Re: [Samba] DHCP and DNS

Hi David,

I know this is samba list and I am hoping that someone with MS AD
experience can answer this definitively.

Does AD have some kind of data exchange between dhcp and dns so that
systems which receive a dhcp lease from an AD DC more reliably register
their hostname with AD DNS?  Looking at the RFC I couldn't see any reason
why this should be the case. But it seems that host name registration for
all DHCP devices is much more consistent when using AD for the dhcp
service. Previously we were using our cisco router. It was rather hit and
miss with DNS registrations that way. We switched to using AD DHCP about 3
months ago and the number of host names registered to AD DNS seems to have
really improved.

Sorry this isn't strictly a SAMBA question, but I thought if AD had some
kind of API or data exchange between DHCP and DNS, then samba might also
have it.

There is some kind of integration between MS DHCP and MS AD for sure: when doing migration from samba3 to samba4, if one has a MS DHCP service, then you need to "register" the DHCP service from the MS DHCP console after migration, otherwise it stops delivering leases. I usually switch to ISC DHCP at one point or the other, so I didn't dig into the rationale behind that.

However for registration, my understanding is that in any case registration goes through authenticated DNS queries from workstation/server domain members. It is the only way to ensure that a workstation or server can only register its own name as DNS entry.

Otherwise, with the automatic registration from DHCP service to DNS, then you technically allow any desktop/phone/IoT to register WPAD and ISATAP DNS entry and MITM all the traffic that has autodiscovery enabled, or change the IP address of your file server or anything else... Actually the two WPAD/ISATAP entries are blocked by default on a MS DNS server since MSAD2k3, but I think you see my point. Securing your DNS is paramount for overall network security.

When you were using your cisco routers as DHCP server, did you provide the IP address of domain controllers as DNS server, or did you have the cisco doing DNS forwarding?

Cheers,

Denis


--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
