Joachim Lindenberg
2019-Jul-29 16:45 UTC
[Samba] split horizon and authoritative answers..?
I need to implement split horizon DNS, as I have just one external IP address (dynamic.lindenberg.one in external DNS) but multiple internal ones. External requests are distributed by port or using sniproxy (in particular 443), and all externally visible names are in a distinct zone than my domain, but with an additional indirection: names like backup.lindenberg.one resolve to CNAME backup.rot.lindenberg.one, and only backup.rot.lindenberg.one is resolved differently internally/externally.

On my old DC (recently upgraded), I was using the bind backend and initially had a zone file with the internal resolution (partly generated by a shell script). Later on I figured out that I can also define that zone in AD, and maintain internal names easily with the RSAT DNS tool, and also removed the zone file.

Now I also installed a new DC, but used the internal backend. The issue now is that they resolve differently:

joachim at cobra:/etc/bind$ dig backup.lindenberg.one @cobra

; <<>> DiG 9.11.3-1ubuntu1.8-Ubuntu <<>> backup.lindenberg.one @cobra
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24127
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 9948b558362b92988d15885e5d3f20913d1a914b95ee56eb (good)
;; QUESTION SECTION:
;backup.lindenberg.one.         IN      A

;; ANSWER SECTION:
backup.lindenberg.one.  300     IN      CNAME   backup.rot.lindenberg.one.
backup.rot.lindenberg.one. 3600 IN      CNAME   alex.samba.lindenberg.one.
alex.samba.lindenberg.one. 1200 IN      A       192.168.177.5

;; AUTHORITY SECTION:
samba.lindenberg.one.   900     IN      NS      cobra.samba.lindenberg.one.
samba.lindenberg.one.   900     IN      NS      boa.samba.lindenberg.one.

;; ADDITIONAL SECTION:
cobra.samba.lindenberg.one. 900 IN      A       192.168.177.19
boa.samba.lindenberg.one. 900   IN      A       192.168.177.18

;; Query time: 22 msec
;; SERVER: 192.168.177.19#53(192.168.177.19)
;; WHEN: Mon Jul 29 18:36:33 CEST 2019
;; MSG SIZE  rcvd: 214

joachim at cobra:/etc/bind$ dig backup.lindenberg.one @boa.samba.lindenberg.one

; <<>> DiG 9.11.3-1ubuntu1.8-Ubuntu <<>> backup.lindenberg.one @boa.samba.lindenberg.one
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63515
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;backup.lindenberg.one.         IN      A

;; ANSWER SECTION:
backup.lindenberg.one.  277     IN      CNAME   backup.rot.lindenberg.one.
backup.rot.lindenberg.one. 277  IN      CNAME   dynamic.lindenberg.one.
dynamic.lindenberg.one. 97      IN      A       178.10.20.121

;; Query time: 1 msec
;; SERVER: 192.168.177.18#53(192.168.177.18)
;; WHEN: Mon Jul 29 18:38:24 CEST 2019
;; MSG SIZE  rcvd: 102

To me it looks like that with bind, the external information for which bind feels authoritative is stripped and replaced by internal information, whereas with the internal backend this is not done. But of course this is speculative. The DNS forwarder is the same for both.

Is my observation correct and maybe also the assumption? If yes, is that behavior as expected? Is bind's behavior as expected? If all yes, how can I switch to bind? Demote and rejoin?

Thanks, Joachim
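One way to make the difference between the two transcripts above mechanical, as an added example that is not part of Joachim's post and not Samba or bind code: the script parses dig's ANSWER SECTION, follows the CNAME chain to the final address and classifies that address as internal (private space) or external, so the answers of two DCs can be compared for split-horizon consistency. The two embedded transcripts are the answer sections quoted in the post; all function names are this example's own.

```python
import ipaddress
import re

# ANSWER SECTIONs of the two dig runs quoted in the post: cobra (bind9 backend)
# and boa (internal DNS backend), both asked for backup.lindenberg.one.
DIG_COBRA = """\
;; QUESTION SECTION:
;backup.lindenberg.one.         IN      A

;; ANSWER SECTION:
backup.lindenberg.one.  300     IN      CNAME   backup.rot.lindenberg.one.
backup.rot.lindenberg.one. 3600 IN      CNAME   alex.samba.lindenberg.one.
alex.samba.lindenberg.one. 1200 IN      A       192.168.177.5

;; AUTHORITY SECTION:
samba.lindenberg.one.   900     IN      NS      cobra.samba.lindenberg.one.
"""

DIG_BOA = """\
;; QUESTION SECTION:
;backup.lindenberg.one.         IN      A

;; ANSWER SECTION:
backup.lindenberg.one.  277     IN      CNAME   backup.rot.lindenberg.one.
backup.rot.lindenberg.one. 277  IN      CNAME   dynamic.lindenberg.one.
dynamic.lindenberg.one. 97      IN      A       178.10.20.121

;; Query time: 1 msec
"""

# owner  ttl  IN  type  rdata  (dig separates the fields with tabs or spaces)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA|CNAME)\s+(\S+)$")


def parse_answer_section(dig_output):
    """Return [(owner, ttl, type, rdata), ...] from dig's ANSWER SECTION."""
    records = []
    in_answer = False
    for raw in dig_output.splitlines():
        line = raw.strip()
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if not in_answer:
            continue
        if not line or line.startswith(";"):
            break                      # blank line or next section ends the answer
        m = RR_RE.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            records.append((owner.lower(), int(ttl), rtype, rdata.lower()))
    return records


def follow_chain(records, qname):
    """Follow CNAMEs from qname; return (names visited, final address or None)."""
    by_owner = {}
    for owner, _ttl, rtype, rdata in records:
        by_owner.setdefault(owner, []).append((rtype, rdata))
    name = qname.lower().rstrip(".") + "."
    chain = [name]
    for _ in range(len(records) + 1):      # bounds the walk if the chain loops
        rrs = by_owner.get(name, [])
        for rtype, rdata in rrs:
            if rtype in ("A", "AAAA"):
                return chain, rdata
        cnames = [rdata for rtype, rdata in rrs if rtype == "CNAME"]
        if not cnames:
            return chain, None             # dangling CNAME or empty answer
        name = cnames[0]
        chain.append(name)
    return chain, None


def classify(address):
    """'internal' for RFC 1918 / private space, 'external' otherwise."""
    return "internal" if ipaddress.ip_address(address).is_private else "external"


def compare_views(transcripts, qname):
    """Resolve qname in every transcript; report each view and whether they agree."""
    results = {}
    for server, text in transcripts.items():
        chain, addr = follow_chain(parse_answer_section(text), qname)
        results[server] = {
            "chain": chain,
            "address": addr,
            "view": classify(addr) if addr else "unresolved",
        }
    consistent = len({r["view"] for r in results.values()}) == 1
    return results, consistent


if __name__ == "__main__":
    views, same = compare_views({"cobra": DIG_COBRA, "boa": DIG_BOA}, "backup.lindenberg.one")
    for server, r in views.items():
        print(f"{server}: {' -> '.join(r['chain'])} = {r['address']} ({r['view']})")
    print("consistent" if same else "DCs answer from different horizons")
```

Run against the post's transcripts it reports cobra ending at 192.168.177.5 (internal) and boa ending at 178.10.20.121 (external), i.e. the two DCs serve different horizons for the same name. Feeding it live `dig` output from each DC in turn is the obvious next step; the CNAME walk is bounded so a looping chain cannot hang it.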
On 29/07/2019 17:45, Joachim Lindenberg via samba wrote:
> I need to implement split horizon DNS, as I have just one external IP address (dynamic.lindenberg.one in external DNS) but multiple internal ones. External requests are distributed by port or using sniproxy (in particular 443), and all externally visible names are in a distinct zone than my domain, but with an additional indirection: names like backup.lindenberg.one resolve to CNAME backup.rot.lindenberg.one, and only backup.rot.lindenberg.one is resolved differently internally/externally.

No, you want to implement split horizon/split brain, but you shouldn't, you should have used a subdomain of your external domain for the AD dns domain. As far as I am aware, you need Windows 2016 to have any chance of something like this working.

Rowland
Joachim Lindenberg
2019-Jul-29 21:29 UTC
[Samba] split horizon and authoritative answers..?
All AD domains are subdomains of the external domain. But that doesn't help to address the issue that the IPs are different externally/internally (and I need IPv4) - or what am I overlooking? Or do you suggest having a DNS server on the external port 53 that just answers with "here am I" to any request? Internet providers don't really like port 53 open...

It does work with bind, so why Windows 2016? Are you referring to the AD level or to the specific implementation?

Thanks, Joachim

-----Original message-----
From: samba <samba-bounces at lists.samba.org> On behalf of Rowland penny via samba
Sent: Monday, 29 July 2019 20:17
To: samba at lists.samba.org
Subject: Re: [Samba] split horizon and authoritative answers..?

On 29/07/2019 17:45, Joachim Lindenberg via samba wrote:
> I need to implement split horizon DNS, as I have just one external IP address (dynamic.lindenberg.one in external DNS) but multiple internal ones. External requests are distributed by port or using sniproxy (in particular 443), and all externally visible names are in a distinct zone than my domain, but with an additional indirection: names like backup.lindenberg.one resolve to CNAME backup.rot.lindenberg.one, and only backup.rot.lindenberg.one is resolved differently internally/externally.

No, you want to implement split horizon/split brain, but you shouldn't, you should have used a subdomain of your external domain for the AD dns domain. As far as I am aware, you need Windows 2016 to have any chance of something like this working.

Rowland

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Hai,

Have you ever tried this with a systemd networking setup? I suggest you try this, this at least helped me with some split DNS issues. Below shows how I did it.

Configure your network with systemd, the configs..

#/etc/systemd/network/lan-dev.network
#
# Configure global settings in /etc/systemd/*.conf
#
# Don't forget : rm /etc/resolv.conf && ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
# ( Optional, you can use static resolv.conf also )
#
# Config below disables ipv6
[Match]
Name=eth0

[Network]
DHCP=no
DNSSEC=allow-downgrade
IPv6PrivacyExtensions=no
IPv6AcceptRouterAdvertisements=no
LinkLocalAddressing=no
# we want NTP synced with AD-DC's
# ip, hostname or cnames are allowed here.
NTP=IP-AD-DC1 AD-DC-IP2
# DNS=IP1 IP2
# Domains=primary.dnsdomain.tld alias.domain.tld domain.tld
# Optional extra IP
#Address=IP/mask
# optional set extra gateway for this interface
#Gateway=x.x.x.x/x
# Optional set extra routes.
#[Route]
#Destination=y.y.y.y/y
#Gateway=y.y.y.y

Interface 2 : /etc/systemd/network/wan-dev.network

[Match]
Name=eth1

[Network]
DHCP=no
DNSSEC=allow-downgrade
LLMNR=no
IPv6PrivacyExtensions=no
IPv6AcceptRouterAdvertisements=no
LinkLocalAddressing=no
DNS=IP_INTERNET_DNS1 IP_INTERNET_DNS2
Domains=internetDomain.tld
# IPv4 gateway and primary address.
Address=X.X.X.X/XX
Gateway=X.X.X.X
#[Route]
#Destination=x.x.x.x/x
#Gateway=x.x.x.x

Now, traffic on wan will use the internet DNS, and lan DNS on lan. CLIENT requests are determined by /etc/resolv.conf.
If you have requests from your server itself, then set up a caching DNS server. And add forwarding zones and point the first nameserver in resolv.conf to localhost.

Something like this, you need bind9 for this example.

//
// Lan zones point to AD-DC DNS.
//
zone "ad-zone.dnsdomain.tld" {
    type forward;
    forward only;
    forwarders { IP_DC1; IP_DC2; };
};

// change the XXX to your reverse ip range
zone "XXX.XXX.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { IP_DC1; IP_DC2; };
};

Ps. If you are using Debian Buster or bind 9.11+ you might need more changes. If that's the case mail again.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Joachim Lindenberg via samba
> Sent: Monday, 29 July 2019 18:46
> To: samba at lists.samba.org
> Subject: [Samba] split horizon and authoritative answers..?
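To check that a pair of .network files laid out like Louis's actually keep AD and internet queries apart, here is an added example (my code, not Louis's and not part of systemd): it reads the [Network] DNS= and Domains= settings of each link and reports a server listed twice, a link that carries DNS= without Domains= (and so may answer for any name), a domain routed over more than one link, and an AD zone routed to a server that is not a DC. The two files are constructed after Louis's layout with RFC 5737 documentation addresses in place of his placeholders; the WAN file deliberately repeats its upstream resolver so the check has something to find.

```python
import configparser
from collections import defaultdict

# Constructed after Louis's two files; documentation addresses replace his
# placeholders. The WAN file repeats the upstream resolver on purpose.
LAN_NETWORK = """\
# lan-dev.network: the AD side, DNS goes to the DCs only
[Match]
Name=eth0

[Network]
DHCP=no
DNSSEC=allow-downgrade
LinkLocalAddressing=no
NTP=192.0.2.10 192.0.2.11
DNS=192.0.2.10 192.0.2.11
Domains=ad-zone.dnsdomain.tld dnsdomain.tld
"""

WAN_NETWORK = """\
# wan-dev.network: the internet side, DNS goes to the provider's resolvers
[Match]
Name=eth1

[Network]
DHCP=no
DNSSEC=allow-downgrade
LLMNR=no
LinkLocalAddressing=no
DNS=198.51.100.1 198.51.100.1
Domains=internetdomain.tld
Address=203.0.113.5/24
Gateway=203.0.113.1
"""


def parse_network_file(text):
    """Pull the link name and its DNS=/Domains= lists out of a .network file."""
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   delimiters=("=",), empty_lines_in_values=False)
    cp.optionxform = str                     # systemd keys are case-sensitive
    cp.read_string(text)
    network = cp["Network"] if cp.has_section("Network") else {}
    return {
        "name": cp.get("Match", "Name", fallback="?"),
        "dns": network.get("DNS", "").split(),
        "domains": network.get("Domains", "").split(),
    }


def check_split_dns(network_files, ad_domain, dc_servers):
    """Return a list of findings; an empty list means the split looks sane."""
    findings = []
    links = [parse_network_file(t) for t in network_files]
    routes = defaultdict(list)               # domain -> links that route it

    for link in links:
        seen = set()
        for server in link["dns"]:
            if server in seen:
                findings.append(f"{link['name']}: DNS server {server} listed twice")
            seen.add(server)
        if link["dns"] and not link["domains"]:
            findings.append(f"{link['name']}: DNS= without Domains=, so it may answer any query")
        for domain in link["domains"]:
            routes[domain.lstrip("~")].append(link)   # ~ marks a routing-only domain

    for domain, users in routes.items():
        if len(users) > 1:
            names = ", ".join(l["name"] for l in users)
            findings.append(f"{domain}: routed over more than one link ({names})")

    ad_links = routes.get(ad_domain, [])
    if not ad_links:
        findings.append(f"{ad_domain}: no link routes it to the DCs")
    for link in ad_links:
        stray = sorted(set(link["dns"]) - set(dc_servers))
        if stray:
            findings.append(f"{link['name']}: {ad_domain} is routed to non-DC server(s) {', '.join(stray)}")
    return findings


if __name__ == "__main__":
    for finding in check_split_dns([LAN_NETWORK, WAN_NETWORK],
                                   "ad-zone.dnsdomain.tld", ["192.0.2.10", "192.0.2.11"]):
        print(finding)
```

On the constructed files it reports only the doubled resolver on eth1; pass the real DC addresses as dc_servers and the AD zone name as ad_domain, and any link that would send AD queries to an internet resolver shows up as a non-DC finding.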
Joachim Lindenberg
2019-Jul-30 08:44 UTC
[Samba] split horizon and authoritative answers..?
Hai Louis,

unfortunately I think that's not really an option. My DCs are not running on the firewall but as a virtual machine, and thus I don't really see an option for multiple interfaces.. and also I don't really want to open port 53 externally.

But I just switched the DNS backend of my 2nd DC from internal to bind, and with that split horizon works as I already indicated in my first mail.

What I am struggling with though is inappropriate out-of-the-box apparmor configuration. I resorted to aa-complain /usr/sbin/named... any chance that this is going to be improved?

Thanks, Joachim

-----Original message-----
From: samba <samba-bounces at lists.samba.org> On behalf of L.P.H. van Belle via samba
Sent: Tuesday, 30 July 2019 09:53
To: samba at lists.samba.org
Subject: Re: [Samba] split horizon and authoritative answers..?
Ah, ok, my, that's where it's different here.

My setup is AD-DNS => eth0 Server_split_DNS (Proxy) eth1 => internet

> -----Original message-----
> From: Joachim Lindenberg [mailto:samba at lindenberg.one]
> Sent: Tuesday, 30 July 2019 10:44
> To: 'L.P.H. van Belle'; samba at lists.samba.org
> Subject: AW: [Samba] split horizon and authoritative answers..?
>
> Hai Louis,
> unfortunately I think that's not really an option. My DCs are not running on the firewall but as a virtual machine, and thus I don't really see an option for multiple interfaces..

Nope, then that's not needed.

> and also I don't really want to open port 53 externally.

For that there are firewalls. ;-)

> But I just switched the DNS backend of my 2nd DC from internal to bind, and with that split horizon works as I already indicated in my first mail.

Ah, I missed that.

> What I am struggling with though is inappropriate out-of-the-box apparmor configuration. I resorted to aa-complain /usr/sbin/named...

Samba version? And what did you change exactly?

> any chance that this is going to be improved?

If I know what, then I can tell.

> Thanks, Joachim

Greetz,

Louis