On 15. 05. 24 17:21, Peter Carlson wrote:
As I understand it, bind_dlz does not support multiple views. I have the following scenario and am trying to figure out how to configure it:

  * Internal (192.168.10.0/24)
      o resolve internal domain xyz.com
      o resolve internal samba domain xyz.lab
      o resolve single address xyz.3cx.us to 192.168.10.25
  * External is resolved by a different server and xyz.3cx.us resolves
    to a public address
  * VPN (10.9.0.0/24)
      o resolve internal domain xyz.com
      o resolve internal samba domain xyz.lab
      o resolve single address xyz.3cx.us via normal public dns or
        alternatively resolve to external address

I initially set this up with views:

    acl internals { 192.168.10.0/24; 192.168.11.0/24; localhost; };
    acl vpn   { 10.9.0.0/24; };

    view trusted {
        match-clients { internals; };
        zone "MYDOMAIN.com" IN { type master; file "/etc/bind/db.MYDOMAIN.com"; allow-update { none; }; };
        zone "3cx.us" IN { type master; file "/etc/bind/db.3cx.us"; allow-update { none; }; };
    };

    view vpn {
        match-clients { vpn; };
        zone "MYDOMAIN.com" IN { type master; file "/etc/bind/db.MYDOMAIN.com"; allow-update { none; }; };
    };

But this crashes as soon as I add:

    dlz "AD DNS Zone" {
        database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_18.so";
    };

So I split out DNS from ADDC, configured bind on the DC to forward to another DNS and set up views there, but that doesn't work either, as all requests now come from the IP of the DC and so the ACLs won't match.

Any ideas how I can accomplish this?

The DLZ interface does support views and there is no reason why it should crash. This might be a bug in the Samba DLZ module, so I suggest you:

1. Write complete bug reports including all and exact version numbers
2. Add complete minimal configuration which demonstrates the issue
3. Take it to the relevant Samba DLZ mailing list

If there are bugs in BIND we will have a look.

Good luck!

--
Petr Špaček
Internet Systems Consortium