[Samba] dnsupdate_nameupdate_done - Failed DNS update

Fri Sep 23 13:56:24 UTC 2016

On Fri, 23 Sep 2016 14:40:56 +0100
Jonathan Hunter via samba <samba at lists.samba.org> wrote:

> Hi,
> 
> All 3 of my DCs regularly display an error in syslog almost exactly
> every 10 minutes. They have been doing this for quite some time, and
> I have so far ignored the message as everything else DNS-wise seemed
> to mostly be working - but I figured it was worth getting to the
> bottom of it if I can. So this isn't new at all but rather something
> that has been present for some time.
> 
> I am using the internal Samba DNS server, currently with Samba 4.5.0.
> The message is as follows, every 10 minutes (I have pasted in from
> all 3 DCs here):
> 
> Sep 23 13:03:54 dc1 samba[13117]: [2016/09/23 13:03:54.867360,  0]
> ../source4/dsdb/dns/dns_update.c:290(dnsupdate_nameupdate_done)
> Sep 23 13:03:54 dc1
> samba[13117]:   ../source4/dsdb/dns/dns_update.c:290: Failed DNS
> update - with error code 5
> 
> Sep 23 13:00:11 dc2 samba[901]: [2016/09/23 13:00:11.584679,  0]
> ../source4/dsdb/dns/dns_update.c:290(dnsupdate_nameupdate_done)
> Sep 23 13:00:11 dc2
> samba[901]:   ../source4/dsdb/dns/dns_update.c:290: Failed DNS update
> - with error code 10
> 
> Sep 23 13:05:28 dc3 samba[897]: [2016/09/23 13:05:28.800364,  0]
> ../source4/dsdb/dns/dns_update.c:290(dnsupdate_nameupdate_done)
> Sep 23 13:05:28 dc3
> samba[897]:   ../source4/dsdb/dns/dns_update.c:290: Failed DNS update
> - with error code 1
> 
> The precise error codes vary (I have had 1, 6, 10, 110 recently) but
> I do get some sort of message every 10 minutes, and the error code
> usually stays the same on a particular DC. If it makes a difference,
> DC1 and DC2 are in site A, and DC3 is at site B, there is full
> connectivity between them all (or at least, there should be).
> 
> I've tried tcpdump and wireshark to figure out what's going on, but I
> can't seem to spot any form of DNS request coming in that would be an
> update. The most I can see via tcpdump at any time I've looked are
> some queries that return NXDOMAIN - e.g. there are frequent ones from
> an VMWare ESXi server querying for
> _kerberos-master.udp.MYDOMAIN.ORG.UK as per
> https://communities.vmware.com/thread/491621 and getting NXDOMAIN -
> but I wouldn't have thought that these queries would constitute a
> "DNS update" that would fail?
> 
> My debugging method so far has been to run tcpdump against port 53 -
> but either I am somehow managing to not see the failing DNS packet
> when I look at the results, or the DNS update arrives at the DC some
> other way. Looking at the code in dns_update.c it looks like there
> may be some form of regular DNS check, that is failing in my case?
> 
> Does anybody know
>   - if I can turn debugging on for just this DNS functionality? I
> expect the log file here to be massive as a DC is also a DNS server..
> but hopefully that will give me more of a clue as to what "update" is
> failing?
>   - if there is some other way I might be able to capture / check this
> traffic?
>   - what else I should maybe be looking for in my packet dumps or
> elsewhere?
> 
> Are the error codes regular UNIX values, in which case I believe
> 1 = EPERM (Operation not permitted)
> 6 = ENXIO (No such device or address)
> 10 = ECHILD (No child processes)
> 110 = ETIMEDOUT (Connection timed out)
> This would explain what the errors mean; but I don't know why they are
> occurring, and so regularly..
> 
> Thank you for any pointers! :)
> 
> Jonathan
> 

Have you set up the reverse zone ?
The logs appear to show an update happening followed by one failing,
forward zone being allowed, reverse zone failing ??

Rowland