
BIND DNS Reverse Update

Samba - General mailing list
Hello,

On my Samba AD with the BIND DLZ backend, it looks like reverse updates do
not work.

dig winclient.example.com resolves to an IP
dig -x IP does not resolve the hostname

In the bind log I see
client 192.168.30.148#57598: update 'example.com/IN' denied

my named.conf

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
// samba AD
include "/var/lib/samba/private/named.conf";
// logging
include "/etc/bind/named.conf.log";

/var/lib/samba/private/named.conf looks like

dlz "AD DNS Zone" {
    # For BIND 9.8.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";

    # For BIND 9.9.x
     database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";

    # For BIND 9.10.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";
};

I also have a /var/lib/samba/private/named.conf.update with an update
policy for my zone, which I have also tried to include in my zone file, but
that does not seem to work with dlz.

How can I include an update policy to my zone?

Best Regards
Basti

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: BIND DNS Reverse Update

On Wed, 12 Apr 2017 12:34:32 +0200
basti via samba <[hidden email]> wrote:

> Hello,
>
> On my Samba AD with the BIND DLZ backend, it looks like reverse updates do
> not work.
>
> dig winclient.example.com resolves to an IP
> dig -x IP does not resolve the hostname
>
> In the bind log I see
> client 192.168.30.148#57598: update 'example.com/IN' denied
>

Have you actually created the reverse zone?

Rowland

Re: BIND DNS Reverse Update

In named.conf.local I have a reverse zone

zone "30.168.192.in-addr.arpa" {
        type master;
        notify yes;
        include "/etc/bind/xfer-policy";
        file "/etc/bind/db.30.168.192";
};


On 12.04.2017 at 12:50, Rowland Penny via samba wrote:

> On Wed, 12 Apr 2017 12:34:32 +0200
> basti via samba <[hidden email]> wrote:
>
>> Hello,
>>
>> On my Samba AD with the BIND DLZ backend, it looks like reverse updates do
>> not work.
>>
>> dig winclient.example.com resolves to an IP
>> dig -x IP does not resolve the hostname
>>
>> In the bind log I see
>> client 192.168.30.148#57598: update 'example.com/IN' denied
>>
>
> Have you actually created the reverse zone?
>
> Rowland
>

Re: BIND DNS Reverse Update

On Wed, 12 Apr 2017 13:12:42 +0200
basti via samba <[hidden email]> wrote:

> In named.conf.local I have a reverse zone
>
> zone "30.168.192.in-addr.arpa" {
>         type master;
>         notify yes;
>         include "/etc/bind/xfer-policy";
>         file "/etc/bind/db.30.168.192";
> };
>

You should remove this and create the reverse zone in AD with
samba-tool, this is where it belongs.

Rowland


Re: BIND DNS Reverse Update

OK, I have done that and added a reverse zone to my AD.
Manually added values are found now.
Automatic updates (by a client, like ipconfig /renew) are still denied.


On 12.04.2017 at 13:28, Rowland Penny via samba wrote:

> On Wed, 12 Apr 2017 13:12:42 +0200
> basti via samba <[hidden email]> wrote:
>
>> In named.conf.local I have a reverse zone
>>
>> zone "30.168.192.in-addr.arpa" {
>>         type master;
>>         notify yes;
>>         include "/etc/bind/xfer-policy";
>>         file "/etc/bind/db.30.168.192";
>> };
>>
>
> You should remove this and create the reverse zone in AD with
> samba-tool, this is where it belongs.
>
> Rowland
>
>

Re: BIND DNS Reverse Update

On Wed, 12 Apr 2017 14:42:24 +0200
basti via samba <[hidden email]> wrote:

> OK, I have done that and added a reverse zone to my AD.
> Manually added values are found now.
> Automatic updates (by a client, like ipconfig /renew) are still denied.
>
>

Try adding 'allow dns updates = nonsecure' to smb.conf and then restart
Samba.

Rowland



Re: BIND DNS Reverse Update

There is the same problem.

My setup is as follows:

router (DHCP/BIND as forwarder to dc1 and dc2)
/etc/dhcpd.conf

option domain-name-servers 192.168.30.2, 192.168.30.6;

dc1 (192.168.30.2) / dc2 (192.168.30.6) are domain controllers with
bind_dlz DNS; dc2 is updated via AXFR.

dc1 is the DNS master and is where I see the errors.

client 192.168.30.175#55454: update 'samdom.example.com/IN' denied

and where I have added 'allow dns updates = nonsecure' to smb.conf without
solving the problem.

I think the client is talking to BIND directly without using Samba.
I have also found and tried
https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

but when I try to update the DNS zone from the router on dc1, I get a
NOAUTH error.

On 12.04.2017 at 15:05, Rowland Penny via samba wrote:

> On Wed, 12 Apr 2017 14:42:24 +0200
> basti via samba <[hidden email]> wrote:
>
>> OK, I have done that and added a reverse zone to my AD.
>> Manually added values are found now.
>> Automatic updates (by a client, like ipconfig /renew) are still denied.
>>
>>
>
> Try adding 'allow dns updates = nonsecure' to smb.conf and then restart
> Samba.
>
> Rowland
>
>
>

Re: BIND DNS Reverse Update

The update with the DHCP script works for now. I'm not sure if it works
since I added "allow dns updates = nonsecure" or if it works after a
service restart.

I will test if it is usable for me.
Thanks, Rowland, for now.


On 12.04.2017 at 15:26, basti via samba wrote:

> There is the same problem.
>
> My setup is as follows:
>
> router (DHCP/BIND as forwarder to dc1 and dc2)
> /etc/dhcpd.conf
>
> option domain-name-servers 192.168.30.2, 192.168.30.6;
>
> dc1 (192.168.30.2) / dc2 (192.168.30.6) are domain controllers with
> bind_dlz DNS; dc2 is updated via AXFR.
>
> dc1 is the DNS master and is where I see the errors.
>
> client 192.168.30.175#55454: update 'samdom.example.com/IN' denied
>
> and where I have added 'allow dns updates = nonsecure' to smb.conf without
> solving the problem.
>
> I think the client is talking to BIND directly without using Samba.
> I have also found and tried
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
>
> but when I try to update the DNS zone from the router on dc1, I get a
> NOAUTH error.
>
> On 12.04.2017 at 15:05, Rowland Penny via samba wrote:
>> On Wed, 12 Apr 2017 14:42:24 +0200
>> basti via samba <[hidden email]> wrote:
>>
>>> OK, I have done that and added a reverse zone to my AD.
>>> Manually added values are found now.
>>> Automatic updates (by a client, like ipconfig /renew) are still denied.
>>>
>>>
>>
>> Try adding 'allow dns updates = nonsecure' to smb.conf and then restart
>> Samba.
>>
>> Rowland
>>
>>
>>
>

Re: BIND DNS Reverse Update

On Wed, 12 Apr 2017 15:47:26 +0200
basti via samba <[hidden email]> wrote:

> The update with the DHCP script works for now. I'm not sure if it works
> since I added "allow dns updates = nonsecure" or if it works after a
> service restart.
>
> I will test if it is usable for me.
> Thanks, Rowland, for now.
>

If the 'dhcp script' you refer to is the one on the Samba wiki, then
you need to stop your clients from trying to update their own records,
this will never work.

Rowland
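
The "update ... denied" lines quoted in this thread show which clients are still sending their own dynamic updates, which is what the last reply says has to stop. As an added example (not code from any poster or from the Samba project), this Python script groups such lines by client and derives the PTR owner name for each address; the sample log, the regex tolerances and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Format as quoted in the thread. The optional "@0x..." token and "view NAME:"
# prefix are assumptions to tolerate other BIND log layouts (not on this page).
DENIED = re.compile(
    r"client (?:@\S+ )?(?P<ip>[0-9A-Fa-f:.]+)#\d+[^:]*: "
    r"(?:view \S+: )?update '(?P<zone>[^/']+)/IN' denied"
)

# Constructed sample: first two lines are quoted in the thread, rest invented.
SAMPLE_LOG = """\
client 192.168.30.148#57598: update 'example.com/IN' denied
client 192.168.30.175#55454: update 'samdom.example.com/IN' denied
client 192.168.30.175#55460: update 'samdom.example.com/IN' denied
client 192.168.30.175#55461: update '30.168.192.in-addr.arpa/IN' denied
client 192.168.30.2#40112: some unrelated message
"""

def denied_updates(log_text):
    """Return {ip_address: Counter({zone: n})} for each denied update."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        if (m := DENIED.search(line)) is None:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # matched text is not a valid address, skip the line
        hits[ip][m["zone"].lower().rstrip(".")] += 1
    return hits

def report(log_text):
    """One row per client: denial count, zones tried, PTR owner name."""
    rows = []
    hits = denied_updates(log_text)
    for ip in sorted(hits, key=lambda a: (a.version, int(a))):
        rows.append({
            "client": str(ip),
            "denied": sum(hits[ip].values()),
            "zones": sorted(hits[ip]),
            "ptr_name": ip.reverse_pointer,
            "tried_reverse": any(z.endswith(".arpa") for z in hits[ip]),
        })
    return rows

if __name__ == "__main__":
    print(*report(SAMPLE_LOG), sep="\n")
```

Clients that keep appearing in the report after the DHCP-side updates are in place are the ones still trying to register their own records.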
