[Samba] some DNS trouble ...

moss.mose at gmail.com moss.mose at gmail.com
Wed Feb 27 02:35:21 MST 2013


Hi all and hi Gregory and Ricky!

Thank you for your reply!!

I feel a little bit lost, so I cannot be absolutely sure that the forwarder IS working.
Even more, the problem is somehow somewhere in between DNS and VPN … somewhere ;)

To my samba4 installation: I installed it using the debian packages

According to 
** This came up in another thread in the last week. Make sure the DNS
server specified in the [dns forwarders] is actually serving DNS
queries for the AD host in question. **
I obviously misunderstood the function of the "dns forwarder".
I was under the impression that with it I'm able to tell the DNS server who to ask for requests it is not responsible for … meaning queries for hosts not inside my domain.

I'm not sure if "dns forwarder" is with or without an "s" … all I can say is that, according to some other posts using "testparm -v" to print out all options with their default values, I can't find it at all.

After some reading yesterday as far as I understand it the "dns forwarder" option is only valid and used if I use samba's internal DNS server. As mentioned above I installed samba4 using the debian packages and it seems that, by default, BIND9-DLZ gets installed and configured with it. After finding out that BIND is the one I have to configure in case of DNS issues I did so and set the "forwarders { }" option in named.conf.

Unfortunately I'm still not sure if it is working the way it should and why it doesn't under some circumstances.


Here's a more thorough explanation about my setup and the problem … I posted it in the router's company forum but got no answer yet …

I'm using a TL-ER6020 with both WANs connected and set up in failover mode.
I have a virtual machine acting as a domain controller based on samba4 with bind9-dlz.
The DNS server (bind9-dlz) has a "forwarder" pointing to the router IP which holds the ip addresses of my ISP's DNS servers.
I'm using L2TP over IPsec VPN and set it up by following one of the provided tutorials and the connection seems to work.
When I'm connected to my LAN directly DNS works for internal and external name resolution.
When I connect via VPN to my LAN only internal names are resolved. (I do connect from an outside network)
In both cases I entered the domain controller/DNS server IP manually in the client's corresponding network settings and did nslookup.
The option "VPN-to-Internet" is enabled.

----------------------------------------------------------------
internal name resolution:

LAN:
----------------
„Lookup“ wurde gestartet …

Trying "adc.lan.example.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17001
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;adc.lan.example.com. IN ANY

;; ANSWER SECTION:
adc.lan.example.com. 900 IN A 192.168.60.11

;; AUTHORITY SECTION:
lan.example.com. 900 IN NS adc.lan.example.com.

Received 62 bytes from 192.168.60.11#53 in 4 ms
----------------


VPN:
----------------
„Lookup“ wurde gestartet …

Trying "adc.lan.example.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46756
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;adc.lan.example.com. IN ANY

;; ANSWER SECTION:
adc.lan.example.com. 900 IN A 192.168.60.11

;; AUTHORITY SECTION:
lan.example.com. 900 IN NS adc.lan.example.com.

Received 62 bytes from 192.168.60.11#53 in 53 ms
----------------



----------------------------------------------------------------
external name resolution:

LAN:
----------------
„Lookup“ wurde gestartet …

Trying "google.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26875
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com. IN ANY

;; ANSWER SECTION:
google.com. 55489 IN NS ns4.google.com.
google.com. 55489 IN NS ns3.google.com.
google.com. 55489 IN NS ns2.google.com.
google.com. 55489 IN NS ns1.google.com.

;; AUTHORITY SECTION:
google.com. 55489 IN NS ns2.google.com.
google.com. 55489 IN NS ns1.google.com.
google.com. 55489 IN NS ns3.google.com.
google.com. 55489 IN NS ns4.google.com.

Received 156 bytes from 192.168.60.11#53 in 53 ms
----------------



VPN:
----------------
„Lookup“ wurde gestartet …

Trying "google.com"
Received 28 bytes from 192.168.60.11#53 in 53 ms
Trying "google.com.lan.example.com"
Host google.com not found: 3(NXDOMAIN)
Received 90 bytes from 192.168.60.11#53 in 9 ms
----------------



----------------------------------------------------------------
additional:

VPN (using the router's LAN IP as DNS server in network settings):
(192.168.80.5 is the router's external IP)
----------------
„Lookup“ wurde gestartet …

Trying "google.com"
;; reply from unexpected source: 192.168.80.5#53, expected 192.168.60.1#53
;; reply from unexpected source: 192.168.80.5#53, expected 192.168.60.1#53
;; connection timed out; no servers could be reached
----------------



Well … as I said in the beginning … the problem is somewhere in between DNS and VPN but I'm not able to pinpoint it.
Unfortunately I'm lacking experience in both fields :(

And again: ANY help, suggestions and hints are highly appreciated!

Thanks, 
Oliver



Am 26.02.2013 um 17:29 schrieb Ricky Nance <ricky.nance at weaubleau.k12.mo.us>:

> Correct me if I am wrong, but isn't it dns forwarder = (not dns forwarderS) run your config through samba-tool testparm and see if it complains.
> 
> Ricky
> 
> 
> On Tue, Feb 26, 2013 at 9:11 AM, Gregory Sloop <gregs at sloop.net> wrote:
> 
> mmgc> Well … just found that the options
> mmgc> server role
> mmgc> dns recursive queries
> mmgc> dns forwarders
> 
> mmgc> are ignored … hmmm … well … does anyone know how to achieve the
> mmgc> desired behavior without these options ?
> 
> Perhaps I don't understand what's going on - but are you sure your DNS
> forwarder *IS* working properly? Because if the forwarder wasn't
> servicing the DNS queries, then it would *look* like [dns forwarders]
> wasn't working.
> 
> This came up in another thread in the last week. Make sure the DNS
> server specified in the [dns forwarders] is actually serving DNS
> queries for the AD host in question.
> 
> It's common for BIND to be locked down so it will handle local
> queries for all requests, or remote queries for zones it's "auth" for
> - but not to handle remote requests for non-auth zones.
> 
> [See listen-on and allow-query in BIND docs, among other things.]
> 



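The lookups quoted above differ in one header detail: the LAN reply carries the flags `qr aa rd ra`, the VPN reply only `qr aa rd`, i.e. the server did not set "recursion available" for the VPN client, and the last lookup shows a reply arriving from a different address than the one queried. The following Python tool is an added example for this thread (it is not Samba, BIND or the router vendor's code): it builds the same kind of query the lookups send, decodes the response header, reports whether recursion was offered, and rejects replies whose source address does not match the server asked. The sample responses are constructed to mirror the headers shown above; the server address in `query_server` is a placeholder you supply.

```python
"""
DNS header diagnostics: does the server offer recursion (`ra`) to *this* client?

Added example for the Samba list thread on DNS over VPN; not code from Samba or
BIND.  Sample responses below are constructed to mirror the headers quoted in
the thread (ids, flags and section counts), not captured packets.
"""
import socket
import struct

QTYPE_A = 1
QTYPE_ANY = 255

# Flag bits in the second 16-bit word of the DNS header (RFC 1035 section 4.1.1).
FLAG_QR = 0x8000  # response
FLAG_AA = 0x0400  # authoritative answer
FLAG_RD = 0x0100  # recursion desired (set by the client)
FLAG_RA = 0x0080  # recursion available (set by the server for this client)
RCODE_MASK = 0x000F
RCODE_NAMES = {0: "NOERROR", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qtype=QTYPE_A, txid=0x1234):
    """Build a standard query with RD set: header, QNAME, QTYPE, QCLASS IN."""
    header = struct.pack(">HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)


def parse_header(resp):
    """Decode the 12-byte header of a response into a dict of flags and counts."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "aa": bool(flags & FLAG_AA),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "rcode": flags & RCODE_MASK,
        "answers": an,
        "authority": ns,
    }


def diagnose(h):
    """Turn decoded header fields into the observations an admin checks first."""
    if not h["qr"]:
        return ["not a response"]
    notes = []
    if not h["ra"]:
        # The server answered but will not recurse for this source address;
        # with BIND that usually means allow-recursion (or its default of
        # localnets/localhost) does not cover the client's subnet.
        notes.append("server does not offer recursion to this client")
    if h["aa"]:
        notes.append("answer is authoritative (served from a local zone)")
    elif h["answers"] == 0 and h["rcode"] == 0:
        notes.append("empty non-authoritative answer")
    if h["rcode"] in (3, 5):
        notes.append(RCODE_NAMES[h["rcode"]])
    return notes


def query_server(server, name, qtype=QTYPE_ANY, timeout=3.0):
    """Send one UDP query to `server` (placeholder address) and decode the reply.

    A reply from any other source address is rejected, which is the condition
    the thread's last lookup reports as 'reply from unexpected source'.
    """
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, (src, _port) = s.recvfrom(4096)
    if src != server:
        raise RuntimeError(f"reply from unexpected source {src}#53, expected {server}#53")
    h = parse_header(data)
    if h["id"] != struct.unpack(">H", q[:2])[0]:
        raise RuntimeError("transaction id mismatch")
    return h


# Constructed sample headers mirroring the thread's lookups (header bytes only).
LAN_INTERNAL = struct.pack(">HHHHHH", 17001, FLAG_QR | FLAG_AA | FLAG_RD | FLAG_RA, 1, 1, 1, 0)
VPN_INTERNAL = struct.pack(">HHHHHH", 46756, FLAG_QR | FLAG_AA | FLAG_RD, 1, 1, 1, 0)

if __name__ == "__main__":
    for label, sample in (("LAN", LAN_INTERNAL), ("VPN", VPN_INTERNAL)):
        print(label, diagnose(parse_header(sample)))
```

Run against a constructed sample the tool reports, for the VPN header, that recursion is not offered to the client even though the internal name still resolves authoritatively, which is exactly the pattern of "internal works, external fails" over the tunnel. Pointed at a live server with `query_server("<dns-server-ip>", "google.com")`, it raises on a reply that comes back from another address, so a NAT or routing detour on the VPN path shows up as an error rather than a silent timeout.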