[Samba] Samba + BIND9 DLZ. DNS dosen't resolve FQDN, only short hostname

L.P.H. van Belle belle at bazuin.nl
Wed Feb 20 10:17:05 UTC 2019


Hai, 

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Mgr. 
> Peter Tuharsky via samba
> Sent: Wednesday 20 February 2019 10:28
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba + BIND9 DLZ. DNS dosen't resolve 
> FQDN, only short hostname
> 
> Well, the mystery is solved. It WAS Avahi, in a way... 
This is said wrongly...

> Even though it was disabled as a daemon, 
> it still haunted the system by means of nsswitch.conf
> 
> In the 'hosts' line, the Debian default entry 'mdns4_minimal
> [NOTFOUND=return]' does exactly what we don't want - for 
> .local domains
> it asks Avahi and if it doesn't know, it never asks the other 
> services,
> such as dns etc.

And wrong is `the domain is .local`. 
Why oh why is .local used? That is a reserved name for mDNS (avahi). Yes. 
So what happened here is TOTALLY CORRECT. Here the problem is you are using .local. 

> 
> I hope the documentation (Wiki) should be more vocal about that - that
> if the domain is .local, the 'dns' entry MUST precede 'mdns4_minimal'
> and 'mdns4' entries.

Possibly yes, but if correctly set up, not needed. 
And for people thinking a bit ahead... Future systems will mostly use systemd, whether we like it or not. 

Then if systemd is used correctly and you use systemd-resolved, you get this.
A random new server I'm setting up, not a samba server, but that's not the point; the point is resolving, 
and what you see in this output. 

sudo resolvectl  (the defaults) 
Global
       LLMNR setting: yes
MulticastDNS setting: yes
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
Fallback DNS Servers: 8.8.8.8
                      8.8.4.4
                      2001:4860:4860::8888
                      2001:4860:4860::8844
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa
                      18.172.in-addr.arpa
                      19.172.in-addr.arpa
                      20.172.in-addr.arpa
                      21.172.in-addr.arpa
                      22.172.in-addr.arpa
                      23.172.in-addr.arpa
                      24.172.in-addr.arpa
                      25.172.in-addr.arpa
                      26.172.in-addr.arpa
                      27.172.in-addr.arpa
                      28.172.in-addr.arpa
                      29.172.in-addr.arpa
                      30.172.in-addr.arpa
                      31.172.in-addr.arpa
                      corp
                      d.f.ip6.arpa
                      home
                      internal
                      intranet
                      lan
                      local
                      private
                      test

So what you shouldn't be using for samba domains:  
                      .corp
                      .home
                      .internal
                      .intranet
                      .lan
                      .local
                      .private
                      .test


More ahead,  about LLMNR
https://en.wikipedia.org/wiki/Link-Local_Multicast_Name_Resolution 
See also.. 
Network Basic Input/Output System (NetBIOS)
Peer Name Resolution Protocol (PNRP)
Multicast DNS (mDNS)
Zero-configuration networking (Zeroconf)
Now mix this and what do you get? 
Samba + avahi and the use of LLMNR to replace netbios. 
But is this what you want? 

I don't think so. 
Read: https://www.blackhillsinfosec.com/how-to-disable-llmnr-why-you-want-to/ 
https://www.crowe.com/cybersecurity-watch/netbios-llmnr-giving-away-credentials 
https://attack.mitre.org/techniques/T1171/ 

So why again is it so important to have a perfect DNS setup? 
So you don't have to use LLMNR or netbios anymore. 

But if you set it up correctly, avahi and DNS can coexist fine on a samba network. 
But again, this is my personal opinion, not recommended. 

Greetz, 

Louis
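
The check below is an added example, not part of Louis's post or of Samba itself. It parses the `hosts:` line of an nsswitch.conf and flags the two problems discussed in the thread: a Samba realm whose top-level name is one of the names systemd-resolved lists under "DNSSEC NTA" above (so mDNS/LLMNR or resolved will claim it), and the Debian default ordering `mdns4_minimal [NOTFOUND=return]` ahead of `dns`, which for a `.local` realm means a miss in Avahi stops the lookup before DNS is ever asked. The sample nsswitch.conf text and the realm names are constructed for the example.

```python
"""Flag the nsswitch.conf / reserved-domain pitfalls described in the thread.

Added example. SAMPLE_NSSWITCH and the realm names used in the usage
section are constructed, not taken from any real host.
"""
import re

# Non-reverse names from the resolvectl "DNSSEC NTA" list in the post;
# .local is additionally the mDNS domain (RFC 6762).
RESERVED_TLDS = {"corp", "home", "internal", "intranet", "lan",
                 "local", "private", "test"}

# Constructed sample with the Debian default 'hosts' ordering.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:         files systemd
group:          files systemd
hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files
"""

# Either a bracketed action block "[STATUS=action ...]" or a service name.
_TOKEN = re.compile(r"\[([^\]]*)\]|(\S+)")


def _parse_spec(spec):
    """Turn 'files mdns4_minimal [NOTFOUND=return] dns' into
    [(service, {STATUS: action}), ...]; an action block applies to the
    service that precedes it, as in nsswitch.conf(5)."""
    entries = []
    for action_block, service in _TOKEN.findall(spec):
        if service:
            entries.append((service, {}))
        elif entries:
            for item in action_block.split():
                status, _, action = item.partition("=")
                # A leading '!' negates the status; keep it so it does not
                # match the plain status below.
                entries[-1][1][status.upper()] = action.lower()
    return entries


def parse_hosts_line(nsswitch_text):
    """Return the parsed 'hosts:' database, or [] if the file has none."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line or ":" not in line:
            continue
        db, _, spec = line.partition(":")
        if db.strip() == "hosts":
            return _parse_spec(spec)
    return []


def check_resolution(nsswitch_text, realm):
    """Return a list of problems for a Samba realm such as 'ad.example.com'."""
    problems = []
    tld = realm.lower().rstrip(".").rsplit(".", 1)[-1]
    if tld in RESERVED_TLDS:
        problems.append(f"realm {realm!r} uses reserved top-level name .{tld}")

    entries = parse_hosts_line(nsswitch_text)
    services = [service for service, _ in entries]
    if "dns" not in services:
        problems.append("hosts line has no 'dns' service")
        return problems

    dns_pos = services.index("dns")
    for pos, (service, actions) in enumerate(entries):
        # mdns4_minimal only answers for .local (and link-local reverse zones),
        # so the short-circuit only bites when the realm itself is .local.
        if (pos < dns_pos and service.startswith("mdns")
                and actions.get("NOTFOUND") == "return" and tld == "local"):
            problems.append(f"{service} [NOTFOUND=return] precedes dns: "
                            ".local names never reach DNS")
    return problems


if __name__ == "__main__":
    for realm in ("ad.example.com", "samdom.local"):
        print(realm, "->", check_resolution(SAMPLE_NSSWITCH, realm) or "ok")
```

Run it against a copy of the real `/etc/nsswitch.conf` by reading the file into `check_resolution` instead of `SAMPLE_NSSWITCH`. Moving `dns` ahead of `mdns4_minimal` silences the ordering finding, but the reserved-name finding stays until the realm itself is changed, which is the point Louis makes above.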