That means, for example, if my domain resolves

xxxxx.testing.mydomain.com

dnsmasq should NOT resolve xxxxxx.mydomain.com; is this in an ascending way?

Another way to put it:
We set dnsmasq+dhcp to tell clients that the only DNS server is the samba DC on
the domain name mysubdomain.mydomain.com

The DC, for example, resolves server1.mysubdomain.mydomain.com, right; now if a
client asks for ddddd.mydomain.com, does the DC respond, or ask dnsmasq for that,
or produce the horrible loop that you mentioned?

Regards

On Wed, 2 Sept 2020 at 11:53, Nick Howitt via samba (<samba at lists.samba.org>) wrote:
> On 02/09/2020 15:48, Rowland penny via samba wrote:
> >
> > On 02/09/2020 15:42, Nick Howitt via samba wrote:
> >> Or set dnsmasq as the primary DNS server, but include a line in your
> >> dnsmasq config:
> >> server=/your.dc.domain/your.dc.ip
> >
> > Don't do that. To be honest, I wouldn't use dnsmasq at all, but if I
> > had to, I wouldn't do that ;-)
> >
> > Rowland
>
> Curious about the reason? It means the DC looks after all the lookups
> for the LAN domain and dnsmasq looks after the rest. What you shouldn't
> then do is make the DC use dnsmasq as its upstream resolver or you can
> get into a horrible loop.

On 02/09/2020 16:15, jmpatagonia via samba wrote:
> That means, for example, if my domain resolves
>
> xxxxx.testing.mydomain.com
>
> dnsmasq should NOT resolve xxxxxx.mydomain.com; is this in an ascending way?
>
> Another way to put it:
> We set dnsmasq+dhcp to tell clients that the only DNS server is the samba DC on
> the domain name mysubdomain.mydomain.com
>
> The DC, for example, resolves server1.mysubdomain.mydomain.com, right; now if a
> client asks for ddddd.mydomain.com, does the DC respond, or ask dnsmasq for that,
> or produce the horrible loop that you mentioned?
>
> Regards

OK, if your dnsmasq server is in the 'mydomain.com' dns domain, and your DC was in the 'ad.mydomain.com', this would be okay. This would allow your domain clients (winpc.ad.mydomain.com, for instance) to ask the DC for the dns data for 'another-winpc.ad.mydomain.com' and the DC would reply with the data. However, if 'winpc' asked for the data for 'yetanother-winpc.mydomain.com', then the DC should realise 'I do not know this' and ask the dnsmasq server.

Rowland

I shouldn't advise on this any more if Rowland says not to do it.

If your AD domain is ad.mydomain.com and you have a line:

server=/ad.mydomain.com/192.168.x.y (AD DC Server's IP)

and the samba AD then uses dnsmasq for an upstream resolver, if you try to resolve something.ad.mydomain.com, dnsmasq will hand over the lookup to samba. If samba does not know about it, it can query the upstream resolver. If that is dnsmasq, it will hand the lookup back to AD which does not know it and so will hand it back to dnsmasq and it will go round in circles until it times out.

On 02/09/2020 16:15, jmpatagonia via samba wrote:
> That means, for example, if my domain resolves
>
> xxxxx.testing.mydomain.com
>
> dnsmasq should NOT resolve xxxxxx.mydomain.com; is this in an ascending way?
>
> Another way to put it:
> We set dnsmasq+dhcp to tell clients that the only DNS server is the samba DC on
> the domain name mysubdomain.mydomain.com
>
> The DC, for example, resolves server1.mysubdomain.mydomain.com, right; now if a
> client asks for ddddd.mydomain.com, does the DC respond, or ask dnsmasq for that,
> or produce the horrible loop that you mentioned?
>
> Regards
>
> On Wed, 2 Sept 2020 at 11:53, Nick Howitt via samba (<samba at lists.samba.org>) wrote:
>
>> On 02/09/2020 15:48, Rowland penny via samba wrote:
>>>
>>> On 02/09/2020 15:42, Nick Howitt via samba wrote:
>>>> Or set dnsmasq as the primary DNS server, but include a line in your
>>>> dnsmasq config:
>>>> server=/your.dc.domain/your.dc.ip
>>>
>>> Don't do that. To be honest, I wouldn't use dnsmasq at all, but if I
>>> had to, I wouldn't do that ;-)
>>>
>>> Rowland
>>
>> Curious about the reason? It means the DC looks after all the lookups
>> for the LAN domain and dnsmasq looks after the rest. What you shouldn't
>> then do is make the DC use dnsmasq as its upstream resolver or you can
>> get into a horrible loop.

On 02/09/2020 16:28, Rowland penny via samba wrote:
>
> On 02/09/2020 16:15, jmpatagonia via samba wrote:
>> That means, for example, if my domain resolves
>>
>> xxxxx.testing.mydomain.com
>>
>> dnsmasq should NOT resolve xxxxxx.mydomain.com; is this in an
>> ascending way?
>>
>> Another way to put it:
>> We set dnsmasq+dhcp to tell clients that the only DNS server is the samba
>> DC on the domain name mysubdomain.mydomain.com
>>
>> The DC, for example, resolves server1.mysubdomain.mydomain.com, right; now if a
>> client asks for ddddd.mydomain.com, does the DC respond, or ask dnsmasq for that,
>> or produce the horrible loop that you mentioned?
>>
>> Regards
>
> OK, if your dnsmasq server is in the 'mydomain.com' dns domain, and your
> DC was in the 'ad.mydomain.com', this would be okay. This would
> allow your domain clients (winpc.ad.mydomain.com, for instance) to ask
> the DC for the dns data for 'another-winpc.ad.mydomain.com' and the DC
> would reply with the data. However, if 'winpc' asked for the data for
> 'yetanother-winpc.mydomain.com', then the DC should realise 'I do not
> know this' and ask the dnsmasq server.
>
> Rowland

In your case the lookup for yetanother-winpc.mydomain.com shouldn't even hit the DC as dnsmasq will handle it directly as all lookups go via it. The problem comes if the DC ever needs dnsmasq to return any lookups. This will risk a loop as in the other part of the thread.
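
The forwarding loop discussed in this thread, traced in a small model (an added example, not part of any poster's message and not dnsmasq or Samba code). It follows the behaviour as described in the thread, where the DC forwards what it cannot answer; the server labels "dnsmasq", "dc" and "upstream" and all records are constructed.

```python
# Added example: a simplified model of DNS forwarding, not dnsmasq or Samba code.
# Server names ("dnsmasq", "dc", "upstream") and all records are constructed.

def in_domain(name, domain):
    """True if name equals domain or is a subdomain of it (whole labels only)."""
    return name == domain or name.endswith("." + domain)

def next_hop(server, name):
    """Decide what one server does with a query: answer it or forward it."""
    if name in server.get("records", ()):
        return "answer", None
    # Per-domain forwarding, like dnsmasq's server=/domain/ip; longest match wins.
    hits = [d for d in server.get("domain_forward", {}) if in_domain(name, d)]
    if hits:
        return "forward", server["domain_forward"][max(hits, key=len)]
    if server.get("forwarder"):
        return "forward", server["forwarder"]
    return "nxdomain", None

def trace(servers, start, name):
    """Follow a query from server to server; report a loop if one is revisited."""
    path, current = [start], start
    while True:
        action, target = next_hop(servers[current], name)
        if action != "forward":
            return action, path
        path.append(target)
        if target not in servers:      # leaves the LAN, e.g. an ISP resolver
            return "external", path
        if target in path[:-1]:        # already asked this server: forwarding loop
            return "loop", path
        current = target

DNSMASQ = {"records": {"yetanother-winpc.mydomain.com"},
           "domain_forward": {"ad.mydomain.com": "dc"},
           "forwarder": "upstream"}
DC_RECORDS = {"another-winpc.ad.mydomain.com"}
# The only difference between the two setups is the DC's forwarder.
LOOPING = {"dnsmasq": DNSMASQ, "dc": {"records": DC_RECORDS, "forwarder": "dnsmasq"}}
SAFE = {"dnsmasq": DNSMASQ, "dc": {"records": DC_RECORDS, "forwarder": "upstream"}}

if __name__ == "__main__":
    for label, setup in (("DC forwards to dnsmasq", LOOPING), ("DC forwards upstream", SAFE)):
        for name in ("another-winpc.ad.mydomain.com", "something.ad.mydomain.com",
                     "yetanother-winpc.mydomain.com"):
            result, path = trace(setup, "dnsmasq", name)
            print(f"{label:24} {name:32} {result:8} {' -> '.join(path)}")
```

Only the unknown name under ad.mydomain.com loops, and only when the DC's forwarder is dnsmasq; names the DC or dnsmasq can answer resolve the same way in both setups.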