[Samba] Samba4 internal DNS - can't resolve external hosts

L.P.H. van Belle belle at bazuin.nl
Tue Sep 30 06:42:17 MDT 2014

The resolv.conf:

Always use search and not domain.
If domain isn't in resolv.conf, the first entry of search is used for domain.

And for search you can do this:

search internal.domain.tld internal2.domain.tld etc etc. ..
nameserver ...

If both search and domain are in resolv.conf, the last one in resolv.conf wins; there can only be one.
(see man resolv.conf)
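Added example, not part of the list post: a small linter that applies the resolv.conf rules stated above (search and domain are mutually exclusive, the last one wins, the first search entry doubles as the local domain) and flags the second-nameserver setup that, as the thread shows, makes a broken `dns forwarder` in smb.conf look like it works. The 192.0.2.x addresses and the sample files are constructed; the poster's real addresses are elided on the page.

```python
# Added example (not from the list post): lint /etc/resolv.conf against the rules
# in the reply above. Assumes glibc semantics: search/domain are mutually exclusive.
from typing import List, NamedTuple, Optional

class ResolvConf(NamedTuple):
    nameservers: List[str]
    search: List[str]      # effective search list after "last one wins"
    warnings: List[str]

def parse_resolv_conf(text: str) -> ResolvConf:
    nameservers: List[str] = []
    search: List[str] = []
    seen: List[str] = []   # domain/search directives in the order they appear
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            nameservers.append(args[0])
        elif key == "domain" and args:
            seen.append("domain")
            search = [args[0]]     # domain is just a one-entry search list
        elif key == "search" and args:
            seen.append("search")
            search = list(args)    # replaces any earlier search/domain list
    warnings: List[str] = []
    if "domain" in seen and "search" in seen:
        warnings.append(f"both domain and search present; the last one ({seen[-1]}) wins")
    if len(nameservers) > 1:
        warnings.append("second nameserver: on a Samba AD DC it masks a broken "
                        "'dns forwarder' in smb.conf; point only at the DC itself")
    return ResolvConf(nameservers, search, warnings)

def local_domain(conf: ResolvConf) -> Optional[str]:
    """The first search entry is what the resolver uses as the local domain."""
    return conf.search[0] if conf.search else None

# Constructed samples; 192.0.2.x are documentation-range placeholders for the
# addresses elided on the page.
DC_RESOLV_CONF = "domain          samba.mydomain.com\nnameserver      192.0.2.10\n"
MIXED_RESOLV_CONF = """\
domain internal.domain.tld
search internal.domain.tld internal2.domain.tld
nameserver 192.0.2.10
nameserver 192.0.2.1   # forwarder added as a second entry
"""
```

`parse_resolv_conf(MIXED_RESOLV_CONF).warnings` reports both problems, while the DC sample passes clean with `samba.mydomain.com` as its local domain.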


>-----Original Message-----
>From: ariel.atom2 at web2web.at
>[mailto:samba-bounces at lists.samba.org] On Behalf Of Atom2
>Sent: Tuesday, 30 September 2014 14:22
>To: samba at lists.samba.org
>Subject: Re: [Samba] Samba4 internal DNS - can't resolve
>external hosts
>Thanks for your answer - see my comments below.
>On 30.09.14 at 13:57, Thomas Mulkey wrote:
>> One other thing I would check is to load the RSAT tools on a
>> windblows box and open up the dns manager to see what DNS
>> looks like on that side of things.  Make sure there is no
>> strangeness going on there.
>RSAT on the windows box is able to connect and also shows the expected 
>DNS server entries; obviously the DNS forwarder is not shown 
>there, but 
>according to my understanding and unless I am mistaken that should be 
>expected as this is only stored in the smb.conf file.
>> -----Original Message-----
>> From: samba-bounces at lists.samba.org
>> [mailto:samba-bounces at lists.samba.org] On Behalf Of Thomas Mulkey
>> Sent: Tuesday, September 30, 2014 7:56 AM
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Samba4 internal DNS - can't resolve
>> external hosts
>> I am a bit of a Samba Newb, but I noticed a couple of things
>> that are different from my test environment which has 2 Samba
>> 4 AD DC's.
>> My resolv.conf has
>> search incenta.local
>> nameserver
>search versus domain should not make any difference:
>domain is set to the name of the local domain and would be appended to
>any host name without domain part in case the search does not yield a
>search on the other hand allows adding more domains that would be
>appended in turn (if I recall correctly up to 6), but apart from that
>has the same functionality.
>BTW you can only use one or the other - that is search or domain.
>As to your nameserver entry: I don't understand where your
>internal Samba
>DNS forwards unresolvable queries to? As far as I understand Samba's 
>internal DNS can only resolve hosts it knows about, but can't forward 
>queries unless a dns forwarder is defined in smb.conf - and that's the 
>part that's not working for me. I can resolve names internal to the 
>Samba DNS.
>> is my first DC that has the samba internal dns.
>> Incenta.local is my domain name
>> Second
>> You may want to try setting your forwarder to in the
>> smb.conf (dns forwarder, this would rule out any
>> problems with your local dns resolution on pfsense.  I would
>> just verify for sure that the problem is with the samba re-direction
>I had tried that already, but to be on the safe side just did 
>it again. 
>The result is the same: Samba's DNS can't resolve www.google.com even 
>when google's DNS server is specified as the dns forwarder in smb.conf.
>	# host www.google.com
>	Host www.google.com not found: 3(NXDOMAIN)
>And yes, I restarted samba after changing the dns forwarder line in 
>smb.conf and I also used testparm to check whether my changes were 
>propagated and the syntax is o.k.
>In any case thanks for your thoughts.
>> -----Original Message-----
>> From: samba-bounces at lists.samba.org
>> [mailto:samba-bounces at lists.samba.org] On Behalf Of Atom2
>> Sent: Tuesday, September 30, 2014 4:57 AM
>> To: samba at lists.samba.org
>> Subject: [Samba] Samba4 internal DNS - can't resolve external hosts
>> Hello List,
>> I am facing a problem whereby my Samba4 internal DNS does
>> not resolve external addresses:
>> 	# host www.google.com
>> 	Host www.google.com not found: 3(NXDOMAIN)
>> The answer is immediate - so there's no timeout issue here.
>> Internal resolution as described in the wiki to test the
>> Samba AD DNS functions like
>> 	host -t SRV _kerberos._udp.samba.mydomain.com
>> 	host -t SRV _ldap._tcp.samba.mydomain.com
>> 	host -A storage.samba.mydomain.com
>> work as expected and return the right answers. The Samba
>> DNS is expected to be authoritative for the samba.mydomain.com
>> subdomain; the hostname of the DC is storage at
>> The SAMBA DNS is the only nameserver entry in my /etc/resolv.conf:
>> 	domain          samba.mydomain.com
>> 	nameserver
>> My smb.conf contains a line
>> 	dns forwarder =
>> where is the IP address of the pfsense router
>> providing DNS services to mydomain.com through DNSmasq.
>> If I add the dns forwarder as a *second* entry to
>> /etc/resolv.conf external name resolution from the DC box
>> works without any problems as it does from any other host in
>> the network using as its DNS server. This to me
>> indicates that my DNS forwarder on pfsense per se does
>> actually work as expected.
>> # drill www.google.com @
>> ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 8606 ;; 
>> flags: qr rd ra ; QUERY: 1, ANSWER: 5, AUTHORITY: 4,
>> ;; www.google.com.      IN      A
>> www.google.com. 38      IN      A
>> www.google.com. 38      IN      A
>> www.google.com. 38      IN      A
>> www.google.com. 38      IN      A
>> www.google.com. 38      IN      A
>> google.com.     28834   IN      NS      ns3.google.com.
>> google.com.     28834   IN      NS      ns2.google.com.
>> google.com.     28834   IN      NS      ns4.google.com.
>> google.com.     28834   IN      NS      ns1.google.com.
>> ns1.google.com. 342425  IN      A
>> ns2.google.com. 342425  IN      A
>> ns3.google.com. 2126    IN      A
>> ns4.google.com. 2126    IN      A
>> ;; Query time: 20 msec
>> ;; SERVER:
>> ;; WHEN: Tue Sep 30 10:53:10 2014
>> ;; MSG SIZE  rcvd: 248
>> That command was executed from the samba box and it works
>> flawlessly and is also very quick, further ruling out a timeout
>> issue (NOTE: drill is the FreeBSD equivalent of dig).
>> Some additional information about my installation:
>> 	OS: FreeBSD 10.0
>> 	Samba version: 4.1.11, server role: ROLE_ACTIVE_DIRECTORY_DC
>> 	Router with DNS forwarder: pfsense 2.1.5
>> All of this is running under XEN 4.3.2 with gentoo hardened-sources and linux
>> kernel 3.15.10 for Dom0.
>> A debug trace with a higher log level for dns in smb.conf
>> shows that the internal DNS server acknowledges that it is not
>> authoritative for www.google.com (and therefore obviously also
>> confirms the receipt of the query):
>> 	Not authoritative for 'www.google.com', forwarding
>> But a tcpdump on the network interface does not show any
>> attempt from the Samba AD DC to contact the forwarder for
>> www.google.com. There is, however, traffic when
>> is added to resolv.conf and DNS resolution works for external
>> addresses - so tcpdump seems to work as well.
>> Searching the web and asking for help in the IRC channel did
>> not help and currently I am at a loss as to what's going on. I would
>> very much appreciate any help in trying to get to the grounds
>> of this issue.
>> Many thanks in advance
>> Atom2
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba