[Samba] Samba4 internal DNS - can't resolve extrenal hosts

Atom2 ariel.atom2 at web2web.at
Tue Sep 30 02:56:33 MDT 2014 

Hello List,
I am facing a probelm whereby my Samba4 internal DNS does not resolve 
external addresses:
	# host www.google.com
	Host www.google.com not found: 3(NXDOMAIN)
The answer is immediate - so there's no timeout issue here.

Internal resolution as described in the wiki to test the Samba AD DNS 
functions like
	host -t SRV _kerberos._udp.samba.mydomain.com
	host -t SRV _ldap._tcp.samba.mydomain.com
	host -A storage.samba.mydomain.com
work as expected and returns the right answers. The Samba DNS is 
expected to be authoritative for the samba.mydomain.com subdomain; the 
hostname of the DC is storage at 192.168.19.13.

The SAMBA DNS is the only nameserver entry in my /etc/resolv.conf:
	domain          samba.mydomain.com
	nameserver      192.168.19.13

My smb.conf contains a line
	dns forwarder = 192.168.19.1
where 192.168.19.1 is the IP address of the pfsense router providing DNS 
services to mydomain.com through DNSmasq.

If I add the dns forwarder as a *second* entry to /etc/resolv.conf 
external name resolution from the DC box works without any problems as 
it does from any other host in the network using 192.168.19.1 as its DNS 
server. This to me indicates that my DNS forwarder on pfsense per se 
does actually work as expected.

# drill www.google.com @192.168.19.1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 8606
;; flags: qr rd ra ; QUERY: 1, ANSWER: 5, AUTHORITY: 4, ADDITIONAL: 4
;; QUESTION SECTION:
;; www.google.com.      IN      A

;; ANSWER SECTION:
www.google.com. 38      IN      A       173.194.113.81
www.google.com. 38      IN      A       173.194.113.82
www.google.com. 38      IN      A       173.194.113.83
www.google.com. 38      IN      A       173.194.113.84
www.google.com. 38      IN      A       173.194.113.80

;; AUTHORITY SECTION:
google.com.     28834   IN      NS      ns3.google.com.
google.com.     28834   IN      NS      ns2.google.com.
google.com.     28834   IN      NS      ns4.google.com.
google.com.     28834   IN      NS      ns1.google.com.

;; ADDITIONAL SECTION:
ns1.google.com. 342425  IN      A       216.239.32.10
ns2.google.com. 342425  IN      A       216.239.34.10
ns3.google.com. 2126    IN      A       216.239.36.10
ns4.google.com. 2126    IN      A       216.239.38.10

;; Query time: 20 msec
;; SERVER: 192.168.19.1
;; WHEN: Tue Sep 30 10:53:10 2014
;; MSG SIZE  rcvd: 248

That command was executed from the samba box and it works flawlessly and 
is also very quick further ruling out a timeout issue (NOTE: drill is 
the FreeBSD equivalent of dig).

Some additional information about my installation:
	OS: FreeBSD 10.0
	Samba version: 4.1.11, server role: ROLE_ACTIVE_DIRECTORY_DC
	Router with DNS forwarder: pfsense 2.1.5
all of this running under XEN 4.3.2 with gentoo hardened-sources and 
linux kernel 3.15.10 for Dom0.

A debug trace with a higher log level for dns in smb.conf shows that the 
internal DNS server acknowledges that it is not authoritative for 
www.google.com (and therefore obviously also confirms the receipt of the 
query):
	Not authoritative for 'www.google.com', forwarding

But a tcpdump on the network interface does not show any attempt from 
the Samba AD DC to contact the forwarder for www.google.com. There is, 
however, traffic when 192.168.19.1 is added to resolv.conf and DNS 
resolution works for external addresses - so tcpdump seems to work as well.

Searching the web and asking for help in the IRC channel did not help 
and currently I am at loss on what's going. I would very much appreciate 
any help in trying to get to the grounds of this issue.

Many thanks in advance

Atom2

More information about the samba mailing list