[Samba] DNS not resolving particular host from queries from particular subnet
Rowland Penny
rpenny at samba.org
Fri Jun 1 12:04:04 UTC 2018
On Fri, 1 Jun 2018 12:12:43 +0100
Zdravko Zdravkov <nirayah at gmail.com> wrote:
> True that! Sorry
>
> smb.conf
>
>
> > [global]
> >     netbios name = AD
> >     realm = XXXX.CO.UK
> >     server role = active directory domain controller
> >     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> >     workgroup = XXXX
> >     idmap config XXXX:unix_nss_info = yes
You should remove the line above, it should not be in a DC smb.conf
> >     idmap_ldb:use rfc2307 = yes
> >     log file = /var/log/samba/samba.log
> >     log level = 3
>
>
>
> named.conf
>
> include "/usr/local/samba/private/named.conf";
> > options {
> >     listen-on port 53 { 127.0.0.1; 192.168.26.2; };
> >     // listen-on-v6 port 53 { ::1; };
> >     directory "/var/named";
> >     dump-file "/var/named/data/cache_dump.db";
> >     statistics-file "/var/named/data/named_stats.txt";
> >     memstatistics-file "/var/named/data/named_mem_stats.txt";
> >     allow-query { any; };
> >     /*
> >      - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
> >      - If you are building a RECURSIVE (caching) DNS server, you need to enable
> >        recursion.
> >      - If your recursive DNS server has a public IP address, you MUST enable access
> >        control to limit queries to your legitimate users. Failing to do so will
> >        cause your server to become part of large scale DNS amplification
> >        attacks. Implementing BCP38 within your network would greatly reduce such
> >        attack surface
> >     */
> >     allow-recursion {
> >         127.0.0.1;
> >         192.168.26.0/24;
> >         192.168.27.0/24;
> >     };
> >
> >     //recursion yes;
> >     tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
> >     dnssec-enable yes;
> >     dnssec-validation yes;
> >     /* Path to ISC DLV key */
> >     bindkeys-file "/etc/named.iscdlv.key";
> >     managed-keys-directory "/var/named/dynamic";
> >     pid-file "/run/named/named.pid";
> >     session-keyfile "/run/named/session.key";
> > };
> > logging {
> >     channel default_debug {
> >         file "data/named.run";
> >         severity dynamic;
> >     };
> > };
> > zone "." IN {
> >     type hint;
> >     file "named.ca";
> > };
> > //include "/etc/named.rfc1912.zones";
> > //include "/etc/named.root.key";
>
>
There are several things wrong with that named.conf, the biggest being
that you haven't set any forwarders. The DNS server running on a Samba
AD DC must be authoritative for its DNS domain; anything outside this
domain should be forwarded to another DNS server outside the domain.
Can I suggest you try this named.conf:
options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    forwarders { 8.8.8.8; 8.8.4.4; };
    dnssec-validation no;
    auth-nxdomain yes; # conform to RFC1035 =no
    listen-on-v6 { none; };
    listen-on port 53 { 127.0.0.1; 192.168.26.2; };
    notify no;
    empty-zones-enable no;
    allow-query { any; };
    allow-recursion {
        127.0.0.1/32;
        192.168.26.0/24;
        192.168.27.0/24;
    };
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
include "/usr/local/samba/private/named.conf";
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
It is based on your info and my known working set up, though you may
want to change the forwarders.
Rowland
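As an added example (not code from the thread, from Rowland, or from the Samba project), a small POSIX sh linter for the points Rowland raises above: it strips BIND-style comments, then checks a named.conf for a forwarders block, the include of Samba's private/named.conf, the tkey-gssapi-keytab line and the dnssec-validation setting, and checks an smb.conf for the `idmap config ...:unix_nss_info` line that does not belong on a DC. The `/usr/local/samba/private/` paths come from the thread; the script name and the assumption that no quoted string in the config contains `//` or `#` are mine.

```shell
#!/bin/sh
# Added example, not from the thread: lint a named.conf and smb.conf for the
# points raised above (forwarders, Samba's include and keytab, the idmap line).
# Assumes BIND comment syntax and that no quoted string contains "//" or "#".

# Remove /* ... */ block comments and // or # line comments from a BIND config file.
strip_bind_comments() {
    awk '
    {
        s = $0
        if (inblock) {                       # still inside a block comment from an earlier line
            i = index(s, "*/")
            if (i == 0) next
            s = substr(s, i + 2); inblock = 0
        }
        i = index(s, "/*")
        while (i > 0) {                      # block comments that start on this line
            j = index(substr(s, i + 2), "*/")
            if (j == 0) { s = substr(s, 1, i - 1); inblock = 1; break }
            s = substr(s, 1, i - 1) substr(s, i + j + 3)
            i = index(s, "/*")
        }
        sub(/\/\/.*$/, "", s)                # line comments
        sub(/#.*$/, "", s)
        print s
    }' "$1"
}

# Check a named.conf meant for a Samba AD DC. Prints one line per finding and
# returns the number of findings (0 = nothing found).
check_named_conf() {
    conf=$(strip_bind_comments "$1")
    n=0
    if ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*forwarders[[:space:]]*\{'; then
        echo "named.conf: no forwarders set; names outside the AD domain cannot be resolved"
        n=$((n + 1))
    fi
    if ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*include[[:space:]]+"[^"]*/private/named\.conf"'; then
        echo "named.conf: Samba's private/named.conf is not included; the AD zones will not be served"
        n=$((n + 1))
    fi
    if ! printf '%s\n' "$conf" | grep -Eq 'tkey-gssapi-keytab[[:space:]]+"[^"]*dns\.keytab"'; then
        echo "named.conf: tkey-gssapi-keytab is missing; GSS-TSIG dynamic updates from the DC will fail"
        n=$((n + 1))
    fi
    if printf '%s\n' "$conf" | grep -Eq 'dnssec-validation[[:space:]]+yes'; then
        echo "named.conf: dnssec-validation is yes; the suggested config sets it to no"
        n=$((n + 1))
    fi
    return "$n"
}

# Check an smb.conf for settings that do not belong on a DC. Same return convention.
check_smb_conf() {
    n=0
    if grep -Eq '^[[:space:]]*idmap config [^:]+:unix_nss_info[[:space:]]*=' "$1"; then
        echo "smb.conf: 'idmap config ...:unix_nss_info' must not be set on a DC"
        n=$((n + 1))
    fi
    return "$n"
}

# Usage: sh check_dc_dns.sh /etc/named.conf /etc/samba/smb.conf
if [ "$#" -eq 2 ]; then
    total=0
    check_named_conf "$1" || total=$((total + $?))
    check_smb_conf "$2" || total=$((total + $?))
    echo "$total finding(s)"
    [ "$total" -eq 0 ]
fi
```

Run against the named.conf quoted at the top of the thread it reports the missing forwarders and the `dnssec-validation yes` line; run against Rowland's suggested file it reports nothing. The comment stripper matters because a forwarders block left inside `/* */` or behind `//` would otherwise look like a configured forwarder.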