53(192.168.0.2)
;; WHEN: Sun Jun 30 12:28:58 BST 2019
;; MSG SIZE rcvd: 265
As you can see, the cached response is significantly faster. The TTL has also
counted down from 21599 to 21534, which confirms the answer came from the cache
rather than being forwarded again.
You can also test the reverse lookup by using the IP address that was found
(144.76.82.156 in this case) with dig's -x option:
dig -x 144.76.82.156
; <<>> DiG 9.10.3-P4-Debian <<>> -x 144.76.82.156
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65017
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;156.82.76.144.in-addr.arpa. IN PTR
;; ANSWER SECTION:
156.82.76.144.in-addr.arpa. 21599 IN PTR hr3.samba.org.
;; AUTHORITY SECTION:
. 62578 IN NS l.root-servers.net.
. 62578 IN NS c.root-servers.net.
. 62578 IN NS k.root-servers.net.
. 62578 IN NS e.root-servers.net.
. 62578 IN NS b.root-servers.net.
. 62578 IN NS h.root-servers.net.
. 62578 IN NS j.root-servers.net.
. 62578 IN NS d.root-servers.net.
. 62578 IN NS a.root-servers.net.
. 62578 IN NS i.root-servers.net.
. 62578 IN NS f.root-servers.net.
. 62578 IN NS g.root-servers.net.
. 62578 IN NS m.root-servers.net.
;; Query time: 39 msec
;; SERVER: 192.168.0.2#53(192.168.0.2)
;; WHEN: Sun Jun 30 12:29:55 BST 2019
;; MSG SIZE rcvd: 293
As you can see, the reverse lookup also succeeds.
Now to test the Samba AD DNS domain, which is forwarded to the DCs:
dig samdom.example.com
; <<>> DiG 9.10.3-P4-Debian <<>> samdom.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44000
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;samdom.example.com. IN A
;; ANSWER SECTION:
samdom.example.com. 900 IN A 192.168.0.4
samdom.example.com. 900 IN A 192.168.0.5
;; AUTHORITY SECTION:
samdom.example.com. 531 IN NS dc4.samdom.example.com.
samdom.example.com. 531 IN NS dc5.samdom.example.com.
;; ADDITIONAL SECTION:
dc4.samdom.example.com. 531 IN A 192.168.0.4
dc5.samdom.example.com. 530 IN A 192.168.0.5
;; Query time: 5 msec
;; SERVER: 192.168.0.2#53(192.168.0.2)
;; WHEN: Sun Jun 30 10:59:09 BST 2019
;; MSG SIZE rcvd: 147
The next query was mistyped (_mscds instead of _msdcs), so the NXDOMAIN below is
just the correct answer for a name that does not exist in samdom.example.com; it
does not exercise the _msdcs forward zone at all. To test that zone, query a
record the DCs actually register in it, for example the domain controller LDAP
SRV record: dig SRV _ldap._tcp.dc._msdcs.samdom.example.com should return
NOERROR with one SRV record per DC.
dig _mscds.samdom.example.com
; <<>> DiG 9.10.3-P4-Debian <<>> _mscds.samdom.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20318
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_mscds.samdom.example.com. IN A
;; AUTHORITY SECTION:
samdom.example.com. 3600 IN SOA dc4.samdom.example.com. hostmaster.samdom.example.com. 8289 900 600 86400 3600
;; Query time: 5 msec
;; SERVER: 192.168.0.2#53(192.168.0.2)
;; WHEN: Sun Jun 30 11:00:43 BST 2019
;; MSG SIZE rcvd: 105
Finally, a reverse lookup of a DC, which is forwarded through the 0.168.192.in-addr.arpa zone:
dig -x 192.168.0.4
; <<>> DiG 9.10.3-P4-Debian <<>> -x 192.168.0.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22894
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;4.0.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
4.0.168.192.in-addr.arpa. 900 IN PTR dc4.samdom.example.com.
;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 3600 IN NS dc5.samdom.example.com.
;; ADDITIONAL SECTION:
dc5.samdom.example.com. 293 IN A 192.168.0.5
;; Query time: 5 msec
;; SERVER: 192.168.0.2#53(192.168.0.2)
;; WHEN: Sun Jun 30 11:03:06 BST 2019
;; MSG SIZE rcvd: 123
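The manual dig tests above can be turned into a repeatable check script. The script below is an added example, not code from Rowland's draft or the Samba wiki; it wraps dig in a few POSIX shell functions that parse the reply (status, answering server, answer TTL and rdata) and uses them to confirm that external names resolve and are answered from cache on the second lookup (the TTL counts down), that the _msdcs forward zone really reaches the DCs (via the standard _ldap._tcp.dc._msdcs SRV record every AD DC registers), that the reverse zone works, and, when run from a host outside the acl, that the server REFUSES queries instead of acting as an open resolver. It assumes the addresses from the data table above (resolver 192.168.0.2, zone samdom.example.com, DC 192.168.0.4), samba.org as the external test name, and that dig is installed; the sample_reply function is a constructed dig reply in the shape of the captures above so the parsers can be exercised without a live resolver.

```shell
#!/bin/sh
# check_resolver.sh: end-to-end checks for a Bind9 caching/forwarding resolver
# that forwards the Samba AD zones to the DCs. Added example; not code from the
# Samba wiki or the Samba project. Assumed values follow the tutorial above:
# resolver 192.168.0.2, AD DNS domain samdom.example.com, DC 192.168.0.4.
#
# Usage: sh check_resolver.sh 192.168.0.2 samdom.example.com          # from an allowed client
#        sh check_resolver.sh 192.168.0.2 samdom.example.com outside  # from a host outside the acl

# rcode: print the status (NOERROR, NXDOMAIN, REFUSED, SERVFAIL) of a dig reply read from stdin.
rcode() {
    sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p'
}

# server_of: print the address that answered, taken from dig's ";; SERVER:" line.
server_of() {
    sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p'
}

# answer_ttl: TTL of the first record in the ANSWER SECTION (empty when there is no answer).
answer_ttl() {
    awk '/^;; ANSWER SECTION:/ { inans = 1; next }
         inans && /^;;/        { exit }
         inans && NF >= 5      { print $2; exit }'
}

# answer_rdata: sorted rdata of every ANSWER record on one line, so two replies
# compare equal even when the server rotates record order (as the root NS lists above do).
answer_rdata() {
    awk '/^;; ANSWER SECTION:/ { inans = 1; next }
         inans && /^;;/        { exit }
         inans && NF >= 5      { print $NF }' | sort | tr '\n' ' ' | sed 's/ $//'
}

# served_from_cache FIRST SECOND: true when SECOND holds the same answer as FIRST
# with a smaller TTL. A re-forwarded answer comes back with a fresh TTL; a cached
# one counts down (21599 -> 21534 in the captures above). Two lookups inside the
# same second tie on TTL, so the live run sleeps between them.
served_from_cache() {
    a=$(answer_rdata < "$1"); b=$(answer_rdata < "$2")
    t1=$(answer_ttl < "$1");  t2=$(answer_ttl < "$2")
    [ -n "$a" ] && [ "$a" = "$b" ] && [ -n "$t1" ] && [ -n "$t2" ] && [ "$t2" -lt "$t1" ]
}

# sample_reply TTL [STATUS]: a constructed dig reply in the shape of the samba.org
# capture above, so the parsers can be exercised without a live resolver.
sample_reply() {
    status=${2:-NOERROR}
    printf ';; ->>HEADER<<- opcode: QUERY, status: %s, id: 4933\n' "$status"
    printf ';; QUESTION SECTION:\n;samba.org.\t\t\tIN\tA\n\n'
    [ "$status" = NOERROR ] && printf ';; ANSWER SECTION:\nsamba.org.\t\t%s\tIN\tA\t144.76.82.156\n\n' "$1"
    printf ';; Query time: 36 msec\n;; SERVER: 192.168.0.2#53(192.168.0.2)\n'
}

# check LABEL COMMAND...: run one check, print the verdict, count failures.
check() {
    label=$1; shift
    if "$@"; then echo "ok:   $label"; else echo "FAIL: $label"; failures=$((failures + 1)); fi
}

# run_checks RESOLVER ZONE [inside|outside] [DC_IP]: the live checks against a running resolver.
run_checks() {
    resolver=$1; zone=$2; mode=${3:-inside}; dc=${4:-192.168.0.4}
    tmp=$(mktemp -d); failures=0
    if [ "$mode" = outside ]; then
        # A host outside the allow_clients acl must be REFUSED; anything else
        # means the box is an open resolver.
        dig @"$resolver" samba.org A > "$tmp/ext"
        check "query from outside the acl is REFUSED" [ "$(rcode < "$tmp/ext")" = REFUSED ]
    else
        dig @"$resolver" samba.org A > "$tmp/ext1"; sleep 1
        dig @"$resolver" samba.org A > "$tmp/ext2"
        check "external name resolves"           [ "$(rcode < "$tmp/ext1")" = NOERROR ]
        check "answered by the caching server"   [ "$(server_of < "$tmp/ext1")" = "$resolver" ]
        check "repeat lookup served from cache"  served_from_cache "$tmp/ext1" "$tmp/ext2"
        # Every DC registers this SRV record in the _msdcs zone, so a NOERROR
        # answer with a target proves the _msdcs forward zone reaches the DCs.
        dig @"$resolver" "_ldap._tcp.dc._msdcs.$zone" SRV > "$tmp/srv"
        check "_msdcs DC SRV record resolves"    [ "$(rcode < "$tmp/srv")" = NOERROR ]
        check "_msdcs SRV names at least one DC" [ -n "$(answer_rdata < "$tmp/srv")" ]
        dig @"$resolver" "$zone" A > "$tmp/zone"
        check "AD zone apex resolves"            [ -n "$(answer_rdata < "$tmp/zone")" ]
        # Needs the 0.168.192.in-addr.arpa forward zone and a PTR for the DC.
        dig @"$resolver" -x "$dc" > "$tmp/ptr"
        check "reverse lookup of a DC"           [ "$(rcode < "$tmp/ptr")" = NOERROR ]
    fi
    rm -rf "$tmp"
    [ "$failures" -eq 0 ]
}

# Run the live checks only when a resolver address was given on the command line.
if [ $# -gt 0 ]; then
    run_checks "$@"
fi
```

Run it once from a client inside the allowed range and once from a host outside it; the second run should report a single ok line for REFUSED. The cache check deliberately compares TTLs rather than query times, since a 0 msec query time is also what you get from a forwarder on the same LAN segment, whereas a TTL that keeps counting down can only come from the cache.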