DHCP and DNS

DHCP and DNS

Samba - General mailing list
I know this is samba list and I am hoping that someone with MS AD
experience can answer this definitively.

Does AD have some kind of data exchange between dhcp and dns so that
systems which receive a dhcp lease from an AD DC more reliably register
their hostname with AD DNS?  Looking at the RFC I couldn't see any reason
why this should be the case. But it seems that host name registration for
all DHCP devices is much more consistent when using AD for the dhcp
service. Previously we were using our cisco router. It was rather hit and
miss with DNS registrations that way. We switched to using AD DHCP about 3
months ago and the numbers of host names registered to AD DNS seems to have
really improved.

Sorry this isn't strictly a SAMBA question, but I thought if AD had some
kind of API or data exchange between DHCP and DNS, then samba might also
have it.

--
David Bear
mobile: (602) 903-6476
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: DHCP and DNS

Samba - General mailing list
On Tue, 2 Jan 2018 12:41:05 -0700
David Bear via samba <[hidden email]> wrote:

> I know this is samba list and I am hoping that someone with MS AD
> experience can answer this definitively.
>
> Does AD have some kind of data exchange between dhcp and dns so that
> systems which receive a dhcp lease from an AD DC more reliably
> register their hostname with AD DNS?  Looking at the RFC I couldn't
> see any reason why this should be the case. But it seems that host
> name registration for all DHCP devices is much more consistent when
> using AD for the dhcp service. Previously we were using our cisco
> router. It was rather hit and miss with DNS registrations that way.
> We switched to using AD DHCP about 3 months ago and the numbers of host
> names registered to AD DNS seems to have really improved.
>
> Sorry this isn't strictly a SAMBA question, but I thought if AD had
> some kind of API or data exchange between DHCP and DNS, then samba
> might also have it.
>

Do you mean something like this:

https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

Rowland

Re: DHCP and DNS

Samba - General mailing list
That's the samba answer -- and I guess this implies that windows AD also has
the same capability. Thanks.

On Tue, Jan 2, 2018 at 12:51 PM, Rowland Penny via samba <
[hidden email]> wrote:

> On Tue, 2 Jan 2018 12:41:05 -0700
> David Bear via samba <[hidden email]> wrote:
>
> > I know this is samba list and I am hoping that someone with MS AD
> > experience can answer this definitively.
> >
> > Does AD have some kind of data exchange between dhcp and dns so that
> > systems which receive a dhcp lease from an AD DC more reliably
> > register their hostname with AD DNS?  Looking at the RFC I couldn't
> > see any reason why this should be the case. But it seems that host
> > name registration for all DHCP devices is much more consistent when
> > using AD for the dhcp service. Previously we were using our cisco
> > router. It was rather hit and miss with DNS registrations that way.
> > We switched to using AD DHCP about 3 months ago and the numbers of host
> > names registered to AD DNS seems to have really improved.
> >
> > Sorry this isn't strictly a SAMBA question, but I thought if AD had
> > some kind of API or data exchange between DHCP and DNS, then samba
> > might also have it.
> >
>
> Do you mean something like this:
>
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
>
> Rowland
>



--
David Bear
mobile: (602) 903-6476

Re: DHCP and DNS

Samba - General mailing list
Hi David,

> I know this is samba list and I am hoping that someone with MS AD
> experience can answer this definitively.
>
> Does AD have some kind of data exchange between dhcp and dns so that
> systems which receive a dhcp lease from an AD DC more reliably register
> their hostname with AD DNS?  Looking at the RFC I couldn't see any reason
> why this should be the case. But it seems that host name registration for
> all DHCP devices is much more consistent when using AD for the dhcp
> service. Previously we were using our cisco router. It was rather hit and
> miss with DNS registrations that way. We switched to using AD DHCP about 3
> months ago and the numbers of host names registered to AD DNS seems to have
> really improved.
>
> Sorry this isn't strictly a SAMBA question, but I thought if AD had some
> kind of API or data exchange between DHCP and DNS, then samba might also
> have it.

There is some kind of integration between MS DHCP and MS AD for sure:
when doing migration from samba3 to samba4, if one has a MS DHCP
service, then you need to "register" the DHCP service from the MS DHCP
console after migration, otherwise it stops delivering leases. I usually
switch to ISC DHCP at one point or the other, so I didn't dig into the
rationale behind that.

However for registration, my understanding is that in any case
registration goes through authenticated DNS queries from
workstation/server domain members. It is the only way to ensure that a
workstation or server can only register its own name as DNS entry.

Otherwise, with the automatic registration from DHCP service to DNS,
then you technically allow any desktop/phone/IOT to register WPAD and
ISATAP DNS entry and MITM all the traffic that has autodiscovery
enabled, or change the ip address of your file server or anything
else... Actually the two WPAD/ISATAP entries are blocked by default on a
MS DNS server since MSAD2k3, but I think you see my point. Securing your
DNS is paramount for overall network security.

When you were using your cisco routers as DHCP server, did you provide
the ip address of domain controllers as DNS server, or did you have the
cisco doing DNS forwarding?

Cheers,

Denis


--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
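
The risk described in the message above, seen from the side of a DHCP-to-DNS updater, as an added example (not code from this thread or from the Samba wiki script): a policy check that a lease hook could run on the client-supplied hostname before sending any DNS update. The function names, reason strings, zone name and record table are hypothetical and the sample data is constructed.

```python
import re

# Names the updater must never create on a client's behalf. wpad and isatap
# are the two entries the post says MS DNS blocks by default.
BLOCKED_LABELS = {"wpad", "isatap"}
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def vet_lease_update(hostname, client_id, zone, records):
    """Decide whether a lease may create or refresh <hostname>.<zone>.

    records maps a lower-case label to its owner: "static" for records an
    admin created, otherwise the client id (e.g. MAC) the updater stored
    when it first registered the name. Returns (allowed, reason).
    """
    # The hostname comes from the DHCP client, so treat it as untrusted.
    name = (hostname or "").strip().lower().rstrip(".")
    if "." in name:
        # A client may send an FQDN; accept only <label>.<our zone>.
        label, _, suffix = name.partition(".")
        if suffix != zone.lower():
            return False, "foreign-or-multilabel-name"
        name = label
    if not LABEL_RE.match(name):
        return False, "invalid-label"
    if name in BLOCKED_LABELS:
        return False, "blocked-autodiscovery-name"
    owner = records.get(name)
    if owner == "static":
        # e.g. a lease asking for the file server's name
        return False, "collides-with-static-record"
    if owner is not None and owner != client_id:
        return False, "owned-by-another-client"
    return True, "ok"


def vet_events(events, zone, records):
    """Return the reason string for each (hostname, client_id) event."""
    return [vet_lease_update(h, c, zone, records)[1] for h, c in events]


# Constructed sample data (zone state and lease events are invented).
ZONE = "example.test"
RECORDS = {"fileserver": "static", "laptop7": "aa:bb:cc:00:00:07"}
EVENTS = [("laptop7", "aa:bb:cc:00:00:07"), ("WPAD", "aa:bb:cc:00:00:99"),
          ("isatap.example.test.", "aa:bb:cc:00:00:99"),
          ("fileserver", "aa:bb:cc:00:00:99"),
          ("laptop7", "aa:bb:cc:00:00:99"), ("newphone", "aa:bb:cc:00:00:42")]
```

Rejected events are worth logging with the client id, since a lease that asks for an autodiscovery name or an existing server name is a useful detection signal in itself.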

