[Samba] Samba4 internal DNS - can't resolve extrenal hosts

Atom2 ariel.atom2 at web2web.at
Tue Sep 30 06:22:19 MDT 2014 

Thomas,
thanks for your answer - see my comments below.

Atom2
Am 30.09.14 um 13:57 schrieb Thomas Mulkey:
> One other thing I would check is to load the RSAT tools on a windblows box and open up the dns manager to see what DNS looks like on that side of things.  Make sure there is no strangeness going on there.
RSAT on the windows box is able to connect and also shows the expected 
DNS server entries; obviously the DNS forwarder is not shown there, but 
according to my understanding and unless I am mistaken that should be 
expected as this is only stored in the smb.conf file.

>
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Thomas Mulkey
> Sent: Tuesday, September 30, 2014 7:56 AM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba4 internal DNS - can't resolve extrenal hosts
>
> I am a bit of a Samba Newb, but I noticed a couple of things that are different from my test environment which has 2 Samba 4 AD DC's.
>
> My resolv.conf has
>
> search incenta.local
> nameserver 10.0.2.150
search versus domain should not make any difference:
domain is set to the name of the local domain and would be appended to 
any host name without domain part in case the search does not yield a 
result;
search on the other hand allows to add more domains that would be 
appended in turn (if I recall correctly up to 6), but apart from that 
has the same functionality

BTW you can only use one or the other -that is search or domain.

As to you nameserver entry: I don't understand where your internal Samba 
DNS forwards unresolvable queries to? As far as I understand Samba's 
internal DNS can only resolve hosts it knows about, but can't forward 
queries unless a dns forwarder is defined in smb.conf - and that's the 
part that's not working for me. I can resolve names internal to the 
Samba DNS.
>
> 10.0.2.150 is my first DC that has the samba internal dns.
> Incenta.local is my domain name
>
> Second
> You may want to try setting your forwarded to 8.8.8.8 in the smb.conf (dns forwarder 8.8.8.8, this would rule out any problems with your local dns resolution on pfsense.  I would just verify for sure that the problem is with the samba re-direction
I had tried that already, but to be on the safe side just did it again. 
The result is the same: Samba's DNS can't resolve www.google.com even 
when google's DNS server is specified as the dns forwarder in smb.conf.
	# host www.google.com
	Host www.google.com not found: 3(NXDOMAIN)

And yes, I restarted samba after changing the dns forwarder line in 
smb.conf and I also used testparm to check whether my changes were 
propagated and the syntax is o.k.

In any case thanks for your thoughts.

Atom2
>
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Atom2
> Sent: Tuesday, September 30, 2014 4:57 AM
> To: samba at lists.samba.org
> Subject: [Samba] Samba4 internal DNS - can't resolve extrenal hosts
>
> Hello List,
> I am facing a probelm whereby my Samba4 internal DNS does not resolve external addresses:
> 	# host www.google.com
> 	Host www.google.com not found: 3(NXDOMAIN) The answer is immediate - so there's no timeout issue here.
>
> Internal resolution as described in the wiki to test the Samba AD DNS functions like
> 	host -t SRV _kerberos._udp.samba.mydomain.com
> 	host -t SRV _ldap._tcp.samba.mydomain.com
> 	host -A storage.samba.mydomain.com
> work as expected and returns the right answers. The Samba DNS is expected to be authoritative for the samba.mydomain.com subdomain; the hostname of the DC is storage at 192.168.19.13.
>
> The SAMBA DNS is the only nameserver entry in my /etc/resolv.conf:
> 	domain          samba.mydomain.com
> 	nameserver      192.168.19.13
>
> My smb.conf contains a line
> 	dns forwarder = 192.168.19.1
> where 192.168.19.1 is the IP address of the pfsense router providing DNS services to mydomain.com through DNSmasq.
>
> If I add the dns forwarder as a *second* entry to /etc/resolv.conf external name resolution from the DC box works without any problems as it does from any other host in the network using 192.168.19.1 as its DNS server. This to me indicates that my DNS forwarder on pfsense per se does actually work as expected.
>
> # drill www.google.com @192.168.19.1
> ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 8606 ;; flags: qr rd ra ; QUERY: 1, ANSWER: 5, AUTHORITY: 4, ADDITIONAL: 4 ;; QUESTION SECTION:
> ;; www.google.com.      IN      A
>
> ;; ANSWER SECTION:
> www.google.com. 38      IN      A       173.194.113.81
> www.google.com. 38      IN      A       173.194.113.82
> www.google.com. 38      IN      A       173.194.113.83
> www.google.com. 38      IN      A       173.194.113.84
> www.google.com. 38      IN      A       173.194.113.80
>
> ;; AUTHORITY SECTION:
> google.com.     28834   IN      NS      ns3.google.com.
> google.com.     28834   IN      NS      ns2.google.com.
> google.com.     28834   IN      NS      ns4.google.com.
> google.com.     28834   IN      NS      ns1.google.com.
>
> ;; ADDITIONAL SECTION:
> ns1.google.com. 342425  IN      A       216.239.32.10
> ns2.google.com. 342425  IN      A       216.239.34.10
> ns3.google.com. 2126    IN      A       216.239.36.10
> ns4.google.com. 2126    IN      A       216.239.38.10
>
> ;; Query time: 20 msec
> ;; SERVER: 192.168.19.1
> ;; WHEN: Tue Sep 30 10:53:10 2014
> ;; MSG SIZE  rcvd: 248
>
> That command was executed from the samba box and it works flawlessly and is also very quick further ruling out a timeout issue (NOTE: drill is the FreeBSD equivalent of dig).
>
> Some additional information about my installation:
> 	OS: FreeBSD 10.0
> 	Samba version: 4.1.11, server role: ROLE_ACTIVE_DIRECTORY_DC
> 	Router with DNS forwarder: pfsense 2.1.5 all of this running under XEN 4.3.2 with gentoo hardened-sources and linux kernel 3.15.10 for Dom0.
>
> A debug trace with a higher log level for dns in smb.conf shows that the internal DNS server acknowledges that it is not authoritative for www.google.com (and therefore obviously also confirms the receipt of the
> query):
> 	Not authoritative for 'www.google.com', forwarding
>
> But a tcpdump on the network interface does not show any attempt from the Samba AD DC to contact the forwarder for www.google.com. There is, however, traffic when 192.168.19.1 is added to resolv.conf and DNS resolution works for external addresses - so tcpdump seems to work as well.
>
> Searching the web and asking for help in the IRC channel did not help and currently I am at loss on what's going. I would very much appreciate any help in trying to get to the grounds of this issue.
>
> Many thanks in advance
>
> Atom2
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

More information about the samba mailing list