DNS and Resolver

Overview

A working DNS infrastructure is critical for an Active Directory 1) implementation powered by Samba 4. It's also strongly recommended for any other type of deployment.

This document describes how DNS and the DNS Servers (/etc/resolv.conf resolver) are implemented in ClearOS. For those of you coming from CentOS or Red Hat Enterprise Linux 2), this is one of those rare instances where ClearOS does things a little differently.

Doing It Right

ClearOS is typically deployed as a gateway or standalone server that is providing DNS services to the local network:

  • A caching/forwarding DNS server for the local network
  • A simple DNS Server for mapping local IPs to internal hostnames

With the addition of an Active Directory implementation powered by Samba 4, providing these DNS services becomes a mission critical part of the network infrastructure. When DNS is not operating correctly, Active Directory implementations fail. This is one of the reasons Samba 4 includes its own DNS server - it's not a matter of a bunch of software developers wanting to re-invent wheels. There are unique aspects to DNS in Active Directory environments:

  • Dymamic DNS updates via Kerberos
  • Default DNS records for systems in the Windows domain

For these reasons, it is critical that the ClearOS system itself resolve DNS properly.

DNS Settings - /etc/resolv.conf

Now that we have covered the importance of DNS services on a modern ClearOS network, we can come to two conclusions:

  • /etc/resolv.conf must reference the local DNS services
  • DHCP and PPPoE should never overwrite /etc/resolv.conf

These two constraints are handled a bit differently depending on whether or not the Samba Directory is deployed. These two options are described next.

Samba Directory - Samba 4 DNS

In the case where Samba Directory is running, the built-in Samba 4 DNS server is activated. The /etc/resolv.conf file will always look like this:

domain directory.example.com
nameserver 192.168.1.1

The domain is set to the configured Samba Directory Realm and the nameserver is set to a trusted IP where the Samba DNS server is running. Any DNS request that does not fall under the realm of the Samba DNS server is forwarded to a caching/forwarding DNS server defined by the dns forwarder parameter in /etc/samba/smb.conf.

Standard DNS

In systems that do not use Samba Directory, the /etc/resolv.conf file will look like:

domain example.com    # optional
nameserver 127.0.0.1

The caching DNS server (dnsmasq) handles requests and also serves up local hostnames for hosts defined in /etc/hosts. Any DNS request that does not fall under the realm of the cachning DNS server is forwarded to a DNS server defined in /etc/resolv-peerdns.conf.

Auto DNS Servers / PeerDNS - /etc/resolv-peerdns.conf

For those of you used to hooking up your system with DHCP or PPPoE, the /etc/resolv.conf file is typically automatically updated by your ISP. Some of you may be used to referring to this as PeerDNS. As described above, this type of behavior can break your network in a hurry! For this reason, ClearOS has changed the behavior for DHCP and PPPoE networks – these types of connections will now write to the /etc/resolv-peerdns.conf file.

If you disable the automatic DNS server behavior for your DHCP or PPPoE connections, you can still specify your own upstream DNS servers (for example, OpenDNS or Google Public DNS). These settings are saved in resolv-peerdns.conf.

It is not often that we make changes to the source code from upstream (link), but this is one of those rare exceptions. The ClearOS system uses its internal event system to trigger the necessary changes, so there's nothing that needs to be done from an end-user's perspective. It just works.

Links

1) Trademark is the property of the respective owner. ClearCenter is not affiliated with Microsoft.
2) Trademark is the property of the respective owner. ClearCenter is not affiliated with Red Hat.

 
TryBuy