Hello everyone,

I'm trying to come up with the ideal DNS server configuration in consideration with Samba AD DC.

The Samba wiki [1] says:

> For high traffic environments, it is not recommended to use BIND9_DLZ-backed samba as a primary DNS server. Instead, use an external server that only forwards queries to BIND9_DLZ-backed samba DNS installations when the query is addressed to a zone managed by that node.

Obviously running BIND9_DLZ is more complex than leveraging Samba's built-in DNS server. Why bother with BIND9_DLZ, if it is recommended to run a separate DNS server and forward the AD zone to a DC anyway? What benefit does using BIND9_DLZ provide?

Backstory:

We used to use Unbound on our pfSense gateway exclusively for DNS. When we provisioned our domain, we pointed clients at the Samba DCs (running the built-in DNS server) for DNS. Samba was configured to forward directly to Google Public DNS, but the latency was poor, as there was no caching on our end anymore. So we instead forwarded Samba to the old Unbound DNS servers for internet DNS.

There are various problems with this setup, namely that Samba doesn't support "conditional forwarders" [2], so we handle that in Unbound.

Is the right answer (still) to set up separate DNS servers (like BIND or PowerDNS) and forward the AD zone to Samba?

What about dynamic DNS for non-domain-joined DHCP clients? Their names can't be trusted in the same zone as the AD domain, so I want the DHCP server to register them somewhere else. Can Samba DNS handle that zone, or should that be handled by BIND/PowerDNS?

Looking to hear about some of the configurations in use by people here.

Thank you,
Jonathon Reinhart

[1]: https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#Recommended_Architecture
[2]: https://lists.samba.org/archive/samba/2018-December/219978.html
Hello Jonathon,

good questions, throwing in my cents..

"ideal .. configuration" - I guess it really depends on what you want to do and the scale of the network. Mine is small (roundabout two dozen machines); nevertheless I am running two DCs for availability reasons. When I started that journey, nobody on the list really recommended Samba's internal backend in a multi-DC setup, and for that reason I am using BIND9_DLZ. Initially I also used bind to serve another local domain, but ultimately figured out it is easier to maintain it in the directory as yet another DNS zone. Thus if there were a clear statement from the Samba team that the internal backend is fine with multiple DCs, then I could get rid of bind.

Ultimately the question is what scenarios are subject to https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#Introduction "that the Samba internal DNS server does not support." - this statement is unclear, and thus bind9 is probably the go-to solution.

Upstream I am running a pi-hole and then DNS-over-TLS to Cloudflare. Now as pi-hole is based on dnsmasq, I could also use that as the main entry point for clients and just delegate local zones to Samba. But as Windows clients are supposed to update their (potentially dynamic) addresses, I just don't know whether this is supposed to work. The error messages suggest they expect the DNS servers to react to updates. If it were clear that they talk to any of the authoritative servers of the zone, then I'd feel much better with that approach.

Best Regards,
Joachim

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Jonathon Reinhart via samba
Sent: Wednesday, 20 May 2020 04:16
To: samba <samba at lists.samba.org>
Subject: [Samba] Samba DC and DNS best practices
On Tue, 2020-05-19 at 22:16 -0400, Jonathon Reinhart via samba wrote:
> Hello everyone,
>
> I'm trying to come up with the ideal DNS server configuration in
> consideration with Samba AD DC.
>
> The Samba wiki [1] says:
>
> > For high traffic environments, it is not recommended to use
> > BIND9_DLZ-backed samba as a primary DNS server. Instead, use an external
> > server that only forwards queries to BIND9_DLZ-backed samba DNS
> > installations when the query is addressed to a zone managed by that node.
>
> Obviously running BIND9_DLZ is more complex than leveraging Samba's
> built-in DNS server. Why bother with BIND9_DLZ, if it is recommended to run
> a separate DNS server and forward the AD zone to a DC anyway? What benefit
> does using BIND9_DLZ provide?

That has multiple answers:

- Originally BIND9_DLZ was the only option; we didn't want to write a DNS
  server (that sounded complex), so we used that one.
- Others on the team wanted to have Samba be an 'out of the box' solution,
  and 'how hard can it be anyway'. It turns out quite hard, but it does mean
  we can control everything.

Before we hit that performance issue the thinking was:

- internal to get going fast, small installations
- BIND9_DLZ for large installs, where using a 'proper' DNS server would help

However, then we found that the typical install just hammered the DB
checking if maybe we had added google.com as a zone in the past few
milliseconds, while blocking every thread and not doing any recursive
queries.

> Backstory:
>
> We used to use Unbound on our pfSense gateway exclusively for DNS. When we
> provisioned our domain, we pointed clients at the Samba DCs (running the
> built-in DNS server) for DNS. Samba was configured to forward directly to
> Google Public DNS, but the latency was poor, as there was no caching on our
> end anymore. So we instead forwarded Samba to the old Unbound DNS servers
> for internet DNS.
>
> There are various problems with this setup, namely that Samba doesn't
> support "conditional forwarders" [2], so we handle that in Unbound.
>
> Is the right answer (still) to set up separate DNS servers (like BIND or
> PowerDNS) and forward the AD zone to Samba?

Yes.

> What about dynamic DNS for non-domain-joined DHCP clients? Their names
> can't be trusted in the same zone as the AD domain, so I want the DHCP
> server to register them somewhere else. Can Samba DNS handle that zone, or
> should that be handled by BIND/PowerDNS?

They should ask for the SOA and do the update. They don't need to point
directly to the Samba DNS server for that.

Andrew Bartlett
-- 
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
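The update flow Andrew describes, and the one Joachim was unsure about (whether clients talk to "any" server or to the zone's primary), as an added example that is not code from Samba or from anyone in this thread. A client asks whatever resolver it is configured with (the gateway's Unbound, a BIND forwarder, ...) for the SOA of its own name, takes the zone apex and the primary (SOA MNAME) from the reply, and sends the RFC 2136 UPDATE to that primary; the resolver it uses for ordinary lookups is never involved in the update itself. The zone `dhcp.example.net.`, the primary `ns1.dhcp.example.net.`, the host and address, and the in-memory "network" (`demo_exchange`) are all constructed for illustration. The UPDATE is unsigned, as a separate DHCP-client zone that allows unsigned updates from the DHCP server's address would accept; an AD zone on a Samba DC expects GSS-TSIG signed updates, which this example does not implement.

```python
# Added example (not Samba's or any poster's code): RFC 2136 update to the primary learned from the SOA.
import secrets
import socket
import struct

DHCP_ZONE = "dhcp.example.net."         # hypothetical zone for non-domain DHCP clients
DHCP_PRIMARY = "ns1.dhcp.example.net."  # hypothetical SOA MNAME (the zone's primary)

def encode_name(name):
    """Wire-format a dotted name (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64: raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def decode_name(msg, off):
    """Read a possibly compressed name at off; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off: raise ValueError("forward pointer")   # only backward pointers, so no loops
            end, jumped, off = (end if jumped else off + 2), True, ptr
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def build_soa_query(name, qid):
    """Standard query, RD=1, for SOA/IN of the host's own FQDN."""
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 6, 1)

def soa_zone_and_mname(resp, qid):
    """Return (zone, MNAME) from the SOA RR in the answer or authority section."""
    rid, flags, qd, an, ns, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != qid or not flags & 0x8000: raise ValueError("not a response to our query")
    if flags & 0xF not in (0, 3): raise ValueError("RCODE %d" % (flags & 0xF))  # NOERROR/NXDOMAIN carry the SOA
    off = 12
    for _ in range(qd):                               # skip the question section
        off = decode_name(resp, off)[1] + 4
    for _ in range(an + ns):
        owner, off = decode_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 6:                                # SOA: owner is the zone apex, RDATA starts with MNAME
            return owner, decode_name(resp, off)[0]
        off += rdlen
    raise ValueError("no SOA in response")

def build_update(zone, fqdn, ipv4, ttl, qid):
    """RFC 2136 UPDATE: delete any A RRset at fqdn, then add the new A record."""
    hdr = struct.pack("!HHHHHH", qid, 5 << 11, 1, 0, 2, 0)           # opcode UPDATE; ZOCOUNT=1, UPCOUNT=2
    zone_sec = encode_name(zone) + struct.pack("!HH", 6, 1)          # ZTYPE=SOA, ZCLASS=IN
    delete = encode_name(fqdn) + struct.pack("!HHIH", 1, 255, 0, 0)  # TYPE=A, CLASS=ANY, TTL=0, no RDATA
    rdata = socket.inet_aton(ipv4)
    add = encode_name(fqdn) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return hdr + zone_sec + delete + add

def update_rcode(resp, qid):
    rid, flags = struct.unpack("!HH", resp[:4])
    if rid != qid: raise ValueError("ID mismatch")
    return flags & 0xF

def udp_exchange(server, packet, timeout=3.0):
    """Real transport: one UDP round trip to server:53 (server may be a hostname)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (socket.gethostbyname(server), 53))
        return s.recv(4096)

def demo_exchange(server, packet):
    """Constructed stand-in for the network so the flow runs offline: every server answers the SOA
    query (authority section, as for a name below the apex); only DHCP_PRIMARY accepts UPDATEs, and
    only for DHCP_ZONE, anything else gets NOTAUTH (9)."""
    qid, flags = struct.unpack("!HH", packet[:4])
    if (flags >> 11) & 0xF == 0:                      # standard query -> SOA answer
        rdata = encode_name(DHCP_PRIMARY) + encode_name("hostmaster." + DHCP_ZONE) \
            + struct.pack("!IIIII", 2020052001, 3600, 900, 604800, 300)
        soa = encode_name(DHCP_ZONE) + struct.pack("!HHIH", 6, 1, 300, len(rdata)) + rdata
        return struct.pack("!HHHHHH", qid, 0x8180, 1, 0, 1, 0) + packet[12:] + soa
    zone = decode_name(packet, 12)[0]                 # UPDATE: the zone section names the zone
    ok = server == DHCP_PRIMARY and zone == DHCP_ZONE
    return struct.pack("!HH", qid, 0xA800 | (0 if ok else 9)) + packet[4:12]

def register_via_soa(fqdn, ipv4, resolver, exchange=udp_exchange, ttl=3600):
    """Client flow: the resolver only reveals the zone and its primary; the UPDATE goes to the primary."""
    qid = secrets.randbelow(65536)
    zone, primary = soa_zone_and_mname(exchange(resolver, build_soa_query(fqdn, qid)), qid)
    uid = secrets.randbelow(65536)
    rcode = update_rcode(exchange(primary, build_update(zone, fqdn, ipv4, ttl, uid)), uid)
    return zone, primary, rcode

if __name__ == "__main__":
    print(register_via_soa("printer-7.dhcp.example.net.", "10.0.5.17", "unbound.gw", demo_exchange))
```

Against a real network, pass the default `udp_exchange` and the address of the resolver the client actually uses. The consequence for the separate-resolver design discussed above is that the resolver only has to answer (or forward) the SOA query for the AD zone and the DHCP-client zone to the servers holding them, for instance one Unbound `forward-zone` per zone pointing at the DCs or at the BIND/PowerDNS box; the update packets themselves go to the SOA MNAME, so that name must resolve to a server that is reachable from the clients and is willing to accept their updates.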