[Samba] BIND9/DNS lookups stopped working after upgrading our Comcast modem/gateway
Barry Ralphs
b.ralphs at tippingstructural.com
Sun Apr 12 01:08:26 UTC 2020
OK, here's our setup: we're running pfSense as our firewall/router. We have a dual WAN with a Comcast Business Gateway and another local ISP. We're running Samba 4.7.6 as the AD DC and BIND 9.9.4. Here's the issue: we just upgraded our Comcast service to a higher speed and they replaced the modem/gateway. Everything was working fine before the modem swap. Once they did that, we could no longer browse the internet from inside the LAN over the Comcast pipe. If I disable our Comcast pipe in pfSense, we can get to the internet over our other ISP.

I'm pretty sure the issue is with BIND, but I can't figure out why. Here is some output when I run nslookup and dig on the DC box. Both nslookup and dig work if I specify an external DNS server, but not when I let them use localhost/BIND.
[root@dc etc]# nslookup comcast.com
Server:         127.0.0.1
Address:        127.0.0.1#53

** server can't find comcast.com: NXDOMAIN

[root@dc etc]# nslookup comcast.com 8.8.8.8
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   comcast.com
Address: 69.252.80.75

[root@dc etc]# dig comcast.com

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> comcast.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3360
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;comcast.com.                   IN      A

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 11 17:08:25 PDT 2020
;; MSG SIZE  rcvd: 40

[root@dc etc]# dig @8.8.8.8 comcast.com

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> @8.8.8.8 comcast.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26449
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;comcast.com.                   IN      A

;; ANSWER SECTION:
comcast.com.            32      IN      A       69.252.80.75

;; Query time: 4 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Apr 11 17:08:43 PDT 2020
;; MSG SIZE  rcvd: 56
Also, if I disable our Comcast pipe in pfSense and do `nslookup comcast.com` or `dig comcast.com` over the other ISP, they return perfectly fine when using localhost/BIND.

Here is my named.conf file:
acl mynetworks {
    192.168.254.0/24;
    192.168.252.0/24;
    192.168.251.0/24;
    192.168.250.0/24;
};

options {
    listen-on port 53 { localnets; };
    listen-on-v6 { none; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { localhost; mynetworks; };
    recursion yes;

    dnssec-enable yes;
    dnssec-validation auto;
    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";

    # samba BIND9_DLZ
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
    channel my_log_file {
        file "/var/log/named/named.log" versions 3 size 3m;
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel my_syslog {
        syslog daemon;
        severity info;
        print-time no;
        print-severity no;
        print-category no;
    };
    category default { my_log_file; my_syslog; };
    category dnssec { my_log_file; };
    category lame-servers { null; };
};

// so we can control the running named process with the rndc utility
include "/etc/rndc.key";

zone "." IN {
    type hint;
    file "named.ca";
};

dlz "tipping.lan" {
    database "dlopen /usr/lib64/samba/bind9/dlz_bind9_9.so";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
If I connect a laptop directly to the Comcast modem, I can get to the internet just fine. Also, if I bypass the DC on a LAN workstation and use an external DNS server, I can access the internet over the Comcast pipe.

So why is DNS/BIND working on one pipe but not the other? Any help would be greatly appreciated.
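The post shows a validating BIND (dnssec-validation auto) answering SERVFAIL from 127.0.0.1 while 8.8.8.8 answers NOERROR for the same name, and only on one WAN. The first thing a practitioner separates in that situation is a DNSSEC validation failure (the resolver can fetch the records but refuses to trust them, which clears when the query is repeated with +cd, checking disabled) from a recursion failure (the resolver cannot reach the authoritative servers through that WAN at all, so +cd does not help). The helper below, added here as an example and not part of the original post or the Samba project, runs those probes with dig. It assumes dig is on PATH when probe() is run for real; the parsing and classification functions work on captured dig text, so they can be exercised offline. The sample header lines used in the comments are copied from the post's own output.

```shell
#!/bin/sh
# Added diagnostic helper for a SERVFAIL from a validating resolver.
# Not from the original post. Assumes `dig` is installed for probe();
# rcode_of/has_ad/classify only parse text and need no network.

# rcode_of: print the rcode (NOERROR, SERVFAIL, NXDOMAIN, ...) from dig
# output on stdin, e.g. ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3360"
rcode_of() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# has_ad: print yes if the AD (authenticated data) flag is set in the
# ";; flags:" line of dig output on stdin, otherwise no.
has_ad() {
    if grep -q '^;; flags:.* ad[ ;]'; then echo yes; else echo no; fi
}

# classify NORMAL_RCODE CD_RCODE UPSTREAM_RCODE
#   NORMAL_RCODE   rcode from the local resolver with validation on
#   CD_RCODE       rcode from the local resolver with +cd (validation off)
#   UPSTREAM_RCODE rcode from a public resolver reached over the same WAN
classify() {
    normal="$1"; cdrc="$2"; upstream="$3"
    if [ "$normal" = "NOERROR" ]; then
        echo "ok"
    elif [ "$normal" = "SERVFAIL" ] && [ "$cdrc" = "NOERROR" ]; then
        # Data is reachable; only validation fails. Look at the dnssec log
        # category, the trust anchor in managed-keys, and whether the path
        # strips RRSIGs or truncates EDNS responses.
        echo "dnssec-validation-failure"
    elif [ "$normal" = "SERVFAIL" ] && [ "$upstream" = "NOERROR" ]; then
        # Even with validation off the local resolver cannot resolve, but a
        # public resolver over the same link can: recursion to the root and
        # authoritative servers is being blocked or mangled on this WAN.
        echo "recursion-blocked"
    elif [ "$normal" = "SERVFAIL" ]; then
        echo "name-broken-upstream"
    else
        echo "other:$normal"
    fi
}

# probe NAME [LOCAL_RESOLVER] [PUBLIC_RESOLVER]
# Runs the three queries and prints the classification plus whether the
# validating answer carried the AD flag. Defaults are assumptions.
probe() {
    name="$1"; local_rs="${2:-127.0.0.1}"; public_rs="${3:-8.8.8.8}"
    out=$(dig @"$local_rs" "$name" A +time=3 +tries=1)
    n=$(printf '%s\n' "$out" | rcode_of)
    ad=$(printf '%s\n' "$out" | has_ad)
    c=$(dig @"$local_rs" "$name" A +cd +time=3 +tries=1 | rcode_of)
    u=$(dig @"$public_rs" "$name" A +time=3 +tries=1 | rcode_of)
    printf '%s local=%s cd=%s upstream=%s ad=%s\n' \
        "$(classify "$n" "$c" "$u")" "$n" "$c" "$u" "$ad"
}
```

Source the file on the DC and run `probe comcast.com` once per WAN (disable the other pipe in pfSense between runs, as the post already does). A result of `dnssec-validation-failure` points at the validation path and the `dnssec` log category in the posted named.conf; `recursion-blocked` points at the gateway or firewall on that WAN rather than at BIND's zone data.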