Hi Rowland,
1. Thanks for your clarification ;)
2. My old DLZ configuration is:
Versions: bind-9.11 - OS CentOS 7.8
This was sambadc04 with the old bind dlz backend.
[..........]
[root at sambadc04 ~]# cat /etc/sysconfig/named |grep -v '^#'
NAMED_RUN_CHROOTED="no"
OPTIONS="-4"
[..........]
The /etc/named.conf
[..........]
acl "trusted" {
192.168.0.0/16;
10.0.0.0/8;
localhost;
};
options {
listen-on port 53 { any; };
//listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
dnssec-enable no;
dnssec-validation no;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
minimal-responses yes;
session-keyfile "/run/named/session.key";
forwarders { 10.13.252.150; 10.13.252.152; };
recursion yes;
allow-recursion { trusted; };
allow-query-cache { trusted; };
allow-transfer { trusted; };
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
//Enable Log
channel querylog{
file "/var/log/named/querylog";
severity debug 10;
print-category yes;
print-time yes;
print-severity yes;
};
category queries { querylog;};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/usr/local/samba/private/named.conf";
[..........]
The content of "/usr/local/samba/private/named.conf"
[..........]
[root at sambadc01 ~]# cat /usr/local/samba/private/named.conf |egrep -v '^#| #'
dlz "AD DNS Zone" {
database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_11.so";
};
[..........]
The server sambadc01 (works with bind dlz backend)
[..........]
[root at sambadc01 ~]# cat /etc/named.conf
acl "trusted" {
192.168.0.0/16;
10.0.0.0/8;
localhost;
};
options {
listen-on port 53 { any; };
//listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
dnssec-enable no;
dnssec-validation no;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
minimal-responses yes;
session-keyfile "/run/named/session.key";
forwarders { 10.13.252.150; 10.13.252.152; };
recursion yes;
allow-recursion { trusted; };
allow-query-cache { trusted; };
allow-transfer { trusted; };
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
channel querylog{
file "/var/log/named/querylog";
severity debug 10;
print-category yes;
print-time yes;
print-severity yes;
};
category queries { querylog;};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/usr/local/samba/private/named.conf";
[..........]
I don't have SELinux or a firewall active.
Thanks.
Regards.
---
Miguel Coa M.
On Fri, 15 May 2020 at 8:43, Rowland penny via samba (<samba at lists.samba.org>) wrote:
> On 15/05/2020 13:37, Miguel Angel Coa M. via samba wrote:
> > I had configured Samba AD's with Bind9_DLZ in all DC. But for some reason
> > (I couldn't determine) three (sambadc02,03,04) AD's responded very slowly.
> > So I changed to the Samba_Internal backend on the servers with the problem
> > and it works fine.
> >
> > sambadc01 -> with FSMO roles - Bind9_DLZ
> > sambadc02 -> Samba_Internal
> > sambadc03 -> Samba_Internal
> > sambadc04 -> Samba_Internal
> >
> > My question is: Can the DNS backend be different between AD's? Can it
> > affect the performance?
> >
> > Regards.
> > ---
> > Miguel Coa M.
>
> It shouldn't matter what dns backend you use, they both work on the same
> records in AD. Whilst Bind9 might be slightly slower (milliseconds), it
> shouldn't be noticeable, perhaps if you post your named.conf files and
> tell us your OS, we may be able to help.
>
> Rowland