[Samba] dnsupdate_nameupdate_done - Failed DNS update

lingpanda101 at gmail.com lingpanda101 at gmail.com
Fri Sep 23 14:15:17 UTC 2016


On 9/23/2016 9:56 AM, Rowland Penny via samba wrote:
> On Fri, 23 Sep 2016 14:40:56 +0100
> Jonathan Hunter via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> All 3 of my DCs regularly display an error in syslog almost exactly
>> every 10 minutes. They have been doing this for quite some time, and
>> I have so far ignored the message as everything else DNS-wise seemed
>> to mostly be working - but I figured it was worth getting to the
>> bottom of it if I can. So this isn't new at all but rather something
>> that has been present for some time.
>>
>> I am using the internal Samba DNS server, currently with Samba 4.5.0.
>> The message is as follows, every 10 minutes (I have pasted in from
>> all 3 DCs here):
>>
>> Sep 23 13:03:54 dc1 samba[13117]: [2016/09/23 13:03:54.867360,  0]
>> ../source4/dsdb/dns/dns_update.c:290(dnsupdate_nameupdate_done)
>> Sep 23 13:03:54 dc1
>> samba[13117]:   ../source4/dsdb/dns/dns_update.c:290: Failed DNS
>> update - with error code 5
>>
>> Sep 23 13:00:11 dc2 samba[901]: [2016/09/23 13:00:11.584679,  0]
>> ../source4/dsdb/dns/dns_update.c:290(dnsupdate_nameupdate_done)
>> Sep 23 13:00:11 dc2
>> samba[901]:   ../source4/dsdb/dns/dns_update.c:290: Failed DNS update
>> - with error code 10
>>
>> Sep 23 13:05:28 dc3 samba[897]: [2016/09/23 13:05:28.800364,  0]
>> ../source4/dsdb/dns/dns_update.c:290(dnsupdate_nameupdate_done)
>> Sep 23 13:05:28 dc3
>> samba[897]:   ../source4/dsdb/dns/dns_update.c:290: Failed DNS update
>> - with error code 1
>>
>> The precise error codes vary (I have had 1, 6, 10, 110 recently) but
>> I do get some sort of message every 10 minutes, and the error code
>> usually stays the same on a particular DC. If it makes a difference,
>> DC1 and DC2 are in site A, and DC3 is at site B, there is full
>> connectivity between them all (or at least, there should be).
>>
>> I've tried tcpdump and wireshark to figure out what's going on, but I
>> can't seem to spot any form of DNS request coming in that would be an
>> update. The most I can see via tcpdump at any time I've looked are
>> some queries that return NXDOMAIN - e.g. there are frequent ones from
>> a VMware ESXi server querying for
>> _kerberos-master.udp.MYDOMAIN.ORG.UK as per
>> https://communities.vmware.com/thread/491621 and getting NXDOMAIN -
>> but I wouldn't have thought that these queries would constitute a
>> "DNS update" that would fail?
>>
>> My debugging method so far has been to run tcpdump against port 53 -
>> but either I am somehow managing to not see the failing DNS packet
>> when I look at the results, or the DNS update arrives at the DC some
>> other way. Looking at the code in dns_update.c it looks like there
>> may be some form of regular DNS check, that is failing in my case?
>>
>> Does anybody know
>>    - if I can turn debugging on for just this DNS functionality? I
>> expect the log file here to be massive as a DC is also a DNS server..
>> but hopefully that will give me more of a clue as to what "update" is
>> failing?
>>    - if there is some other way I might be able to capture / check this
>> traffic?
>>    - what else I should maybe be looking for in my packet dumps or
>> elsewhere?
>>
>> Are the error codes regular UNIX values, in which case I believe
>> 1 = EPERM (Operation not permitted)
>> 6 = ENXIO (No such device or address)
>> 10 = ECHILD (No child processes)
>> 110 = ETIMEDOUT (Connection timed out)
>> This would explain what the errors mean; but I don't know why they are
>> occurring, and so regularly..
>>
>> Thank you for any pointers! :)
>>
>> Jonathan
>>
> Have you set up the reverse zone ?
> The logs appear to show an update happening followed by one failing,
> forward zone being allowed, reverse zone failing ??
>
> Rowland
>

I'm curious what log level you are using to receive these responses?
I'm also curious if the error codes are actually RCODES in a DNS
response. If so they would be

1: Format Error

5: Refused

10: Name not contained in zone

As Rowland pointed out, DNS updates are being honored followed by a fail.

-- 
-James
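
The thread offers two readings of the logged codes (UNIX errno values, or DNS RCODEs); they can be compared side by side per DC. The following is an added example, not part of the original messages and not Samba code; the log sample is constructed in the shape of the excerpts above, and the names `summarize` and `report` are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Reading 1: Linux errno names (1, 6, 10, 110 are the ones named in the thread).
ERRNOS = {1: "EPERM", 5: "EIO", 6: "ENXIO", 10: "ECHILD", 110: "ETIMEDOUT"}
# Reading 2: DNS RCODE names from RFC 1035 / RFC 2136.
RCODES = {1: "FORMERR", 5: "REFUSED", 6: "YXDOMAIN", 10: "NOTZONE"}

# Constructed sample shaped like the syslog excerpts in the thread.
# The failure message wraps across lines, so it is matched as one stream.
SAMPLE = """\
Sep 23 13:03:54 dc1 samba[13117]: [2016/09/23 13:03:54.867360,  0]
../source4/dsdb/dns/dns_update.c:290(dnsupdate_nameupdate_done)
Sep 23 13:03:54 dc1 samba[13117]:   ../source4/dsdb/dns/dns_update.c:290: Failed DNS
update - with error code 5
Sep 23 13:00:11 dc2 samba[901]:   ../source4/dsdb/dns/dns_update.c:290: Failed DNS update
- with error code 10
Sep 23 13:10:11 dc2 samba[901]:   ../source4/dsdb/dns/dns_update.c:290: Failed DNS update
- with error code 10
Sep 23 13:05:28 dc3 samba[897]:   ../source4/dsdb/dns/dns_update.c:290: Failed DNS update
- with error code 110
"""

# Syslog prefix, host, samba[pid], source location, then the failure text.
# \s+ between words tolerates the line wraps seen in the excerpts.
PATTERN = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+samba\[\d+\]:\s+\S+:\s+"
    r"Failed\s+DNS\s+update\s+-\s+with\s+error\s+code\s+(?P<code>\d+)",
    re.MULTILINE,
)

def summarize(text):
    """Count failure codes per host; debug header lines do not match."""
    per_host = defaultdict(Counter)
    for m in PATTERN.finditer(text):
        per_host[m["host"]][int(m["code"])] += 1
    return per_host

def report(text):
    """Rows of (host, code, count, errno reading, RCODE reading)."""
    rows = []
    for host, codes in sorted(summarize(text).items()):
        for code, count in sorted(codes.items()):
            rows.append((host, code, count,
                         ERRNOS.get(code, "-"), RCODES.get(code, "-")))
    return rows

if __name__ == "__main__":
    for row in report(SAMPLE):
        print("{:<4} code={:<4} n={:<2} errno={:<10} rcode={}".format(*row))
```

A code that has a name in only one of the two tables, such as 110 in this sample, is a hint about which reading applies.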
