vincent at cojot.name
2022-Apr-25 23:28 UTC
[Samba] declaring Bind9 DNS servers as slaves when using Samba AD/DC with BIND9_DLZ
Hi all,

I have a small isolated 'island' made of two Samba AD/DC VMs. It works fine but is not really fault-tolerant (if one hypervisor crashes, every Windows client will time out for 50% of DNS requests).

I was trying to set up my bind infra as DNS 'slaves' of the AD/DC zones but I'm struggling to make it work. I suspect this might be related to having to list my bind DNS servers as authoritative 'NS' servers for my AD DC zones.. Here's what I have:

On a RHEL8 bind DNS server, I have declarations such as:

zone "_msdcs.ad.lasthome.solace.krynn" IN {
    type slave;
    masters { 10.0.131.248; 10.0.131.249; };
    notify yes;
    file "zonedb/named.KRYNN_AD._msdcs";
    allow-transfer { any; };
    allow-query { any; };
};

(and the same kind of declaration for _sites, _tcp, _udp...)

On my samba AD/DC servers, I made sure to have:

allow-transfer { any; };

Alas, on the BIND9 dns servers, I see this:

25-Apr-2022 19:16:43.809 xfer-in: info: transfer of '_msdcs.ad.lasthome.solace.krynn/IN' from 10.0.131.249#53: Transfer status: REFUSED
25-Apr-2022 19:16:43.809 xfer-in: info: transfer of '_msdcs.ad.lasthome.solace.krynn/IN' from 10.0.131.249#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.001 secs (0 bytes/sec)

This can be matched to these logs on the Samba AD/DC servers:

25-Apr-2022 16:38:01.528 notify: notice: client @0x7f0a341063f0 10.0.128.242#12714: received notify for zone '_msdcs.ad.lasthome.solace.krynn': not authoritative

so communication works but dc01 refuses the zone transfer because it is coming from a server which is not authoritative:

Sure enough, when querying the SOA for any of these sub-domains, only my AD/DC servers are listed:

# dig @dc00 -t SOA _msdcs.ad.lasthome.solace.krynn
[...]
;; AUTHORITY SECTION:
_msdcs.ad.lasthome.solace.krynn. 900 IN NS dc01.ad.lasthome.solace.krynn.
_msdcs.ad.lasthome.solace.krynn. 900 IN NS dc00.ad.lasthome.solace.krynn.

So I have a few questions:

- How do I add my bind servers as 'proper' authoritative NS servers for the DNS zones hosted on my AD/DC bind servers? What is the proper way to do this? I tried using RSAT/DNS manager and enabling 'Bind secondaries' but this did not work with Samba AD/DC.

- Is it a bad idea to do this (add bind servers as authoritative DNS servers to my AD zones)? Might it break something in the future?

All comments/ideas needed.

Thank you,

Vincent
Rowland Penny
2022-May-04 09:17 UTC
[Samba] declaring Bind9 DNS servers as slaves when using Samba AD/DC with BIND9_DLZ
On Mon, 2022-04-25 at 19:28 -0400, Vincent S. Cojot via samba wrote:
> Hi all,
>
> I have a small isolated 'island' made of two Samba AD/DC VMs. It works
> fine but is not really fault-tolerant (if one hypervisor crashes, every
> Windows client will time out for 50% of DNS requests.
>
> I was trying to setup my bind infra as DNS 'slaves' of the AD/DC zones but
> I'm struggling to make it work. I suspect this might be related to having
> to list my bind DNS servers as authoritative 'NS' servers for my AD DC
> zones.. Here's what I have:
>
> On a RHEL8 bind DNS server, I have declarations such as:
> zone "_msdcs.ad.lasthome.solace.krynn" IN {
>     type slave;
>     masters { 10.0.131.248; 10.0.131.249; };
>     notify yes;
>     file "zonedb/named.KRYNN_AD._msdcs";
>     allow-transfer { any; };
>     allow-query { any; };
> };
> (and the same kind of declaration for _sites, _tcp, _udp...)
>
> On my samba, AD/DC servers, I made sure to have:
> allow-transfer { any; };
>
> Alas, on the BIND9 dns servers, I see this:
> 25-Apr-2022 19:16:43.809 xfer-in: info: transfer of
> '_msdcs.ad.lasthome.solace.krynn/IN' from 10.0.131.249#53: Transfer
> status: REFUSED
> 25-Apr-2022 19:16:43.809 xfer-in: info: transfer of
> '_msdcs.ad.lasthome.solace.krynn/IN' from 10.0.131.249#53: Transfer
> completed: 0 messages, 0 records, 0 bytes, 0.001 secs (0 bytes/sec)
>
> This can be matched to these logs on the Samba AD/DC servers:
> 25-Apr-2022 16:38:01.528 notify: notice: client @0x7f0a341063f0
> 10.0.128.242#12714: received notify for zone
> '_msdcs.ad.lasthome.solace.krynn': not authoritative
>
> so communication works but dc01 refuses the zone transfer because it is
> coming from a server which is not authoritative:
>
> Sure enough, when querying the SOA for any of these sub-domains, only my
> AD/DC servers are listed:
>
> # dig @dc00 -t SOA _msdcs.ad.lasthome.solace.krynn
> [...]
> ;; AUTHORITY SECTION:
> _msdcs.ad.lasthome.solace.krynn. 900 IN NS dc01.ad.lasthome.solace.krynn.
> _msdcs.ad.lasthome.solace.krynn. 900 IN NS dc00.ad.lasthome.solace.krynn.
>
> So I have a few questions:
>
> - How do I add my bind servers as 'proper' authoritative NS servers for
> the DNS zones hosted on my AD/DC bind servers. What is the proper way to
> do this? I tried using RSAT/DNS manager and enabling 'Bind secondaries'
> but this did not work with Samba AD/DC.
>
> - Is it a Bad idea to do this (add bind servers as authoritative DNS
> servers to my AD zones)? Might it break something in the future?
>
> All comments/ideas needed.
>
> Thank you,
>
> Vincent

Sorry to be late in replying, but you need 4 things:

To be running Samba >= 4.15.0

On the DC with the PDC_Emulator FSMO role, you have 'dns zone transfer clients allow = IP_OF_THE_SLAVE_DNS_SERVER' in the smb.conf

The DC is running a Bind9 dns server with 'allow-transfer { IP_OF_THE_SLAVE_DNS_SERVER; };' in /etc/bind/named.conf.options

Your zones in /etc/bind/named.conf.local, similar to these

zone "ad.lasthome.solace.krynn" IN {
    type slave;
    file "/var/cache/bind/named.KRYNN_AD";
    masters { 10.0.131.248; };
};

zone "_msdcs.ad.lasthome.solace.krynn" IN {
    type slave;
    file "/var/cache/bind/named.KRYNN_AD._msdcs";
    masters { 10.0.131.248; };
};

zone "0.131.10.in-addr.arpa" IN {
    type slave;
    file "/var/cache/bind/reverse.KRYNN_AD";
    masters { 10.0.131.248; };
};

Where '10.0.131.248' is the IP of the DC with the PDC_Emulator FSMO role. It may work with multiple DC's but I haven't tested it.

Rowland
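Rowland's answer makes the point that an outbound zone transfer from a Samba AD/DC running BIND9_DLZ is gated in two places: the 'dns zone transfer clients allow' list in smb.conf and the 'allow-transfer' ACL in named.conf.options. If either one leaves the secondary out, the secondary sees exactly the 'Transfer status: REFUSED' lines Vincent posted. The following Python is an added example, not code from this thread, from Samba or from ISC BIND: it checks a secondary's IP against both gates and scans BIND xfer-in log lines for transfers that did not succeed. It assumes the smb.conf value is a whitespace- or comma-separated list of addresses or networks, that the allow-transfer ACL is written inline (named ACLs and '!' negation are not handled), and that log lines follow the format shown in the original post; the smb.conf, named.conf.options and log fragments are constructed sample inputs.

```python
"""Check both zone-transfer gates on a Samba AD/DC (BIND9_DLZ) and spot
refused transfers in BIND xfer-in logs. Added example; sample data is
constructed and the parsing assumptions are stated in the comments."""
import re
from ipaddress import ip_address, ip_network

# Constructed smb.conf fragment as it would appear on the PDC-Emulator DC.
SMB_CONF = """
[global]
    server role = active directory domain controller
    dns zone transfer clients allow = 10.0.128.242
"""

# Constructed named.conf.options fragment on the same DC.
NAMED_CONF_OPTIONS = """
options {
    directory "/var/cache/bind";
    allow-transfer { 10.0.128.242; };
};
"""

# Constructed xfer-in log lines, modelled on the ones in the original post.
XFER_LOG = """\
25-Apr-2022 19:16:43.809 xfer-in: info: transfer of '_msdcs.ad.lasthome.solace.krynn/IN' from 10.0.131.249#53: Transfer status: REFUSED
25-Apr-2022 19:16:43.809 xfer-in: info: transfer of '_msdcs.ad.lasthome.solace.krynn/IN' from 10.0.131.249#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.001 secs (0 bytes/sec)
25-Apr-2022 19:20:01.100 xfer-in: info: transfer of 'ad.lasthome.solace.krynn/IN' from 10.0.131.248#53: Transfer status: success
"""


def smb_transfer_clients(conf):
    """Networks listed in 'dns zone transfer clients allow' (assumed to be a
    whitespace/comma separated list of addresses or CIDR networks)."""
    m = re.search(r'^\s*dns zone transfer clients allow\s*=\s*(.*)$', conf, re.M)
    if not m:
        return []
    tokens = [t for t in re.split(r'[\s,]+', m.group(1).strip()) if t]
    return [ip_network(t, strict=False) for t in tokens]


def bind_allow_transfer(conf):
    """Raw entries of the first inline 'allow-transfer { ...; };' ACL."""
    m = re.search(r'allow-transfer\s*\{([^}]*)\}', conf)
    if not m:
        return []
    return [t.strip() for t in m.group(1).split(';') if t.strip()]


def bind_acl_allows(acl, ip):
    """First-match evaluation of a simple BIND address ACL: 'any', 'none',
    addresses and CIDR networks only (named ACLs and '!' are not handled)."""
    addr = ip_address(ip)
    for entry in acl:
        if entry == 'any':
            return True
        if entry == 'none':
            return False
        if addr in ip_network(entry, strict=False):
            return True
    return False  # BIND denies anything that matches no entry


def check_slave_permitted(slave_ip, smb_conf, named_conf):
    """Return the names of the gates that do NOT admit the secondary.
    An empty list means both Samba and BIND will accept its AXFR."""
    addr = ip_address(slave_ip)
    missing = []
    if not any(addr in net for net in smb_transfer_clients(smb_conf)):
        missing.append('smb.conf: dns zone transfer clients allow')
    if not bind_acl_allows(bind_allow_transfer(named_conf), slave_ip):
        missing.append('named.conf.options: allow-transfer')
    return missing


LOG_RE = re.compile(
    r"xfer-in: \w+: transfer of '(?P<zone>[^/']+)/IN' from "
    r"(?P<master>[\d.]+)#\d+: Transfer status: (?P<status>\S+)")


def refused_transfers(log_text):
    """(zone, master) pairs whose most recent 'Transfer status' is not
    'success'; 'Transfer completed' lines carry no status and are skipped."""
    status = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            status[(m['zone'], m['master'])] = m['status']
    return sorted(k for k, v in status.items() if v != 'success')


if __name__ == '__main__':
    for zone, master in refused_transfers(XFER_LOG):
        print(f'transfer of {zone} from {master} is failing')
    gaps = check_slave_permitted('10.0.128.242', SMB_CONF, NAMED_CONF_OPTIONS)
    print('secondary permitted by both gates' if not gaps else
          'secondary missing from: ' + ', '.join(gaps))
```

Run it on the real files with the secondary's address and it reports which of the two gates still blocks the transfer; a REFUSED entry in the log with an empty gap list usually means the secondary is asking the wrong DC (Rowland's note about the PDC Emulator) rather than a configuration omission.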
L.P.H. van Belle
2022-May-04 10:26 UTC
[Samba] declaring Bind9 DNS servers as slaves when using Samba AD/DC with BIND9_DLZ
Small tip on this one.

Yes, below what Rowland suggests works fine, I use(d) it also. Only you might have/see delays in updating the slave zones. I didn't like that, so I changed it to forward zones.

//// Rotterdam SLAVE
zone "ad.lasthome.solace.krynn" IN {
    type forward;
    forward first;
    forwarders { IP_DC; IP_OTHER_DC; };
};

zone "0.131.10.in-addr.arpa" {
    type forward;
    forward first;
    forwarders { IP_DC; IP_OTHER_DC; };
};

Done, no delays on resolving due to unsynced slaves.

Greetz,

Louis

> -----Original message-----
> From: samba On behalf of Rowland Penny via samba
> Sent: Wednesday 4 May 2022 11:17
> To: samba at lists.samba.org
> CC: Rowland Penny <rpenny at samba.org>
> Subject: Re: [Samba] declaring Bind9 DNS servers as slaves when using
> Samba AD/DC with BIND9_DLZ
>
> On Mon, 2022-04-25 at 19:28 -0400, Vincent S. Cojot via samba wrote:
> > Hi all,
> >
> > I have a small isolated 'island' made of two Samba AD/DC VMs. It works
> > fine but is not really fault-tolerant (if one hypervisor crashes, every
> > Windows client will time out for 50% of DNS requests.
> >
> > I was trying to setup my bind infra as DNS 'slaves' of the AD/DC zones but
> > I'm struggling to make it work. I suspect this might be related to having
> > to list my bind DNS servers as authoritative 'NS' servers for my AD DC
> > zones.. Here's what I have:
> >
> > On a RHEL8 bind DNS server, I have declarations such as:
> > zone "_msdcs.ad.lasthome.solace.krynn" IN {
> >     type slave;
> >     masters { 10.0.131.248; 10.0.131.249; };
> >     notify yes;
> >     file "zonedb/named.KRYNN_AD._msdcs";
> >     allow-transfer { any; };
> >     allow-query { any; };
> > };
> > (and the same kind of declaration for _sites, _tcp, _udp...)
> >
> > On my samba, AD/DC servers, I made sure to have:
> > allow-transfer { any; };
> >
> > Alas, on the BIND9 dns servers, I see this:
> > 25-Apr-2022 19:16:43.809 xfer-in: info: transfer of
> > '_msdcs.ad.lasthome.solace.krynn/IN' from 10.0.131.249#53: Transfer
> > status: REFUSED
> > 25-Apr-2022 19:16:43.809 xfer-in: info: transfer of
> > '_msdcs.ad.lasthome.solace.krynn/IN' from 10.0.131.249#53: Transfer
> > completed: 0 messages, 0 records, 0 bytes, 0.001 secs (0 bytes/sec)
> >
> > This can be matched to these logs on the Samba AD/DC servers:
> > 25-Apr-2022 16:38:01.528 notify: notice: client @0x7f0a341063f0
> > 10.0.128.242#12714: received notify for zone
> > '_msdcs.ad.lasthome.solace.krynn': not authoritative
> >
> > so communication works but dc01 refuses the zone transfer because it is
> > coming from a server which is not authoritative:
> >
> > Sure enough, when querying the SOA for any of these sub-domains, only my
> > AD/DC servers are listed:
> >
> > # dig @dc00 -t SOA _msdcs.ad.lasthome.solace.krynn
> > [...]
> > ;; AUTHORITY SECTION:
> > _msdcs.ad.lasthome.solace.krynn. 900 IN NS dc01.ad.lasthome.solace.krynn.
> > _msdcs.ad.lasthome.solace.krynn. 900 IN NS dc00.ad.lasthome.solace.krynn.
> >
> > So I have a few questions:
> >
> > - How do I add my bind servers as 'proper' authoritative NS servers for
> > the DNS zones hosted on my AD/DC bind servers. What is the proper way to
> > do this? I tried using RSAT/DNS manager and enabling 'Bind secondaries'
> > but this did not work with Samba AD/DC.
> >
> > - Is it a Bad idea to do this (add bind servers as authoritative DNS
> > servers to my AD zones)? Might it break something in the future?
> >
> > All comments/ideas needed.
> >
> > Thank you,
> >
> > Vincent
>
> Sorry to be late in replying, but you need 4 things:
>
> To be running Samba >= 4.15.0
>
> On the DC with the PDC_Emulator FSMO role, you have 'dns zone transfer
> clients allow = IP_OF_THE_SLAVE_DNS_SERVER' in the smb.conf
>
> The DC is running a Bind9 dns server with 'allow-transfer {
> IP_OF_THE_SLAVE_DNS_SERVER; };' in /etc/bind/named.conf.options
>
> Your zones in /etc/bind/named.conf.local, similar to these
>
> zone "ad.lasthome.solace.krynn" IN {
>     type slave;
>     file "/var/cache/bind/named.KRYNN_AD";
>     masters { 10.0.131.248; };
> };
>
> zone "_msdcs.ad.lasthome.solace.krynn" IN {
>     type slave;
>     file "/var/cache/bind/named.KRYNN_AD._msdcs";
>     masters { 10.0.131.248; };
> };
>
> zone "0.131.10.in-addr.arpa" IN {
>     type slave;
>     file "/var/cache/bind/reverse.KRYNN_AD";
>     masters { 10.0.131.248; };
> };
>
> Where '10.0.131.248' is the IP of the DC with the PDC_Emulator FSMO
> role. It may work with multiple DC's but I haven't tested it.
>
> Rowland