[Samba] DNS not resolving particular host from queries from particular subnet
Zdravko Zdravkov
nirayah at gmail.com
Fri Jun 1 12:21:44 UTC 2018
Hi Rowland.
Trying the suggested named.conf broke the local resolve of the storage as
well (for clients in 192.168.26.0), so I reverted back to my old one since
I have computers here using the storage at the moment.
Would you have any other suggestions?
On Fri, Jun 1, 2018 at 1:04 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Fri, 1 Jun 2018 12:12:43 +0100
> Zdravko Zdravkov <nirayah at gmail.com> wrote:
>
> > True that! Sorry
> >
> > smb.conf
> >
> >
> > > [global]
> > > netbios name = AD
> > > realm = XXXX.CO.UK
> > > server role = active directory domain controller
> > > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> > > drepl, winbindd, ntp_signd, kcc, dnsupdate
> > > workgroup = XXXX
> > > idmap config XXXX:unix_nss_info = yes
>
> You should remove the line above, it should not be in a DC smb.conf
>
> > > idmap_ldb:use rfc2307 = yes
> > > log file = /var/log/samba/samba.log
> > > log level = 3
> >
> >
> >
> > named.conf
> >
> > include "/usr/local/samba/private/named.conf";
> > > options {
> > >     listen-on port 53 { 127.0.0.1; 192.168.26.2; };
> > >     // listen-on-v6 port 53 { ::1; };
> > >     directory "/var/named";
> > >     dump-file "/var/named/data/cache_dump.db";
> > >     statistics-file "/var/named/data/named_stats.txt";
> > >     memstatistics-file "/var/named/data/named_mem_stats.txt";
> > >     allow-query { any; };
> > >     /*
> > >      - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
> > >      - If you are building a RECURSIVE (caching) DNS server, you need to enable
> > >        recursion.
> > >      - If your recursive DNS server has a public IP address, you MUST enable access
> > >        control to limit queries to your legitimate users. Failing to do so will
> > >        cause your server to become part of large scale DNS amplification
> > >        attacks. Implementing BCP38 within your network would greatly reduce such attack surface
> > >     */
> > >     allow-recursion {
> > >         127.0.0.1;
> > >         192.168.26.0/24;
> > >         192.168.27.0/24;
> > >     };
> > >
> > >     //recursion yes;
> > >     tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
> > >     dnssec-enable yes;
> > >     dnssec-validation yes;
> > >     /* Path to ISC DLV key */
> > >     bindkeys-file "/etc/named.iscdlv.key";
> > >     managed-keys-directory "/var/named/dynamic";
> > >     pid-file "/run/named/named.pid";
> > >     session-keyfile "/run/named/session.key";
> > > };
> > > logging {
> > >     channel default_debug {
> > >         file "data/named.run";
> > >         severity dynamic;
> > >     };
> > > };
> > > zone "." IN {
> > >     type hint;
> > >     file "named.ca";
> > > };
> > > //include "/etc/named.rfc1912.zones";
> > > //include "/etc/named.root.key";
> >
> >
>
> There are several things wrong with that named.conf, the biggest being
> that you haven't set any forwarders. The DNS server running on a Samba
> AD DC must be authoritative for its DNS domain, anything outside this
> domain should be forwarded to another DNS server outside the domain.
> Can I suggest you try this named.conf:
>
> options {
>     directory "/var/named";
>     dump-file "/var/named/data/cache_dump.db";
>     statistics-file "/var/named/data/named_stats.txt";
>     memstatistics-file "/var/named/data/named_mem_stats.txt";
>
>     forwarders { 8.8.8.8; 8.8.4.4; };
>
>     dnssec-validation no;
>     auth-nxdomain yes;    # conform to RFC1035 =no
>     listen-on-v6 { none; };
>     listen-on port 53 { 127.0.0.1; 192.168.26.2; };
>     notify no;
>     empty-zones-enable no;
>     allow-query { any; };
>     allow-recursion {
>         127.0.0.1/32;
>         192.168.26.0/24;
>         192.168.27.0/24;
>     };
>     tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
>
> };
>
> include "/usr/local/samba/private/named.conf";
>
> logging {
>     channel default_debug {
>         file "data/named.run";
>         severity dynamic;
>     };
> };
> zone "." IN {
>     type hint;
>     file "named.ca";
> };
>
> It is based on your info and my known working set up, though you may
> want to change the forwarders.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
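As an added example (not code from this thread, nor from Samba or BIND), a small Python check that parses the `options { }` block of a named.conf and flags the points raised in Rowland's reply: no forwarders, recursion allowed for `any`, and dnssec-validation not switched off. The two configs are constructed, trimmed copies of the ones quoted above; the parser is minimal and assumes no `//` or `#` inside quoted strings.

```python
import re
# Constructed, trimmed copies of the two named.conf files in the thread (the poster's, with no forwarders, and the suggested replacement).
ORIGINAL = """include "/usr/local/samba/private/named.conf";
options {
    /* do NOT enable recursion on an AUTHORITATIVE server */
    allow-recursion { 127.0.0.1; 192.168.26.0/24; 192.168.27.0/24; };
    //recursion yes;
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
    dnssec-validation yes;
};"""
SUGGESTED = """options {
    forwarders { 8.8.8.8; 8.8.4.4; };
    dnssec-validation no;
    auth-nxdomain yes; # conform to RFC1035 =no
    allow-recursion { 127.0.0.1/32; 192.168.26.0/24; 192.168.27.0/24; };
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
include "/usr/local/samba/private/named.conf";"""

def strip_comments(text):
    """Drop BIND's three comment styles: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def options_statements(text):
    """Map each `keyword value;` inside the options { } block to its value."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return {}
    depth, stmts, cur = 1, {}, ""
    for ch in text[m.end():]:
        depth += (ch == "{") - (ch == "}")
        if depth == 0:                      # closing brace of options
            break
        if ch == ";" and depth == 1:        # end of a top-level statement
            key, val = (re.split(r"\s+", cur.strip(), maxsplit=1) + [""])[:2]
            stmts[key], cur = val, ""
        else:
            cur += ch
    return stmts

def acl_items(value):
    """Split a `{ a; b; }` address list into its entries."""
    return [v.strip() for v in value.strip("{} \n").split(";") if v.strip()]

def audit(conf):
    """Check a named.conf for the problems raised in the thread; return findings."""
    o = options_statements(strip_comments(conf))
    checks = [
        ("forwarders" not in o, "no forwarders: names outside the AD domain cannot be resolved"),
        ("any" in acl_items(o.get("allow-recursion", "")), "allow-recursion { any; }: recursion open to the world"),
        (o.get("dnssec-validation", "").lower() != "no", "dnssec-validation not set to no (the suggested config disables it)"),
    ]
    return [msg for hit, msg in checks if hit]
```

Running `audit(ORIGINAL)` reports the missing forwarders and the enabled dnssec-validation, while `audit(SUGGESTED)` reports nothing.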