Integrating Samba’s DNS server with existing dnsmasq installations

As an Active Directory encompasses not only LDAP and Kerberos but also DNS and there are funny things Microsoft does with DNS (dynamic updates, special SRV records to locate hosts etc.), running Samba as an Active Directory domain controller means running either the built-in DNS server or bind9 with a special DLZ plugin.

dnsmasq integration has been discussed but seems to have been abandoned not so much for technical reasons than rather for lack of real interest on both sides. There is at least this HOWTO that works around the technical issues by teaching dnsmasq the necessary SRV records manually, but even then you won’t have dynamic DNS updates the way Samba needs them and it is more of a hack definitely unsupported by the Samba team than a viable solution.

Running dnsmasq is feasible not so much as an alternative running on the Samba host itself, but, at least in my idea of SOHO networking, it’s pre-destined for embedded devices such as access points and routers and accordingly the default DNS forwarder in OpenWrt. Having DNS resolution depend on a “higher-level” DNS service provided by Samba would contradict that concept. Apart from the fact that Samba’s DNS server would require support for every single feature existing DNS servers (such as dnsmasq) already have — or bind be used, a software I do not really miss particularly much (think zone files).

Obviously I can’t achieve the desired isolation of a basic network service such as DNS and a productive service such as Samba with a single DNS zone, as there is no such thing as zone sharing. So I’ll need two DNS zones: mysite.foo.bar and either ad.mysite.foo.bar or mysite.ad.foo.bar. The latter choice would be preferable if we were to seriously use Active Directory features such as forests and sites but also mean that there would be a “parallel forest” of “conventional” DNS zones and the need to have a foo.bar DNS server that supports delegations. As Samba 4 currently supports running a single Active Directory domain controller only anyway, I’ll go with the former:

DNS zone Managed by Running on
mysite.foo.bar dnsmasq OpenWrt-based access point/router
ad.mysite.foo.bar Samba “Real” server

Now I do, of course, have only one DHCP service at my “site”. Technically it could supply multiple DNS servers but you wouldn’t want that since you can’t control your clients’ resolvers’ behavior via DHCP (ie. when which DNS server is tried). And there’s no need to, because here comes the elegant part: all clients continue to receive the IP address of an OpenWrt device as DNS server which is authoritative for mysite.foo.bar. Requests for *.ad.foo.bar simply get delegated to the Samba host with a dnsmasq configuration such as the following:


# Local dnsmasq instance is responsible for
# mysite.foo.bar
domain=mysite.foo.bar
server=/mysite.foo.bar/

# DNS delegation for ad.mysite.foo.bar
server=/ad.mysite.foo.bar/192.168.0.1

# If rebind protection is on, this is
# required to avoid warnings on DNS
# rebinding attacks
rebind-domain-ok=ad.mysite.foo.bar

# Upstream DNS server, handles everything
# outside ad.mysite.foo.bar and mysite.foo.bar
server=192.168.0.254

Note that having two DNS zones does not imply that you need to have two IP subnets. It’s perfectly fine to have both baz.mysite.foo.bar and baz.ad.mysite.foo.bar point at 192.168.0.1 and have reverse lookup of the IP address resolve to baz.mysite.foo.bar, as long as you configure Kerberos client configuration accordingly (the rdns = false option described at the end of my sssd-ad configuration post).

This way, if the Samba server goes down, only the ad.mysite.foo.bar zone will be affected, not mysite.foo.bar as a whole. Neat :)

Leave a comment