Is it possible for ns8-dnsmasq to perform dynamic DNS updates to a NethServer 8’s Samba DNS?
So far I’ve used ns8-dnsmasq advanced configuration (DNSMasq — NS8 documentation) to set the DNS server given to point to Samba DNS, and set the domain name correctly.
I’d like DNSMasq to update DNS records in Samba DNS so that clients are represented in the AD environment. Is there an established/best practice way to accomplish this using NethServer 8?
If not, my plan was to create a script to run on lease events and for that to use nsupdate. Does that seem sensible and achievable?
Thanks for the welcome. Used to use NethServer a lot back before the whole Centos debacle. So read plenty of your posts in my time. This is me getting in on the action
Yes, dynamic update are supported by Samba DNS, and by default is switched on. I got at that detail in a different way:
I think both Windows and Linux clients will add themselves into DNS if they are joined to the domain. From what I think I am seeing
Rocky Linux bound to the domain using Samba/Winbind will add itself to DNS.
Windows 11 that has not joined the domain will not.
Both are using the same ns8-dnsmasq DHCP server.
Obviously that only works if ns8-dnsmasq DHCP is setup correctly. So far I’ve created a 02samba-ad.conf in /var/lib/nethserver/dnsmasq1/state/dnsmasq.d/. In it I set:
dhcp-option=6,<First Samba DNS IP>,<Second Samba DNS IP>
dhcp-option=15,<domain name>
This specifies the DNS servers and there parent domain.
My next step was going to look at creating a dhcp-dnsupdate.sh and adding dhcp-script=/<some path>/dhcp-dnsupdate.sh to the end of 02samba-ad.conf. For it to work nsupdate would need to be installed, and I’d need to generate a keyfile containing a shared secret. This was the bit I wasn’t sure was “sensible or achievable” in the context of the ns8-dnsmasq module. The outcome being DNS records for all DNSMasq DHCP clients no matter if they are joined to the domain or not.
The general idea is nice but I’m afraid there are security implications to consider before going to production level, e.g. what if a malicious device steals the name of a file server?
I was thinking about that too. This is obviously not a feature for some form of guest or open network.
With that in mind, devices that have access to our DHCP server are either trusted or “owned” by an attacker. i.e. We should have security measures that prevent malicious devices accessing our network. That’s not an excuse for complacency, but in the same scenario a device can manually set its IP address to match that of the file server causing issue. Other exploits are available
As a defence:
Well know/relied upon resources should have manually creating “static records”. i.e. not created by this mechanism. These records should be owned by an administrator account. If a dynamic update did try to update a static record, the system should reject the update as it has not come from the owner.
Introduce an allow/deny list to the proposed script. It’s a common way of avoiding this sort of scenario, but I think we can do better.
Use DNS zone file segregation to create static and dynamic zone files. Should work for BIND, not sure for Samba. From what I’ve read this sounds complicated and could be an administrative burden. I’m not a fan of this either.
Mark all records we create with a corresponding TXT record. Use dig to check if an A record already exists and if we created it. Then act accordingly.
