Re: [Samba] Which DNS to use for DHCP hostname/IP updates from non-AD & AD nodes?
- Date: Thu, 15 Feb 2018 09:34:54 +0000
- From: Kristján Valur Jónsson via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Which DNS to use for DHCP hostname/IP updates from non-AD & AD nodes?
I have a setup with dhcp registering addresses with BIND9 (which again
uses BIND9_DLZ), as is described in the samba wiki.
Never does the wiki suggest that this may be a security problem.
Anyway, it's very convenient to have non-AD entities just show up in DNS.
Ideally, such non-authenticated thingies should be in a subdomain, but as
it is, all is lumped into one domain :)
That samba AD wiki really could use some "best practices" page.
On 14 February 2018 at 12:54, Ken McDonald via samba <samba@xxxxxxxxxxxxxxx>
> I suspected something odd and possibly too invasive was being done by the
> BIND9_DLZ module, especially because of the need to relax AppArmor on
> Ubuntu. Resolving that security problem really should be a development
> priority, but I also realize it's a resource and time issue. I suppose
> because it is not a direct security vulnerability and would require Bind9
> to be compromised there is faith it won't happen in most cases.
> Regarding the DHCP/DNS and rogue clients, I suppose I hadn't factored that
> it in even though I've been using a similar configuration for years. I was
> using it so there was automatic availability on the network of simple
> devices by hostname, like Cisco switches and random VM's spun up for
> testing. As bad as the implementation is, the MS world has that nice
> NETBIOS broadcast thingy that I believe generally lets you find
> non-AD-joined Windows clients on the same subnet. I was looking for the
> same functionality from non-Windows network nodes.
> Guess I'll look into either another layer of security that accomplishes
> the goal without allowing rogue malicious DHCP/DNS attacks, or just
> register the host names manually. There may be an existing feature or
> script available on a Linux node to securely update DNS after DHCP. Maybe
> the same is possible for Cisco, etc.
> Thanks for your insight.
Kristján Valur Jónsson, RVX
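One way to realise the subdomain separation Kristján describes above (DHCP-learned names kept out of the AD zone), written here as an added example rather than anything taken from the thread or the Samba wiki: a BIND9 named.conf fragment and an ISC DHCP dhcpd.conf fragment that confine the DHCP server's TSIG key to a dedicated zone. The zone name dhcp.example.com, the key name dhcp-updater, the zone file path and the secret placeholder are all assumptions.

```conf
# ===== named.conf fragment (added example) =====
# TSIG key shared only between BIND9 and the DHCP server.
# The secret is a placeholder; generate a real one with tsig-keygen.
key "dhcp-updater" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";
};

# The AD zone itself stays with Samba's BIND9_DLZ module (configured as
# in the wiki setup, not repeated here) and gets no grant for this key,
# so a rogue DHCP client can only ever influence names in the zone below.

# Dedicated zone for unauthenticated, DHCP-registered hosts.
# 'zonesub' limits the key to names at or below dhcp.example.com.
zone "dhcp.example.com" {
    type master;
    file "/var/lib/bind/dhcp.example.com.zone";
    update-policy {
        grant dhcp-updater zonesub ANY;
    };
};

# ===== dhcpd.conf fragment (added example) =====
# Register leases under the separate subdomain only, never under the AD domain.
ddns-update-style interim;
ddns-updates on;
ddns-domainname "dhcp.example.com.";

# Same key material as in named.conf above (placeholder secret).
key dhcp-updater {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";
}

# Point the DHCP server's updates at the BIND9 instance serving that zone.
zone dhcp.example.com. {
    primary 127.0.0.1;
    key dhcp-updater;
}
```

A host that obtains a lease and announces itself as "printer" then appears as printer.dhcp.example.com, while the AD zone keeps accepting only its own authenticated updates.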