
Is it possible to make samba4's internal dns server listen on a port other than 53?

I need to run two DNS servers on this host -- my desire was to use dnsmasq on the standard port for clients and configure dnsmasq to resolve the domain owned by the samba internal DNS server correctly via the non-standard port.

Looking through smb.conf -- there are options to control the port binding used by many of the services -- but I'm not finding such an option for the DNS server ...

Ben
  • Why is this question getting downvoted? It's a legitimate question even if the answer is 'no, it's not possible' – Ben Feb 26 '15 at 22:08

2 Answers


The reason you're not finding the option is that OS resolver libraries cannot use ports other than 53. While it's possible to have a nameserver forwarder use ports other than 53, it is unlikely that the authors of this software support and/or anticipate your particular use case. You would need to ask them why this feature is absent.

You could try something like

  • Add a secondary IP address to your system.
    • Configure dnsmasq to listen on that address only.
  • Configure Samba to listen on the primary IP address.
  • Configure Samba to forward requests it can't handle to the IP dnsmasq is listening on.

I guess you could do it the other way around too.

Andrew B
user9517
  • You could forward the port using `iptables` as well. As Iain implies, the difficult bit isn't so much getting the service to appear on another port as getting any clients to go looking for it there. – MadHatter Feb 12 '15 at 08:28
  • 2
    @MadHatter I did think about that as a solution and decided it got too messy very quickly. – user9517 Feb 12 '15 at 08:44
  • 1
    @Iain dnsmasq has the ability to forward queries to a non-standard DNS server port -- so I assume that others have found use cases for this. I have good reasons to want to do this – Ben Feb 24 '15 at 22:32
  • - stability -- our DNS needs not to go down, samba4 is just super complex and we don't trust it - making it the client facing DNS server is just not viable for us. If the samba DNS server misbehaves we want to isolate that effect to only the AD domain and whatever behaviors that exist within the AD ecosystem which depend on the existence of an Active Directory-integrated DNS. Clients should point to dnsmasq on a standard port, dnsmasq will handle resolving queries for the AD domain via the samba DNS server – Ben Feb 24 '15 at 22:32
  • - adding another network interface is unnecessarily complicated and actually requires specifying to both services that they only listen on the correct set of interfaces. Since dnsmasq does both dhcp and DNS -- the way it handles listening on network interfaces is a bit complicated as it processes some traffic via layer 2 apis in order to implement correct dhcp behaviours. We want to avoid having to troubleshoot this when bugs or configuration errors inevitably occur. – Ben Feb 24 '15 at 22:34
  • We also don't want to encode these kind of details about our network interface configuration in these service configurations (we've got multiple of these appliances to setup)... – Ben Feb 24 '15 at 22:34
  • @madhatter the intent is to _not_ expose the samba DNS server to clients directly. Clients will use dnsmasq for DNS as before and dnsmasq will resolve queries for the domain that samba is authoritative for via the samba DNS server. – Ben Feb 24 '15 at 22:34
  • If I could just specify the port for the samba DNS server to bind, all would be well. The weird thing is samba seems to support manually specified ports for all the other servers it implements (cifs, etc) and it's even harder for me to imagine use cases for that kind of configuration ... – Ben Feb 24 '15 at 22:35
  • 3
    You can't do what you want to do with Samba alone. Samba is open source, though, so I guess you could fix it yourself that way, but that brings with it a whole other world of problems. – user9517 Feb 25 '15 at 06:36
  • Thanks for the response -- but I'm down-voting your answer because you say "it's not normal to want to do this". This is false, running services on other than the default port is very common and done with many services for a variety of reasons. Maybe you want to have something else listening on the primary port and proxying to the underlying service for security or load-balancing reasons (valid, common use case). Or maybe you just like security by obscurity obtainable by listening on a non-standard port as many folks do with ssh (less valid, but still used). It is not unusual to want this. – Ben Feb 26 '15 at 22:21
  • There was an implied ... `with DNS` in there because, well, ya know, your question is about DNS. Sure other services may expect to be proxied or load balanced and may therefore provide mechanisms for allowing this. DNS though, isn't generally one of them. I don't know why the samba team decided to fix the server port at 53 and not provide a mechanism for changing it (`const int DNS_SERVICE_PORT = 53;`), but they did and that's what you have to work with. There are ways of solving your problem but you don't appear to be up to them. – user9517 Feb 27 '15 at 08:08
  • @Ben It's kind of splitting hairs. What I think Iain meant to say was resolver libraries expect port 53. Yes, you can configure load balancers, DNS forwarders, etc. to use DNS on non-standard ports...but any program written with the expectation that *only* DNS clients should be directly pointed at the daemon isn't going to bother with this functionality. If the code doesn't allow you to do it, you're stuck. Iain provided some good workarounds and I don't think this answer merits a downvote on this one point alone. I'll edit the answer to clarify the "offensive detail", however. – Andrew B Feb 27 '15 at 16:35
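One way to lay out the secondary-address workaround from this answer, as an added example that is not from the answer or from the Samba or dnsmasq projects. The addresses, realm and upstream resolver are constructed placeholders, and it assumes Samba's internal DNS honours `interfaces` together with `bind interfaces only = yes` the way its other services do:

```ini
# /etc/dnsmasq.conf -- client-facing resolver, bound only to the secondary
# address (192.0.2.2) and loopback, so it never collides with Samba on port 53.
bind-interfaces
listen-address=192.0.2.2
listen-address=127.0.0.1

# Hand the AD forward zone and its reverse zone to Samba's DNS on the primary
# address. dnsmasq would accept 192.0.2.1#5353 here, but Samba's internal DNS
# only binds port 53, which is why the split is done by address instead.
server=/ad.example.internal/192.0.2.1
server=/2.0.192.in-addr.arpa/192.0.2.1

# Everything else goes to the upstream resolver (placeholder address).
server=203.0.113.53

# Do not read /etc/resolv.conf: the host's resolv.conf points at 127.0.0.1
# (dnsmasq itself), so reading it would create a forwarding loop.
no-resolv

# /etc/samba/smb.conf -- AD DC whose internal DNS is bound only to the primary
# address (192.0.2.1); clients never talk to it directly.
[global]
    server role = active directory domain controller
    realm = AD.EXAMPLE.INTERNAL
    workgroup = AD
    interfaces = 192.0.2.1
    bind interfaces only = yes
    # Names outside the AD zone are forwarded to dnsmasq, not to the internet.
    # There is no loop: dnsmasq only sends the AD zone back to Samba, and Samba
    # answers that zone authoritatively without forwarding.
    dns forwarder = 192.0.2.2
```

The host's own /etc/resolv.conf then lists only 127.0.0.1, so the DC resolves its SRV records through dnsmasq, and a Samba DNS outage affects only the AD zone.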

The issue was opened and can be viewed here: https://bugzilla.samba.org/show_bug.cgi?id=14599

Pavel_K