[Samba] Samba4 internal DNS - can't resolve extrenal hosts

Thomas Mulkey tmulkey at incentafcu.org
Tue Sep 30 05:55:38 MDT 2014 

I am a bit of a Samba Newb, but I noticed a couple of things that are different from my test environment which has 2 Samba 4 AD DC's.

My resolv.conf has

search incenta.local 
nameserver 10.0.2.150 

10.0.2.150 is my first DC that has the samba internal dns.
Incenta.local is my domain name

Second
You may want to try setting your forwarded to 8.8.8.8 in the smb.conf (dns forwarder 8.8.8.8, this would rule out any problems with your local dns resolution on pfsense.  I would just verify for sure that the problem is with the samba re-direction


-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Atom2
Sent: Tuesday, September 30, 2014 4:57 AM
To: samba at lists.samba.org
Subject: [Samba] Samba4 internal DNS - can't resolve extrenal hosts

Hello List,
I am facing a probelm whereby my Samba4 internal DNS does not resolve external addresses:
	# host www.google.com
	Host www.google.com not found: 3(NXDOMAIN) The answer is immediate - so there's no timeout issue here.

Internal resolution as described in the wiki to test the Samba AD DNS functions like
	host -t SRV _kerberos._udp.samba.mydomain.com
	host -t SRV _ldap._tcp.samba.mydomain.com
	host -A storage.samba.mydomain.com
work as expected and returns the right answers. The Samba DNS is expected to be authoritative for the samba.mydomain.com subdomain; the hostname of the DC is storage at 192.168.19.13.

The SAMBA DNS is the only nameserver entry in my /etc/resolv.conf:
	domain          samba.mydomain.com
	nameserver      192.168.19.13

My smb.conf contains a line
	dns forwarder = 192.168.19.1
where 192.168.19.1 is the IP address of the pfsense router providing DNS services to mydomain.com through DNSmasq.

If I add the dns forwarder as a *second* entry to /etc/resolv.conf external name resolution from the DC box works without any problems as it does from any other host in the network using 192.168.19.1 as its DNS server. This to me indicates that my DNS forwarder on pfsense per se does actually work as expected.

# drill www.google.com @192.168.19.1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 8606 ;; flags: qr rd ra ; QUERY: 1, ANSWER: 5, AUTHORITY: 4, ADDITIONAL: 4 ;; QUESTION SECTION:
;; www.google.com.      IN      A

;; ANSWER SECTION:
www.google.com. 38      IN      A       173.194.113.81
www.google.com. 38      IN      A       173.194.113.82
www.google.com. 38      IN      A       173.194.113.83
www.google.com. 38      IN      A       173.194.113.84
www.google.com. 38      IN      A       173.194.113.80

;; AUTHORITY SECTION:
google.com.     28834   IN      NS      ns3.google.com.
google.com.     28834   IN      NS      ns2.google.com.
google.com.     28834   IN      NS      ns4.google.com.
google.com.     28834   IN      NS      ns1.google.com.

;; ADDITIONAL SECTION:
ns1.google.com. 342425  IN      A       216.239.32.10
ns2.google.com. 342425  IN      A       216.239.34.10
ns3.google.com. 2126    IN      A       216.239.36.10
ns4.google.com. 2126    IN      A       216.239.38.10

;; Query time: 20 msec
;; SERVER: 192.168.19.1
;; WHEN: Tue Sep 30 10:53:10 2014
;; MSG SIZE  rcvd: 248

That command was executed from the samba box and it works flawlessly and is also very quick further ruling out a timeout issue (NOTE: drill is the FreeBSD equivalent of dig).

Some additional information about my installation:
	OS: FreeBSD 10.0
	Samba version: 4.1.11, server role: ROLE_ACTIVE_DIRECTORY_DC
	Router with DNS forwarder: pfsense 2.1.5 all of this running under XEN 4.3.2 with gentoo hardened-sources and linux kernel 3.15.10 for Dom0.

A debug trace with a higher log level for dns in smb.conf shows that the internal DNS server acknowledges that it is not authoritative for www.google.com (and therefore obviously also confirms the receipt of the
query):
	Not authoritative for 'www.google.com', forwarding

But a tcpdump on the network interface does not show any attempt from the Samba AD DC to contact the forwarder for www.google.com. There is, however, traffic when 192.168.19.1 is added to resolv.conf and DNS resolution works for external addresses - so tcpdump seems to work as well.

Searching the web and asking for help in the IRC channel did not help and currently I am at loss on what's going. I would very much appreciate any help in trying to get to the grounds of this issue.

Many thanks in advance

Atom2
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list