[Samba] Samba + BIND9 DLZ. DNS doesn't resolve FQDN, only short hostname
L.P.H. van Belle
belle at bazuin.nl
Wed Feb 20 10:17:05 UTC 2019
Hai,
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Mgr.
> Peter Tuharsky via samba
> Verzonden: woensdag 20 februari 2019 10:28
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Samba + BIND9 DLZ. DNS doesn't resolve
> FQDN, only short hostname
>
> Well, the mystery is solved. It WAS Avahi, in a way...
This is said wrong. ...
> Even though it was disabled as a daemon,
> it still haunted the system by the means of nsswitch.conf
>
> In the 'hosts' line, the Debian default entry 'mdns4_minimal
> [NOTFOUND=return]' does exactly what we don't want - for
> .local domains
> it asks Avahi and if it doesn't know, it never asks the other
> services,
> such as dns etc.
And wrong is `the domain is .local`.
Why oh why is .local used? That is a reserved name for mDNS (Avahi). Yes.
So what happened here is TOTALLY CORRECT. Here the problem is you are using .local.
>
> I hope the documentation (Wiki) should be more vocal about that - that
> if the domain is .local, the 'dns' entry MUST precede 'mdns4_minimal'
> and 'mdns4' entries.
Possible, yes, but if correctly set up, not needed.
And a bit of ahead thinking, people... Future systems will mostly use systemd, whether we like it or not.
Then if systemd is used correctly and you use systemd-resolved, you get this.
A random new server I'm setting up, not a Samba server, but that's not the point; the point is resolving,
and what you see in this output.
sudo resolvectl ( the defaults )
Global
       LLMNR setting: yes
MulticastDNS setting: yes
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
Fallback DNS Servers: 8.8.8.8
                      8.8.4.4
                      2001:4860:4860::8888
                      2001:4860:4860::8844
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa
                      18.172.in-addr.arpa
                      19.172.in-addr.arpa
                      20.172.in-addr.arpa
                      21.172.in-addr.arpa
                      22.172.in-addr.arpa
                      23.172.in-addr.arpa
                      24.172.in-addr.arpa
                      25.172.in-addr.arpa
                      26.172.in-addr.arpa
                      27.172.in-addr.arpa
                      28.172.in-addr.arpa
                      29.172.in-addr.arpa
                      30.172.in-addr.arpa
                      31.172.in-addr.arpa
                      corp
                      d.f.ip6.arpa
                      home
                      internal
                      intranet
                      lan
                      local
                      private
                      test
So what you shouldn't be using for samba domains:
.corp
.home
.internal
.intranet
.lan
.local
.private
.test
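The nsswitch.conf ordering Peter ran into, the list of suffixes above, and the LLMNR/MulticastDNS defaults in the resolvectl output can all be checked from one small audit script. This is an added example, not code from the list posting or from the Samba project: the nsswitch.conf lines, the realm ad.example.local and the resolved.conf fragment are constructed sample input, and treating an unset LLMNR or MulticastDNS as "yes" is an assumption taken from the "( the defaults )" resolvectl output above.

```python
"""Audit three name-resolution pitfalls from the thread: nsswitch.conf
source ordering, reserved domain suffixes, and resolved LLMNR/mDNS.
Added example; not code from the mailing-list post or from Samba."""

# Suffixes the resolvectl output in the thread lists as DNSSEC negative
# trust anchors; .local is also the mDNS (Avahi) domain.
RESERVED_SUFFIXES = ("corp", "home", "internal", "intranet",
                     "lan", "local", "private", "test")

# Constructed sample inputs (not copied from any real host).
DEBIAN_DEFAULT_NSSWITCH = """\
# hosts line as shipped by Debian, quoted in the thread
passwd:  files systemd
hosts:   files mdns4_minimal [NOTFOUND=return] dns myhostname
"""
FIXED_NSSWITCH = """\
hosts:   files dns mdns4_minimal [NOTFOUND=return] myhostname
"""
HARDENED_RESOLVED_CONF = """\
[Resolve]
LLMNR=no
MulticastDNS=no
"""


def hosts_line_sources(nsswitch_text):
    """Parse the 'hosts:' line into [(source, action_or_None), ...].
    An action block such as [NOTFOUND=return] (or, with spaces,
    [ NOTFOUND=return ]) is attached to the source it follows."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("hosts:"):
            continue
        tokens = line[len("hosts:"):].split()
        sources, i = [], 0
        while i < len(tokens):
            tok = tokens[i]
            if tok.startswith("["):
                parts = [tok]
                while not parts[-1].endswith("]") and i + 1 < len(tokens):
                    i += 1
                    parts.append(tokens[i])
                if sources:
                    sources[-1] = (sources[-1][0], " ".join(parts))
            else:
                sources.append((tok, None))
            i += 1
        return sources
    return []


def check_nsswitch(nsswitch_text, domain):
    """For a .local realm, an mdns* source with [NOTFOUND=return] ahead of
    'dns' ends the lookup before DNS is asked, so only short names work."""
    d = domain.lower().rstrip(".")
    if not (d == "local" or d.endswith(".local")):
        return []  # mdns4_minimal only answers .local; other realms fall through
    sources = hosts_line_sources(nsswitch_text)
    names = [src for src, _ in sources]
    if "dns" not in names:
        return ["no 'dns' source on the hosts line at all"]
    dns_pos = names.index("dns")
    return [f"'{src} {action}' precedes 'dns' on the hosts line; "
            f"FQDN lookups in {domain} stop at mDNS"
            for pos, (src, action) in enumerate(sources)
            if pos < dns_pos and src.startswith("mdns") and action
            and "NOTFOUND=return" in action.replace(" ", "")]


def check_domain_suffix(domain):
    """Finding when the realm ends in a suffix the thread says not to use."""
    tld = domain.lower().rstrip(".").rsplit(".", 1)[-1]
    if tld in RESERVED_SUFFIXES:
        return (f"'{domain}' ends in .{tld}, which systemd-resolved treats "
                f"as a special-use / DNSSEC NTA name")
    return None


def resolved_settings(resolved_conf_text):
    """LLMNR and MulticastDNS from the [Resolve] section of resolved.conf.
    Unset keys fall back to 'yes' (assumption, matching the resolvectl
    output in the thread)."""
    settings = {"LLMNR": "yes", "MulticastDNS": "yes"}
    section = None
    for raw in resolved_conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]")
            continue
        key, sep, val = line.partition("=")
        if section == "Resolve" and sep and key.strip() in settings:
            settings[key.strip()] = val.strip().lower()
    return settings


def audit(nsswitch_text, domain, resolved_conf_text=""):
    """All three checks as one list of findings (empty means clean)."""
    findings = list(check_nsswitch(nsswitch_text, domain))
    suffix = check_domain_suffix(domain)
    if suffix:
        findings.append(suffix)
    for key, val in resolved_settings(resolved_conf_text).items():
        if val != "no":
            findings.append(f"systemd-resolved {key}={val}; a correct DNS "
                            f"setup should make this unnecessary")
    return findings


if __name__ == "__main__":
    for label, conf in (("Debian default", DEBIAN_DEFAULT_NSSWITCH),
                        ("dns before mdns", FIXED_NSSWITCH)):
        print(f"== {label}, realm ad.example.local ==")
        for finding in audit(conf, "ad.example.local", HARDENED_RESOLVED_CONF):
            print("  -", finding)
```

Run it as is to see the Debian default line flagged for a .local realm and the reordered line pass; point it at the real files with `audit(open("/etc/nsswitch.conf").read(), realm, open("/etc/systemd/resolved.conf").read())`. The suffix check is deliberately broader than the .local case in the thread and covers every name in the DNSSEC NTA list above.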
More ahead, about LLMNR:
https://en.wikipedia.org/wiki/Link-Local_Multicast_Name_Resolution
See also..
Network Basic Input/Output System (NetBIOS)
Peer Name Resolution Protocol (PNRP)
Multicast DNS (mDNS)
Zero-configuration networking (Zeroconf)
Now mix this and what do you get?
Samba + Avahi and the use of LLMNR to replace NetBIOS.
But is this what you want?
I don't think so.
Read: https://www.blackhillsinfosec.com/how-to-disable-llmnr-why-you-want-to/
https://www.crowe.com/cybersecurity-watch/netbios-llmnr-giving-away-credentials
https://attack.mitre.org/techniques/T1171/
So why again is it so important to have a perfect DNS setup?
So you don't have to use LLMNR or NetBIOS anymore.
But if you set it up correctly, Avahi and DNS can exist fine on a Samba network.
But again, this is my personal opinion; not recommended.
Greetz,
Louis