bind_dlz and views and samba
Petr Špaček
pspacek at isc.org
Thu May 16 07:52:01 UTC 2024
On 15. 05. 24 17:21, Peter Carlson wrote:
> As I understand it bind_dlz does not support multiple views. I have the
> following scenario and am trying to figure out how to configure it:
>
> * Internal (192.168.10.0/24)
>     o resolve internal domain xyz.com
>     o resolve internal samba domain xyz.lab
>     o resolve single address xyz.3cx.us to 192.168.10.25
> * External is resolved by a different server and xyz.3cx.us resolves
>   to a public address
> * VPN (10.9.0.0/24)
>     o resolve internal domain xyz.com
>     o resolve internal samba domain xyz.lab
>     o resolve single address xyz.3cx.us via normal public dns or
>       alternatively resolve to external address
>
> I initially set this up with views:
>
>> acl internals { 192.168.10.0/24; 192.168.11.0/24; localhost; };
>> acl vpn { 10.9.0.0/24; };
>>
>> view trusted {
>>     match-clients { internals; };
>>     zone "MYDOMAIN.com" IN { type master; file "/etc/bind/db.MYDOMAIN.com"; allow-update { none; }; };
>>     zone "3cx.us" IN { type master; file "/etc/bind/db.3cx.us"; allow-update { none; }; };
>> };
>>
>> view vpn {
>>     match-clients { vpn; };
>>     zone "MYDOMAIN.com" IN { type master; file "/etc/bind/db.MYDOMAIN.com"; allow-update { none; }; };
>> };
>
> But this crashes as soon as I add:
>
>> dlz "AD DNS Zone" {
>>     database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_18.so";
>> };
>
> So I split out DNS from the AD DC, configured bind on the DC to forward to
> another DNS server and set up views there, but that doesn't work either, as all
> requests now come from the IP of the DC and so the ACLs won't match.
>
> Any ideas how I can accomplish this?
The DLZ interface does support views and there is no reason why it
should crash. This might be a bug in the Samba DLZ module, so I suggest that you:
1. Write complete bug reports including all and exact version numbers
2. Add complete minimal configuration which demonstrates the issue
3. Take it to relevant Samba DLZ mailing list
If there are bugs in BIND we will have a look.
Good luck!
--
Petr Špaček
Internet Systems Consortium
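The forwarding failure Peter describes (every query reaching the second server carries the DC's source address, so the VPN view is never selected) comes down to how BIND picks a view: the first view whose match-clients ACL contains the query's source address wins. The following Python script is an added illustration written for this thread, not configuration or code from BIND, Samba or either poster. It transcribes the ACLs and view order from the quoted named.conf, expands the built-in "localhost" ACL to the loopback ranges (an assumption about that fragment), and shows which view a query lands in both for a direct client and for the same client's query once it has been forwarded by a DC at a constructed address of 192.168.10.1.

```python
import ipaddress

# ACLs as they appear in the quoted named.conf. Names may refer to other
# ACLs, exactly as "internals" refers to the built-in "localhost".
# The loopback ranges for "localhost" are an assumption for this example.
ACLS = {
    "internals": ["192.168.10.0/24", "192.168.11.0/24", "localhost"],
    "vpn": ["10.9.0.0/24"],
    "localhost": ["127.0.0.0/8", "::1/128"],
}

# Views in the order they appear in the config: BIND takes the first match.
VIEWS = [
    ("trusted", ["internals"]),
    ("vpn", ["vpn"]),
]


def acl_matches(acl_name, addr):
    """Return True if addr (an ip_address object) is covered by the named ACL.

    Nested ACL names are resolved recursively; address/network version
    mismatches (an IPv4 client against an IPv6 prefix) never match.
    """
    for element in ACLS[acl_name]:
        if element in ACLS:
            if acl_matches(element, addr):
                return True
        elif addr in ipaddress.ip_network(element):
            return True
    return False


def select_view(source_ip):
    """Mimic BIND's view selection: first view whose match-clients matches.

    Returns the view name, or None when no view matches (BIND would then
    refuse the query).
    """
    addr = ipaddress.ip_address(source_ip)
    for view_name, match_clients in VIEWS:
        if any(acl_matches(acl, addr) for acl in match_clients):
            return view_name
    return None


def view_after_forwarding(original_client_ip, forwarder_ip):
    """View chosen on the second server once a DC has forwarded the query.

    The second server only ever sees forwarder_ip as the source, so the
    original client's address plays no part in the decision.
    """
    return select_view(forwarder_ip)


if __name__ == "__main__":
    dc_ip = "192.168.10.1"          # constructed address for the AD DC
    for client in ("192.168.10.25", "10.9.0.7", "127.0.0.1", "203.0.113.9"):
        print(f"{client:>14} direct -> {select_view(client)}, "
              f"via DC -> {view_after_forwarding(client, dc_ip)}")
```

Running it shows the VPN client (10.9.0.7) selecting the "vpn" view when it queries directly but the "trusted" view once its query is relayed by the DC, which is exactly why the ACL-based split cannot survive a forwarding hop; the view must be chosen on the server that actually sees the client's address.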