[Samba] Samba4 internal DNS - can't resolve external hosts
Atom2
ariel.atom2 at web2web.at
Tue Sep 30 02:56:33 MDT 2014
Hello List,
I am facing a problem whereby my Samba4 internal DNS does not resolve
external addresses:
# host www.google.com
Host www.google.com not found: 3(NXDOMAIN)
The answer is immediate - so there's no timeout issue here.
Internal resolution as described in the wiki to test the Samba AD DNS
functions like
host -t SRV _kerberos._udp.samba.mydomain.com
host -t SRV _ldap._tcp.samba.mydomain.com
host -A storage.samba.mydomain.com
work as expected and return the right answers. The Samba DNS is
expected to be authoritative for the samba.mydomain.com subdomain; the
hostname of the DC is storage at 192.168.19.13.
The SAMBA DNS is the only nameserver entry in my /etc/resolv.conf:
domain samba.mydomain.com
nameserver 192.168.19.13
My smb.conf contains a line
dns forwarder = 192.168.19.1
where 192.168.19.1 is the IP address of the pfsense router providing DNS
services to mydomain.com through DNSmasq.
If I add the dns forwarder as a *second* entry to /etc/resolv.conf
external name resolution from the DC box works without any problems as
it does from any other host in the network using 192.168.19.1 as its DNS
server. This to me indicates that my DNS forwarder on pfsense per se
does actually work as expected.
# drill www.google.com @192.168.19.1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 8606
;; flags: qr rd ra ; QUERY: 1, ANSWER: 5, AUTHORITY: 4, ADDITIONAL: 4
;; QUESTION SECTION:
;; www.google.com. IN A
;; ANSWER SECTION:
www.google.com. 38 IN A 173.194.113.81
www.google.com. 38 IN A 173.194.113.82
www.google.com. 38 IN A 173.194.113.83
www.google.com. 38 IN A 173.194.113.84
www.google.com. 38 IN A 173.194.113.80
;; AUTHORITY SECTION:
google.com. 28834 IN NS ns3.google.com.
google.com. 28834 IN NS ns2.google.com.
google.com. 28834 IN NS ns4.google.com.
google.com. 28834 IN NS ns1.google.com.
;; ADDITIONAL SECTION:
ns1.google.com. 342425 IN A 216.239.32.10
ns2.google.com. 342425 IN A 216.239.34.10
ns3.google.com. 2126 IN A 216.239.36.10
ns4.google.com. 2126 IN A 216.239.38.10
;; Query time: 20 msec
;; SERVER: 192.168.19.1
;; WHEN: Tue Sep 30 10:53:10 2014
;; MSG SIZE rcvd: 248
That command was executed from the samba box and it works flawlessly and
is also very quick further ruling out a timeout issue (NOTE: drill is
the FreeBSD equivalent of dig).
Some additional information about my installation:
OS: FreeBSD 10.0
Samba version: 4.1.11, server role: ROLE_ACTIVE_DIRECTORY_DC
Router with DNS forwarder: pfsense 2.1.5
All of this is running under XEN 4.3.2 with gentoo hardened-sources and
linux kernel 3.15.10 for Dom0.
A debug trace with a higher log level for dns in smb.conf shows that the
internal DNS server acknowledges that it is not authoritative for
www.google.com (and therefore obviously also confirms the receipt of the
query):
Not authoritative for 'www.google.com', forwarding
But a tcpdump on the network interface does not show any attempt from
the Samba AD DC to contact the forwarder for www.google.com. There is,
however, traffic when 192.168.19.1 is added to resolv.conf and DNS
resolution works for external addresses - so tcpdump seems to work as well.
Searching the web and asking for help in the IRC channel did not help,
and currently I am at a loss as to what's going on. I would very much
appreciate any help in trying to get to the bottom of this issue.
Many thanks in advance
Atom2
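As an added diagnostic example (not part of the original post or of Samba), the following Python script repeats the three checks the poster did by hand with host and drill: an internal SRV query against the DC, an external A query against the DC, and the same external query straight at the forwarder. It then turns the three replies into one verdict. It uses only the standard library and builds the DNS messages itself, so it shows exactly what goes on the wire. The addresses 192.168.19.13 and 192.168.19.1 and the names are taken from the post; that the SRV name exists in the poster's zone is an assumption, and the constructed sample replies at the bottom only reproduce the symptom described above for offline use.

```python
"""Added diagnostic example (not part of the original post).

Sends raw DNS queries to the DC's internal DNS and to its forwarder
and classifies the replies, mirroring the host/drill checks above.
"""
import random
import socket
import struct

DC_DNS = "192.168.19.13"      # Samba AD DC (address from the post)
FORWARDER = "192.168.19.1"    # pfSense dnsmasq forwarder (from the post)

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}
QTYPE = {"A": 1, "SRV": 33}


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype="A", txid=0x1234):
    """Build a standard recursive (RD=1) query for name/qtype, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def parse_response(data):
    """Extract the header fields that matter for this diagnosis."""
    if len(data) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": txid,
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "aa": bool(flags & 0x0400),   # server claims authority for the zone
        "ra": bool(flags & 0x0080),   # server offers recursion
        "answers": an,
        "authority": ns,
    }


def query(server, name, qtype="A", timeout=2.0):
    """Send one UDP query and return the parsed reply (raises on timeout)."""
    txid = random.randrange(1, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    reply = parse_response(data)
    if reply["id"] != txid:          # ignore replies that do not match our query
        raise ValueError("transaction id mismatch")
    return reply


def interpret(dc_internal, dc_external, fwd_external):
    """Turn the three parsed replies into one verdict."""
    if dc_internal["rcode"] != "NOERROR" or not dc_internal["aa"]:
        return "dc-not-authoritative-for-own-zone"
    if dc_external["rcode"] == "NOERROR" and dc_external["answers"] > 0:
        return "ok"
    if fwd_external["rcode"] != "NOERROR":
        return "forwarder-broken"
    # Forwarder resolves the name but the DC does not: the DC never used it.
    return "dc-forwarding-broken"


# Constructed replies reproducing the symptom in the post (offline use only).
SAMPLE_DC_INTERNAL = parse_response(
    struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 1, 0, 0))   # NOERROR, AA set
SAMPLE_DC_EXTERNAL = parse_response(
    struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0))   # NXDOMAIN, no AA
SAMPLE_FWD_EXTERNAL = parse_response(
    struct.pack("!HHHHHH", 8606, 0x8180, 1, 5, 4, 4))     # NOERROR, 5 answers


if __name__ == "__main__":
    # The SRV name is assumed to exist in the poster's zone.
    results = (
        query(DC_DNS, "_ldap._tcp.samba.mydomain.com", "SRV"),
        query(DC_DNS, "www.google.com"),
        query(FORWARDER, "www.google.com"),
    )
    for r in results:
        print(r)
    print("verdict:", interpret(*results))
```

Run it from a second host on the LAN while tcpdump is capturing on the DC: the DC should log "Not authoritative ... forwarding" and, if forwarding works, a second UDP/53 query from the DC towards 192.168.19.1 should appear in the capture. The verdict "dc-forwarding-broken" corresponds to the situation described in the post, where the DC answers NXDOMAIN immediately although the forwarder itself resolves the name.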