Web lists-archives.com

Re: [Samba] samba_dns_question




On Tue, 22 Jan 2019 17:18:16 +0100
"L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx> wrote:

> 
> > -----Oorspronkelijk bericht-----
> > Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens 
> > Rowland Penny via samba
> > Verzonden: dinsdag 22 januari 2019 16:35
> > Aan: L. van Belle via samba
> > Onderwerp: Re: [Samba] samba_dns_question
> > 
> > On Tue, 22 Jan 2019 16:16:15 +0100
> > "L. van Belle via samba" <samba@xxxxxxxxxxxxxxx> wrote:
> > 
> > > Hai Rowland, 
> > > 
> > > I think you are mixing a few settings. 
> > > 
> > > 
> > http://www.zytrax.com/books/dns/ch7/queries.html#additional-from-auth
> > >  additional-from-auth yes | no ;
> > >  additional-from-cache yes | no ; 
> > > 
> > 
> > I have never set those options
> Correct but they default to yes. 

So, there is no need to discuss them ;-)

> > > 
> > > www.zytrax.com/books/dns/ch7/queries.html#auth-nxdomain
> > > auth-nxdomain yes | no;
> > > 
> > > If auth-nxdomain is 'yes' allows the server to answer
> > > authoritatively (the AA bit is set) when returning NXDOMAIN
> > > (domain does not exist) answers, if 'no' (the default) the server
> > > will not answer authoritatively. 
> > > 
> > > And
> > 
> > I don't set that and so it defaults to 'no' and does it matter
> > whether the AD is Authoritative for a non existing domain or not ?
> 
> For a non existing domain not, its never authoritive. 
> But the AD-DC DNS is the dns root for the zone.

Yes, but 'auth-nxdomain' has nothing to do with a server being
authoritative for a domain, it is the SOA records that set this.

> 
> > 
> > 
> > > 
> > > http://www.zytrax.com/books/dns/ch7/queries.html#empty-zones-enable
> > > empty-zones-enable yes | no ;
> > > 
> > > By default empty-zones-enable is set to yes which means that
> > > reverse queries for IPv4 and IPv6 addresses 
> > > covered by RFCs 1918, 4193, 5737 and 6598 (as well as IPv6 local
> > > address (locally assigned), 
> > > IPv6 link local addresses, the IPv6 loopback address and the IPv6
> > > unknown address) 
> > > but which is not not covered by a locally defined zone clause will
> > > automatically return an NXDOMAIN response from the local 
> > name server. 
> > > This prevents reverse map queries to such addresses escaping to
> > > the DNS hierarchy where 
> > > they are simply noise and increase the already high level of query
> > > pollution caused by mis-configuration.
> > > 
> > 
> > OK, I will give you that one, it probably would be better if 
> > it was set to yes, which really means not having the line.
> > 
> 
> No, argg.. How can i explain this.. 
> Hmm very short version, it might block queries to 10.0.0.0/8
> 172.16.0.0/12  192.168.0.0/16 
> 

If they are not AD reverse zones then the AD DNS server shouldn't
really know anything about them, any queries for them should be
forwarded to another dns server that does know about them.

Rowland
 


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba