How-To: Configure Subnet-Based DNS Replies (Split-Horizon) with Samba DNS Backend in UCS

Description:

This article describes how to configure subnet-based DNS replies (Split-Horizon DNS) in a UCS environment using the Samba 4 DNS backend.


Why use VLAN-based Split-Horizon DNS?
In environments where network segmentation via VLANs is used, different user groups (e.g., teachers, students, guests, or administration) often require different DNS resolutions. A VLAN-based Split-Horizon DNS configuration enables:

  • Segregation of DNS views per VLAN, ensuring that only relevant hosts are visible to specific networks.
  • Enhanced security, by preventing internal hostnames from being exposed to unauthorized clients.
  • Optimized network routing, allowing VLANs to resolve services to the nearest or appropriate server (e.g., caching servers, mirrors).
  • Controlled access for guest networks, where only external DNS records should be visible.

This setup is particularly useful in educational institutions, enterprises, or multi-tenant environments where each VLAN may have distinct access requirements.


Environment:

  • UCS 5.x installed and running
  • Samba 4 as DNS backend
  • Root or administrative access to the UCS server

Steps:

1. Verify the Active DNS Backend

Before making any changes, confirm that the Samba 4 DNS backend is in use:

ucr get dns/backend

The expected output should be:

samba4

2. Locate the Template File

The Samba DNS configuration in UCS is managed via a template. Locate the following file:

/etc/univention/templates/files/etc/bind/named.conf.samba4

3. Modify the Template

Open the template with an editor of your choice (e.g., nano or vi).
Compare the original template with the modified excerpt below, paying particular attention to the view definitions: an acl for the subnet and two views ("vlan2025" for clients from that subnet, "default" for everyone else) are added around the existing sections.
Once a view is defined, every zone (and the dlz section) must be contained within a view.

@!@};

logging {
	category default{ default_syslog; };
	channel default_syslog {
		syslog daemon;		# send to syslog's daemon facility
		severity dynamic;	# log at the server's current debug level
	};
};


include "/etc/bind/local-predlz.conf.samba4";

@!@
# flake8: noqa
# The acl is a top-level statement; the view that follows refers to it in match-clients.
print('''acl "vlan2025" { 172.26.4.0/22; };

view "vlan2025" {
        match-clients { vlan2025; };

        zone "uni.vlan2025" {
                type master;
                file "/etc/bind/univention.conf.d/univention.vlan2025";
        }; ''')

# Root/forwarder zone "." for this view. This is the original template's logic;
# it stays inside this Python block so that the zone is emitted within the view.
if configRegistry.get('dns/forwarder1') or configRegistry.get('dns/forwarder2') or configRegistry.get('dns/forwarder3'):
    print('\n# Found a forwarder in ucr variables, using forwarder in zone ".".')
    print('# Ignoring any setting of dns/fakeroot.')
    print('zone "." {')
    print('\ttype forward;')
    print('\tforwarders {')
    if configRegistry['dns/forwarder1']:
        print('\t\t%s;' % configRegistry['dns/forwarder1'])
    if configRegistry['dns/forwarder2']:
        print('\t\t%s;' % configRegistry['dns/forwarder2'])
    if configRegistry['dns/forwarder3']:
        print('\t\t%s;' % configRegistry['dns/forwarder3'])
    print('\t};')
    print('};')
elif configRegistry.is_true('dns/fakeroot', True):
    print('\n# Found no forwarder in ucr variables.')
    print('# dns/fakeroot is either missing or set to True.')
    print('zone "." {')
    print('\ttype master;')
    print('\tfile "/etc/bind/db.root.fake";')
    print('};')
else:
    print('\n# Found no forwarder in ucr variables.')
    print('# dns/fakeroot is set to False.')
    print('# So setting a root zone "." of type "hint" with default root servers.')
    print('zone "." {')
    print('\ttype hint;')
    print('\tfile "/etc/bind/db.root";')
    print('};')

# Response-policy override and the Samba dlz backend for this view, then close the view.
print('''
        response-policy {
                zone "uni.vlan2025";
        };

        dlz "samba4.zone" {
                database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_18.so -d 0 {
                                /*
                                 * update-policy {
                                 *              grant %(kerberos/realm)s ms-self * A AAAA;
                                 *              grant Administrator@%(kerberos/realm)s wildcard * A AAAA SRV CNAME;
                                 *              grant %(hostname)s$@%(domainname)s wildcard * A AAAA SRV CNAME;
                                 *      };
                                 */

                                /*
                                 * the list of principals and what they can change is created
                                 * dynamically by Samba, based on the membership of the domain controllers
                                 * group. The provision just creates this file as an empty file.
                                 */
                                include /var/lib/samba/bind-dns/named.conf.update;

                                /* we need to use check-names ignore so _msdcs A records can be created */
                                check-names ignore;
                        };
                ";
        };
};''' % configRegistry)

# Open the fallback view for all other clients. The original template's remaining
# sections (the zone "." logic and the dlz "samba4.zone" block, as used above for
# view "vlan2025") continue inside this view, which is closed with "};" at the end of the file.
print('''view "default" {
        match-clients { any; };
''')
@!@

4. Commit the Changes

Regenerate the Samba DNS configuration using the following command:

ucr commit /etc/bind/named.conf.samba4

5. Restart the Samba and BIND Services

To apply the new configuration, restart Samba and then BIND:

  1. /etc/init.d/samba restart
  2. systemctl restart bind9.service

Verification

  • Ensure the new zone file (e.g., /etc/bind/univention.conf.d/univention.vlan2025) exists and contains the desired DNS records.
  • Test the DNS response from a client within the configured subnet to verify the correct zone is being served.

Notes

  • Multiple VLANs can be configured by adding additional acl and view sections following the same procedure.
  • This change affects Samba’s integrated Bind configuration and will persist across reboots if properly managed through the template system.

Troubleshooting (optional)

If the configuration does not work as expected:

  1. Check Samba and Bind logs:
  • journalctl -u samba
  • less /var/log/syslog
  • less /var/log/samba/log.samba
  2. Check services:
  • /etc/init.d/samba status
  • systemctl status bind9.service
  3. Validate the configuration syntax:

    named-checkconf /etc/bind/named.conf.samba4

  4. Ensure all zones are within a view:
    Once views are used, every zone statement (including the forwarder or root zone ".") must be placed inside a view; named-checkconf reports zones left at the top level. The acl referenced by match-clients is declared at the top level, as in the template above.

  5. Verify ACL correctness:
    Make sure the subnet (e.g., 172.26.4.0/22) matches the client network.
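The verification and troubleshooting steps above can be checked before a client is even connected. The following script is an added example, not part of UCS or the Samba template: it parses a rendered named.conf (the acl, view and zone statements), reports which view BIND would select for a given client address (first matching view wins, with BIND's rule that a negated or nested-negative match counts as no match), and lists zone statements left outside every view. The sample configuration embedded below is constructed from the template output shown in this article; the forwarder address 10.0.0.53 and the zone "uni.stray" are placeholders. Only `any`, `none`, acl names and address prefixes are resolved in match-clients; `include` files are not followed, so run it on the fully rendered file.

```python
import ipaddress
import re

# Constructed sample: a trimmed rendering of the article's template output.
# 10.0.0.53 is a placeholder forwarder address.
SAMPLE_CONF = """
acl "vlan2025" { 172.26.4.0/22; };

view "vlan2025" {
        match-clients { vlan2025; };
        zone "uni.vlan2025" {
                type master;
                file "/etc/bind/univention.conf.d/univention.vlan2025";
        };
        zone "." {
                type forward;
                forwarders { 10.0.0.53; };   // placeholder forwarder
        };
};

view "default" {
        match-clients { any; };
        zone "." {
                type hint;
                file "/etc/bind/db.root";
        };
};
"""

# Constructed broken variant: a zone left at the top level while views exist.
BROKEN_CONF = SAMPLE_CONF + """
zone "uni.stray" {
        type master;
        file "/etc/bind/univention.conf.d/univention.stray";
};
"""


def tokenize(text):
    """Strip BIND comments and split into quoted strings, braces, semicolons and words."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    text = re.sub(r"(//|#)[^\n]*", " ", text)
    return re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text)


def parse(tokens, pos=0):
    """Parse a brace-delimited block into (words, children) statements.

    children is None for simple statements ("type master;") and a list for
    block statements ("zone ... { ... };"). Quotes are removed from words.
    """
    statements, words = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == "{":
            children, pos = parse(tokens, pos + 1)
            statements.append((words, children))
            words = []
            continue  # pos already points past the closing brace
        if tok == "}":
            return statements, pos + 1
        if tok == ";":
            if words:
                statements.append((words, None))
            words = []
        else:
            words.append(tok.strip('"'))
        pos += 1
    return statements, pos


def load(text):
    """Return (acls, views, stray_zones). Views keep file order: BIND uses the first match."""
    acls, views, stray = {}, [], []
    for words, children in parse(tokenize(text))[0]:
        if not words or children is None:
            continue
        if words[0] == "acl":
            acls[words[1]] = [c[0][0] for c in children]
        elif words[0] == "view":
            match, zones = ["any"], []  # a view without match-clients matches any client
            for w, ch in children:
                if w and w[0] == "match-clients" and ch is not None:
                    match = [c[0][0] for c in ch]
                elif w and w[0] == "zone":
                    zones.append(w[1])
            views.append((words[1], match, zones))
        elif words[0] == "zone":
            stray.append(words[1])
    return acls, views, stray


def first_match(elements, client, acls):
    """Evaluate a BIND address_match_list: the first element that matches decides.

    Returns True (match), False (negated match, i.e. denied) or None (no match).
    A negative result from a nested acl counts as no match for the outer list.
    """
    for element in elements:
        negated = element.startswith("!")
        name = element.lstrip("!")
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name in acls:
            if first_match(acls[name], client, acls) is not True:
                continue
            hit = True
        else:
            hit = client in ipaddress.ip_network(name, strict=False)
        if hit:
            return not negated
    return None


def select_view(text, client_ip):
    """Name of the view that would answer client_ip, or None if no view matches."""
    acls, views, _ = load(text)
    client = ipaddress.ip_address(client_ip)
    for name, match, _zones in views:
        if first_match(match, client, acls):
            return name
    return None


def zones_outside_views(text):
    """Zones declared at the top level although views are in use (named-checkconf rejects this)."""
    _acls, views, stray = load(text)
    return stray if views else []


if __name__ == "__main__":
    for ip in ("172.26.5.10", "172.26.8.1", "10.1.2.3"):
        print(ip, "->", select_view(SAMPLE_CONF, ip))
    print("zones outside views:", zones_outside_views(BROKEN_CONF))
```

Point `load()` at the contents of the rendered /etc/bind/named.conf.samba4 after `ucr commit` to check that an address from the VLAN lands in view "vlan2025" while an address outside the /22 falls through to "default"; an address that resolves to no view at all means a match-clients list is too narrow, which is the symptom a client sees as SERVFAIL or refused queries. This complements, rather than replaces, `named-checkconf` and a `dig` from a real client in the subnet.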

