[Samba] BIND9_DLZ CNAME Records Not Resolving from Windows Workstations

Thomas Simmons twsnnva at gmail.com
Thu Feb 14 19:20:09 MST 2013

In an effort to get MX and CNAME records working, I have migrated from
Samba's internal DNS to bind9_dlz. I am now seeing strange behavior where
CNAME records resolve correctly on the S4 DC, but not from workstations.
Please see the case below where I have foo.internal.testdom.com aliased to
google.com using a CNAME record. I do not understand why this is occurring.
This should work, correct? Does anyone see something that I am missing? I
am completely stumped and greatly appreciate any input. Thanks, Thomas.

First, I ensure the Windows system and the DC are pointing to the same DNS
server (DC is pointing to itself)...

C:\Users\Admin1>ipconfig /all
Windows IP Configuration
   DNS Suffix Search List. . . . . . : internal.testdom.com
   DNS Servers . . . . . . . . . . . :

[root at DC1 ~]# cat /etc/resolv.conf
search internal.testdom.com

Just to be sure the Windows workstation is using the correct DNS, I alter
the record for my vpn server to a nonsense IP of

C:\Users\Admin1>ping vpn.internal.testdom.com -n 1
Pinging vpn.internal.testdom.com [] with 32 bytes of data:
Request timed out.
Ping statistics for
    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
[root at DC1 ~]# ping vpn.internal.testdom.com -c 1
PING vpn.internal.testdom.com ( 56(84) bytes of data.
--- vpn.internal.testdom.com ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 10000ms

Works as expected. Now I test the CNAME on the DC (samba-tool dns query,
dig, ping)...

[root at DC1 ~]# samba-tool dns query dc1 internal.testdom.com foo CNAME
  Name=, Records=1, Children=0
    CNAME: google.com. (flags=f0, serial=62, ttl=0)
[root at dc1 ~]# dig foo.internal.testdom.com CNAME

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.6 <<>> foo.internal.testdom.com CNAME
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62924
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;foo.internal.testdom.com.      IN      CNAME

foo.internal.testdom.com. 0     IN      CNAME   google.com.

internal.testdom.com.   900     IN      NS      dc1.internal.testdom.com.

dc1.internal.testdom.com. 900 IN     A

;; Query time: 2 msec
;; WHEN: Thu Feb 14 21:01:24 2013
;; MSG SIZE  rcvd: 100

[root at DC1 ~]# ping foo.internal.testdom.com -c 1
PING google.com ( 56(84) bytes of data.
64 bytes from iad23s08-in-f2.1e100.net ( icmp_seq=1 ttl=54 time=18.6 ms
--- google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 20ms
rtt min/avg/max/mdev = 18.696/18.696/18.696/0.000 ms

Perfect! Now from the Windows workstation.

C:\Users\Admin1>ipconfig /flushdns
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.

C:\Users\Admin1>ping foo.internal.testdom.com
Ping request could not find host foo.internal.testdom.com. Please check the
and try again.

