[Samba] DNS Suddenly breaking

mathias dufresne infractory at gmail.com
Fri Jul 1 09:55:47 UTC 2016


Okidoki, you are not blocked by some firewall on either of your DCs (DC2 is able
to do recursion, DC1 is able to contact Google's DNS directly).
The issue comes from your Samba, which refuses to do recursion even with a
forwarder configured in smb.conf (at least I believe you still have dns
forwarder in smb.conf).

Stupid question: did you try to reboot DC1?

2016-06-30 21:00 GMT+02:00 Garland McAlexander <garland at linear.nyc>:

> bus-ny-dc-01 ~]# dig google.com
>
>
> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> google.com
>
> ;; global options: +cmd
>
> ;; Got answer:
>
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 779
>
> ;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; WARNING: recursion requested but not available
>
>
> ;; OPT PSEUDOSECTION:
>
> ; EDNS: version: 0, flags:; udp: 4096
>
> ;; QUESTION SECTION:
>
> ;google.com. IN A
>
>
> ;; Query time: 0 msec
>
> ;; SERVER: 192.168.1.236#53(192.168.1.236)
>
> ;; WHEN: Thu Jun 30 14:51:57 EDT 2016
>
> ;; MSG SIZE  rcvd: 39
>
>
>
> ----------------
>
>
> bus-ny-dc-01 ~]# dig @8.8.8.8 google.com
>
>
> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> @8.8.8.8 google.com
>
> ; (1 server found)
>
> ;; global options: +cmd
>
> ;; Got answer:
>
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16101
>
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
>
> ;; OPT PSEUDOSECTION:
>
> ; EDNS: version: 0, flags:; udp: 512
>
> ;; QUESTION SECTION:
>
> ;google.com. IN A
>
>
> ;; ANSWER SECTION:
>
> google.com. 39 IN A 172.217.0.46
>
>
> ;; Query time: 19 msec
>
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
>
> ;; WHEN: Thu Jun 30 14:53:27 EDT 2016
>
> ;; MSG SIZE  rcvd: 55
>
>
>
> ---------
>
> bus-ny-dc-02 ~]# dig google.com
>
>
> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> google.com
>
> ;; global options: +cmd
>
> ;; Got answer:
>
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39987
>
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
>
> ;; OPT PSEUDOSECTION:
>
> ; EDNS: version: 0, flags:; udp: 512
>
> ;; QUESTION SECTION:
>
> ;google.com. IN A
>
>
> ;; ANSWER SECTION:
>
> google.com. 30 IN A 172.217.0.46
>
>
> ;; Query time: 4 msec
>
> ;; SERVER: 192.168.1.235#53(192.168.1.235)
>
> ;; WHEN: Thu Jun 30 14:55:20 EDT 2016
>
> ;; MSG SIZE  rcvd: 55
>
>
> ----------
>
>
> It looks like it's failing at the first dig, but my resolv looks good...
>
> On Thu, Jun 30, 2016 at 10:11 AM, mathias dufresne <infractory at gmail.com>
> wrote:
>
>> from both DC:
>> dig google.com
>> dig @8.8.8.8 google.com
>>
>> First dig will use resolvers declared into /etc/resolv.conf.
>> Second dig forces usage of 8.8.8.8.
>>
>> Both commands should reply the same things, on all DC.
>>
>> 2016-06-30 15:58 GMT+02:00 lingpanda101 at gmail.com <lingpanda101 at gmail.com>:
>>
>> > On 6/30/2016 9:57 AM, Garland McAlexander wrote:
>> >
>> >> nslookup google.com
>> >> ;; Got recursion not available from 192.168.1.236, trying next server
>> >> Server:         192.168.1.235
>> >> Address:        192.168.1.235#53
>> >>
>> >> Non-authoritative answer:
>> >> Name: google.com
>> >> Address: 172.217.4.78
>> >>
>> >>
>> >> Interesting little bit about the "Recursion not available"
>> >>
>> >>
>> >> On Thu, Jun 30, 2016 at 9:52 AM, lingpanda101 at gmail.com <lingpanda101 at gmail.com> wrote:
>> >>
>> >>     On 6/30/2016 9:41 AM, Garland McAlexander wrote:
>> >>
>> >>         Hosts:
>> >>
>> >>         127.0.0.1   localhost localhost.localdomain localhost4
>> >>         localhost4.localdomain4
>> >>         ::1         localhost localhost.localdomain localhost6
>> >>         localhost6.localdomain6
>> >>         192.168.1.235 bus-ny-dc-01.domain.domain.com bus-ny-dc-01
>> >>
>> >>
>> >>         Resolv:
>> >>
>> >>         # Generated by NetworkManager
>> >>         search domain.domain.com
>> >>         nameserver 192.168.1.236
>> >>         nameserver 192.168.1.235
>> >>
>> >>         Smb.conf:
>> >>
>> >>         # Global parameters
>> >>         [global]
>> >>                 workgroup = DOMAIN
>> >>                 realm = DOMAIN.DOMAIN.COM
>> >>                 netbios name = BUS-NY-DC-01
>> >>                 server role = active directory domain controller
>> >>                 dns forwarder = 8.8.8.8
>> >>                 printing = bsd
>> >>                 printcap name = /dev/null
>> >>
>> >>         [netlogon]
>> >>                 path = /var/lib/samba/sysvol/domain.domain.com/scripts
>> >>                 read only = No
>> >>
>> >>         [sysvol]
>> >>                 path = /var/lib/samba/sysvol
>> >>                 read only = No
>> >>
>> >>
>> >>
>> >>         On Thu, Jun 30, 2016 at 9:36 AM, lingpanda101 at gmail.com <lingpanda101 at gmail.com> wrote:
>> >>
>> >>             On 6/30/2016 9:25 AM, Garland McAlexander wrote:
>> >>
>> >>                 Yes, it's set up with 8.8.8.8
>> >>
>> >>                 I'm able to ping it without issues, just not able to
>> >>                 resolve anything externally.
>> >>
>> >>                 On Thu, Jun 30, 2016 at 9:09 AM, mathias dufresne <infractory at gmail.com> wrote:
>> >>
>> >>                     To get recursion working with internal DNS you
>> >>                     only need to set up:
>> >>                     dns forwarder = <IP of your main DNS>
>> >>
>> >>                     Is it configured?
>> >>
>> >>                     If yes and packets can go from your broken DC to
>> >>                     "your main DNS" using TCP and also UDP, there is an
>> >>                     issue.
>> >>
>> >>                     2016-06-30 14:58 GMT+02:00 Garland McAlexander
>> >>                     <garland at linear.nyc>:
>> >>
>> >>                         It's samba internal DNS. Only one DNS zone,
>> >>                         and it's domain.domain.tld.
>> >>                         It'll function perfectly, and then cease to
>> >>                         function at a random time.
>> >>
>> >>                         On Thu, Jun 30, 2016 at 5:31 AM, Mueller <mueller at tropenklinik.de> wrote:
>> >>
>> >>                             What kind of DNS, bind or internal?
>> >>                             With bind and samba 4.3.4 I have an issue
>> >>                             and I have to restart bind and avahi:
>> >>                             s4slave named-sdb[8750]: error (connection
>> >>                             refused) resolving 'thefreelanceforum.com/AAAA/IN':
>> >>                             192.12.94.30#53.
>> >>
>> >>                             Only a restart of bind resolves this.
>> >>
>> >>
>> >>                             Daniel Müller, IT
>> >>
>> >>                             Head of IT
>> >>                             Tropenklinik Paul-Lechler-Krankenhaus
>> >>                             Paul-Lechler-Str. 24
>> >>                             72076 Tübingen
>> >>                             Tel.: 07071/206-463, Fax: 07071/206-499
>> >>                             Email: mueller at tropenklinik.de
>> >>                             www.tropenklinik.de
>> >>                             www.bauen-sie-mit.tropenklinik.de
>> >>
>> >>
>> >>
>> >>
>> >>                             -----Original Message-----
>> >>                             From: Garland McAlexander [mailto:garland at linear.nyc]
>> >>                             Sent: Thursday, 30 June 2016 10:52
>> >>                             To: samba at lists.samba.org
>> >>                             Subject: [Samba] DNS Suddenly breaking
>> >>
>> >>                             Hi All,
>> >>
>> >>                             I've got a newly created Samba4 domain. I'm
>> >>                             running into a strange issue where my internal
>> >>                             DNS on my first domain controller is "breaking",
>> >>                             causing it to not resolve any external hosts.
>> >>                             It'll still resolve internal hosts without issue.
>> >>                             This is only on the first DC; the second DC is
>> >>                             running perfectly fine and can access external
>> >>                             hosts without issue.
>> >>
>> >>                             There is absolutely NOTHING in the logs about
>> >>                             this. I cannot find where this is going wrong,
>> >>                             and sometimes it seems that it'll randomly fix
>> >>                             itself.
>> >>
>> >>                             Any help is sincerely appreciated.
>> >>                             --
>> >>                             To unsubscribe from this list go to the
>> >>                             following URL and read the instructions:
>> >>                             https://lists.samba.org/mailman/options/samba
>> >>
>> >>
>> >>
>> >>                         --
>> >>                         *Sincerely,*
>> >>                         *Garland McAlexander*
>> >>                         *O: 212-271-0198*
>> >>                         *C: 321-315-9948*
>> >>
>> >>
>> >>
>> >>
>> >>             Can you post your hosts file, resolv.conf and smb.conf
>> >>             from DC1?
>> >>
>> >>             --
>> >>             -James
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>         --
>> >>         /Sincerely,/
>> >>         /Garland McAlexander/
>> >>         /O: 212-271-0198/
>> >>         /C: 321-315-9948/
>> >>
>> >>     Nothing out of the ordinary. Does the issue happen on the server
>> >>     side or client side? Can you run 'nslookup google.com' from the DC?
>> >>     It should look similar to this.
>> >>
>> >>     nslookup google.com
>> >>     Server:         192.168.1.236
>> >>     Address:        192.168.1.236#53
>> >>
>> >>     Non-authoritative answer:
>> >>     Name: google.com
>> >>     Address: 172.217.2.206
>> >>
>> >>     Can you rerun the same if it also happens from the client side?
>> >>
>> >>
>> >>
>> >>     --
>> >>     -James
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> --
>> >> /Sincerely,/
>> >> /Garland McAlexander/
>> >> /O: 212-271-0198/
>> >> /C: 321-315-9948/
>> >>
>> > This tells me the issue is on DC2 and not DC1. Can you post the same
>> > configs from DC2?
>> >
>> >
>> >
>> > --
>> > -James
>> >
>> >
>>
>
>
>
> --
> *Sincerely,*
> *Garland McAlexander*
> *O: 212-271-0198*
> *C: 321-315-9948*
>
>
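Mathias's check above (dig through each resolver listed in /etc/resolv.conf, then dig straight at 8.8.8.8, and compare) as a script that also reads the RA bit out of the dig header, so a server that answers without recursion is flagged explicitly. This is an added example and not code from the thread; it assumes dig (bind-utils) is installed for the live mode and that the forwarder is 8.8.8.8 as in Garland's smb.conf (pass another address as the second argument). The two offline samples are the header and flags lines copied from the dig output quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: for every resolver in /etc/resolv.conf and
# for the forwarder itself, summarise the dig reply as "<status> <ra> <answers>"
# and flag any server whose header lacks the RA (recursion available) bit.

# summarize_dig: read dig output on stdin, print "<status> <ra> <answers>",
# e.g. "NXDOMAIN no 0" for a server refusing recursion,
# "NOERROR yes 1" for one that recursed and returned an A record.
summarize_dig() {
    out=$(cat)
    # header line: ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 779"
    status=$(printf '%s\n' "$out" | sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    # flags line: ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ..."
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags:\([^;]*\);.*/\1/p' | head -n 1)
    answers=$(printf '%s\n' "$out" | sed -n 's/^;; flags:.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
    # "ra" must appear as a whole token; "rd" (recursion desired) alone is not enough
    case " $flags " in
        *" ra "*) ra=yes ;;
        *)        ra=no ;;
    esac
    echo "${status:-UNKNOWN} $ra ${answers:-0}"
}

# check_resolvers [name] [forwarder]: live check, one line per nameserver in
# /etc/resolv.conf plus the forwarder. Assumed default forwarder: 8.8.8.8.
check_resolvers() {
    name=${1:-google.com}
    fwd=${2:-8.8.8.8}
    {
        awk '/^nameserver/ { print $2 }' /etc/resolv.conf
        echo "$fwd"
    } | while read -r ns; do
        result=$(dig @"$ns" "$name" +time=2 +tries=1 2>/dev/null | summarize_dig)
        printf '%-16s %s\n' "$ns" "$result"
        case "$result" in
            *" no "*) echo "                 -> no RA bit: this server will not recurse; check 'dns forwarder' in its smb.conf and the samba log" ;;
        esac
    done
}

# Constructed samples: header and flags lines copied from the dig output in the thread.
SAMPLE_VIA_RESOLV_CONF=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 779
;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_DIRECT_8888=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16101
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Offline demo on the samples by default; "--live" queries the real resolvers.
if [ "${1-}" = "--live" ]; then
    check_resolvers "${2:-google.com}" "${3:-8.8.8.8}"
else
    printf 'via resolv.conf (192.168.1.236): %s\n' "$(printf '%s\n' "$SAMPLE_VIA_RESOLV_CONF" | summarize_dig)"
    printf 'direct to 8.8.8.8:               %s\n' "$(printf '%s\n' "$SAMPLE_DIRECT_8888" | summarize_dig)"
fi
```

Run it on each DC with `sh check-recursion.sh --live`; a healthy DC prints `NOERROR yes 1` for every resolver and for the forwarder, and the lines should agree across DCs, which is what Mathias asks for. A `no` in the second column is the same condition dig reports as "recursion requested but not available" and nslookup as "Got recursion not available".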

