Samba Internal DNS Back End

From SambaWiki

Introduction

The internal DNS server is built into Samba and uses AD as its backend. It is the default DNS solution when provisioning a new Samba AD DC or upgrading from a Samba NT4 domain to Samba AD. Because the information the DNS server uses is stored in AD, you do not need to create any extra databases.

An alternative backend is BIND_DLZ.



Configuration

If you have chosen the internal DNS as the backend for your environment, there are only two options you can add to your smb.conf to control the behaviour of DNS at this point:

# Don't allow any updates | allow unsigned updates | only allow signed updates
allow dns updates = False | nonsecure | signed

# If you require recursive queries, i.e. queries for names outside the AD domain, the following is also needed.
# Samba 4.5 and later supports a space-separated list of IPs. Older versions support only one IP.
dns forwarder = <ip addr of external dns server>
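As an added example (not part of the Samba project or this wiki page), the following POSIX shell script reads the two parameters above out of an smb.conf, classifies the dynamic-update policy and counts forwarders, so an administrator can check a DC's configuration before deployment. It runs against two constructed smb.conf fragments created by the script itself. The value synonyms it accepts ("secure only", "nonsecure and secure", "disabled") are taken from the smb.conf(5) man page as the author recalls them and are an assumption; confirm them against testparm -v on your Samba version.

```shell
#!/bin/sh
# Added audit script (not Samba code): reports the internal-DNS settings
# of an smb.conf. Assumption: synonyms follow smb.conf(5) as recalled here.

# Effective value of one [global] parameter, lower-cased and trimmed.
# Samba semantics: a later occurrence overrides an earlier one; '#' and ';'
# start comment lines; parameter names ignore case and whitespace.
smb_global_value() {   # $1 = smb.conf path, $2 = parameter name
    _want=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | tr -d ' \t')
    awk -v want="$_want" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/ {
            sec = tolower($0); sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            gsub(/[ \t]/, "", sec); next
        }
        sec == "global" && index($0, "=") > 0 {
            key = tolower(substr($0, 1, index($0, "=") - 1)); gsub(/[ \t]/, "", key)
            if (key == want) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val); found = tolower(val)
            }
        }
        END { if (found != "") print found }' "$1"
}

# Map "allow dns updates" to a policy class. Unset means Samba's default,
# which is signed-only ("secure only").
dns_update_policy() {   # prints: signed | nonsecure | disabled | unknown
    case "$(smb_global_value "$1" 'allow dns updates')" in
        ''|signed|secure|'secure only')     echo signed ;;
        nonsecure|'nonsecure and secure')   echo nonsecure ;;
        false|no|disabled)                  echo disabled ;;
        *)                                  echo unknown ;;
    esac
}

# Number of forwarder addresses listed (0 when none). Only Samba 4.5 and
# later honour more than one, so a count above 1 matters on older builds.
dns_forwarder_count() {
    set -- $(smb_global_value "$1" 'dns forwarder')
    echo $#
}

# Human-readable report; returns 1 when something needs attention.
audit_dns() {
    rc=0
    case "$(dns_update_policy "$1")" in
        signed)    echo "ok:   allow dns updates = signed-only (the default)" ;;
        disabled)  echo "ok:   dynamic DNS updates are disabled" ;;
        nonsecure) echo "WEAK: unsigned (unauthenticated) dynamic updates are accepted"; rc=1 ;;
        *)         echo "WARN: unrecognised 'allow dns updates' value"; rc=1 ;;
    esac
    n=$(dns_forwarder_count "$1")
    if [ "$n" -eq 0 ]; then
        echo "note: no dns forwarder set; names outside the AD domain will not resolve"
    else
        echo "ok:   $n forwarder(s) configured"
    fi
    return $rc
}

# Two constructed smb.conf fragments (not real deployments) to run against.
WORK=$(mktemp -d)
cat > "$WORK/weak.conf" <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = AD.EXAMPLE.COM
    server role = active directory domain controller
    ; accepts unsigned updates
    Allow DNS Updates = nonsecure
EOF
cat > "$WORK/hardened.conf" <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = AD.EXAMPLE.COM
    server role = active directory domain controller
    allow dns updates = nonsecure
    # the later occurrence wins, as in Samba
    allow dns updates = signed
    dns forwarder = 192.0.2.53 192.0.2.54
EOF

for f in "$WORK/weak.conf" "$WORK/hardened.conf"; do
    echo "== $f"
    audit_dns "$f" || echo "      -> review required"
done
```

The parser deliberately mirrors how Samba reads smb.conf (case- and whitespace-insensitive names, last value wins) so that a file with a stray second "allow dns updates" line is judged by the value Samba will actually apply; on a live DC, comparing its output with testparm -s is a quick sanity check.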



Limitations / Known issues

  • The internal server is not a caching resolver.
  • The internal server by default only comes with a working forward zone; if you need a reverse zone, see instructions here.
  • The samba_dnsupdate command produces warnings when used with signed updates. We're currently investigating a fix for the warnings, but the updates actually succeed. Client systems like samba3 or Win7 work fine.
  • Currently, recursive queries are not possible without using a forwarder.
  • Negative replies do not come with an authority record (not required by RFC, but Windows seems to like that).
  • Shared-key TSIG is not implemented.
  • Stub zones are not implemented.
  • Zone transfers (AXFR) are not allowed from the internal Samba DNS server.



Tests

Run during make test

TDB_NO_FSYNC=1 make test TESTS=samba.tests.dns

Run against external servers (Windows or BIND)

SERVER_IP=<dns server ip> SERVER=<dns server name> REALM=<dns server domain name part> PYTHONPATH=`pwd`/bin/python ./source4/scripting/bin/subunitrun samba.tests.dns



Troubleshooting

TBD.