providing CNAMEs for local data

Michael Tokarev mjt at tls.msk.ru
Tue Nov 22 13:43:32 UTC 2022


22.11.2022 15:57, Petr Špaček via Unbound-users wrote:
> On 22. 11. 22 13:27, Michael Tokarev via Unbound-users wrote:
>> For example, we have a domain and a few geographically-spread
>> offices, each office is supposed to have its own proxy, email
>> server, file server and stuff like that.  This is also an
>> AD DC domain.  I thought about a single domain zone and local
>> overrides for certain commonly used names. But once again I
>> faced this issue with unbound, which is unable to resolve
>> (expand) CNAMEs in local-data or somesuch.
>>
>> (Yes, I know there's another way: give each office a
>> subdomain with the local names specified there, and specify
>> all other names in the main domain. But that doesn't work
>> because Windows machines always query in their AD domain
>> name first, and in the DHCP-provided suffix next, so I have
>> to override this at the resolver level).
> 
> Well, MS AD does support location-aware routing. I suggest using that instead of hacking in your own way.

I know how to locate the AD DC closest to the client (site-specific);
that portion works.

Now I want to a) provide a short name (fs) which is used by all our
users to mean their closest local file server; I can't find a way
to do that in AD.  And b) to store user profiles only on the site-
specific server, so the home server is different depending on the
current location a user logs in from. If a) is solved, b) is solved
too.  For 2 weeks I tried to implement this in samba, only to
discover a ton of bugs and unexpected behavior. Now I did implement
this in DNS, in a test environment, *finally*, but it turned out
I'll have to replace our whole unbound infrastructure with something
else because of this very unbound limitation: it can't expand CNAMEs
in local-data and local-zone.

> See e.g.
> https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/site-functions and search for "Client affinity".
> 
> MS keywords for this are "sites" and "locator".
> 
> Non-MS docs about this:
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/sssd-ad-dns-sites

Yes, this is about locating the closest DC.

I want it to locate a closest file server given short name.

I'd *love* to do that on the AD side, but so far it didn't work.

And still, the question which I asked: *why* can't unbound
expand CNAMEs in local-data?  I'm looking at the source now,
but with any code which you see for the first time, this is
not exactly a quick thing to do :)

Thanks,

/mjt
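For readers who want to reproduce the setup the poster describes, the per-office resolver override would look like the following unbound.conf fragment. This is an added illustration, not configuration from the thread or from the Unbound project; the AD domain example.com, the site name site1, the file server address 192.0.2.10 and the DC address 192.0.2.1 are all assumed placeholders.

```conf
# Added example (not from the thread). Per-office unbound.conf override:
# the real zone is forwarded to this site's AD DC, and one commonly used
# short name is overridden locally so it means "the file server at this
# office". Names and addresses below are assumptions.
server:
    # Names not present in local-data fall through to normal resolution.
    local-zone: "example.com." transparent

    # What the poster wants: a short alias for the local file server.
    # As reported in the thread, unbound serves this CNAME from local-data
    # but does not expand it to the target's address.
    local-data: "fs.example.com. 300 IN CNAME fs.site1.example.com."

    # Workaround suggestion (mine, not the poster's): avoid the CNAME and
    # publish the site-specific address directly, at the cost of keeping
    # the IP in sync on each office resolver.
    # local-data: "fs.example.com. 300 IN A 192.0.2.10"

forward-zone:
    name: "example.com."
    forward-addr: 192.0.2.1    # assumed: this office's AD DC
```

Validate the file with `unbound-checkconf` before reloading, then check from a client at that office with `dig fs.example.com @<resolver>`. The behaviour the poster complains about shows up as an answer section that carries the CNAME record but no A record for its target; with the A-record variant the client gets the address straight from local-data and no expansion is needed.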

