[Samba] BIND9_DLZ CNAME Records Not Resolving from Windows Workstations

Thomas Simmons twsnnva at gmail.com
Fri Feb 15 12:35:01 MST 2013

Hello Greg,

It was actually the allow-query directive that you noted in your previous

Thanks for your help!

On Fri, Feb 15, 2013 at 2:11 PM, Gregory Sloop <gregs at sloop.net> wrote:

>  -SNIP-
> ---
> Provided the nslookup trace shows that the server you expect isn't
> giving answers, rather than some other problem...
> Is BIND configured to answer queries from hosts in the IP
> block that the station is in? [See listen-on and allow-query in BIND
> docs]
> The server can answer queries from the Windows workstation. This vpn
> resolution test verifies this:
> Just to be sure the Windows workstation is using the correct DNS, I alter
> the record for my vpn server to a nonsense IP of
> But it's authoritative for that zone. [It has to answer (practically), by
> definition, for auth zones.]
> That doesn't mean it's going to answer queries for just anyone for zones
> it's not authoritative for.
> I'm no BIND guru, but I think if you do some searches you'll find there
> are options/changes that will allow it to resolve queries for some hosts
> for non-auth zones.
> I wish I could tell you just what options to change, but I've run into
> this kind of thing before and I'm pretty sure it's a BIND config issue -
> and that BIND isn't configured to answer queries to hosts other than itself
> for non-auth zones.
> -Greg
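
[Added example, not part of the original messages and not the poster's actual configuration, which the thread does not show.] A named.conf options sketch for the directives named above (listen-on, allow-query), plus allow-recursion for names the server is not authoritative for. The ACL name and all addresses are placeholder assumptions. Access is scoped to the workstation subnet rather than opened to "any", so the server does not become an open resolver.

```conf
// Constructed example; the ACL name and addresses are placeholders.
acl "lan-clients" {
    localhost;
    192.0.2.0/24;                 // placeholder: the workstation subnet
};

options {
    // A restrictive form: only the server itself may connect and query,
    // so queries from workstations are refused.
    // listen-on port 53 { 127.0.0.1; };
    // allow-query       { localhost; };

    // Listen on the LAN-facing address as well as loopback.
    listen-on port 53 { 127.0.0.1; 192.0.2.10; };   // placeholder server address

    // Who may send queries at all.
    allow-query       { "lan-clients"; };

    // Who may have names outside the server's own zones resolved for them.
    recursion yes;
    allow-recursion   { "lan-clients"; };
    allow-query-cache { "lan-clients"; };
};
```

named-checkconf validates the syntax before named is reloaded.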
