[Samba] BIND9/DNS lookups stopped working after upgrading our Comcast modem/gateway

Barry Ralphs b.ralphs at tippingstructural.com
Sun Apr 12 01:08:26 UTC 2020


OK, here's our setup: we're running pfSense as our firewall/router. We 
have a dual WAN with a Comcast Business Gateway and another local ISP. 
We're running Samba 4.7.6 as the AD DC and BIND 9.9.4. Here's the issue: 
we just upgraded our Comcast service to a higher speed and they replaced 
the modem/gateway. Everything was working fine before the modem swap. 
Once they did that, we could no longer browse the internet from inside 
the LAN over the Comcast pipe. If I disable our Comcast pipe in pfSense, 
we can get to the internet over our other ISP.
I'm pretty sure the issue is with BIND, but I can't figure out why. Here 
is some output from running nslookup and dig on the DC box. Both nslookup and 
dig work if I specify an external DNS server, but not when I let them use 
localhost/BIND.

     [root at dc etc]# nslookup comcast.com
     Server:         127.0.0.1
     Address:        127.0.0.1#53

     ** server can't find comcast.com: NXDOMAIN


     [root at dc etc]# nslookup comcast.com 8.8.8.8
     Server:         8.8.8.8
     Address:        8.8.8.8#53

     Non-authoritative answer:
     Name:   comcast.com
     Address: 69.252.80.75


     [root at dc etc]# dig comcast.com
     ; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> comcast.com
     ;; global options: +cmd
     ;; Got answer:
     ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3360
     ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

     ;; OPT PSEUDOSECTION:
     ; EDNS: version: 0, flags:; udp: 4096
     ;; QUESTION SECTION:
     ;comcast.com.                   IN      A

     ;; Query time: 1 msec
     ;; SERVER: 127.0.0.1#53(127.0.0.1)
     ;; WHEN: Sat Apr 11 17:08:25 PDT 2020
     ;; MSG SIZE  rcvd: 40


     [root at dc etc]# dig @8.8.8.8 comcast.com
     ; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> @8.8.8.8 comcast.com
     ; (1 server found)
     ;; global options: +cmd
     ;; Got answer:
     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26449
     ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

     ;; OPT PSEUDOSECTION:
     ; EDNS: version: 0, flags:; udp: 4096
     ;; QUESTION SECTION:
     ;comcast.com.                   IN      A

     ;; ANSWER SECTION:
     comcast.com.            32      IN      A       69.252.80.75

     ;; Query time: 4 msec
     ;; SERVER: 8.8.8.8#53(8.8.8.8)
     ;; WHEN: Sat Apr 11 17:08:43 PDT 2020
     ;; MSG SIZE  rcvd: 56

Also, if I disable our Comcast pipe in pfSense and do `nslookup 
comcast.com` or `dig comcast.com` over the other ISP, they return 
perfectly fine when using localhost/Bind.

Here is my named.conf file:

     acl mynetworks {
         192.168.254.0/24;
         192.168.252.0/24;
         192.168.251.0/24;
         192.168.250.0/24;
      };

     options {
         listen-on port 53 { localnets; };
         listen-on-v6 { none; };
         directory     "/var/named";
         dump-file     "/var/named/data/cache_dump.db";
         statistics-file "/var/named/data/named_stats.txt";
         memstatistics-file "/var/named/data/named_mem_stats.txt";
         allow-query     { localhost; mynetworks; };

         recursion yes;
         dnssec-enable yes;
         dnssec-validation auto;
         dnssec-lookaside auto;

         /* Path to ISC DLV key */
         bindkeys-file "/etc/named.iscdlv.key";

         managed-keys-directory "/var/named/dynamic";

         pid-file "/run/named/named.pid";
         session-keyfile "/run/named/session.key";

         # samba BIND9_DLZ
         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
     };

     logging {
         channel default_debug {
             file "data/named.run";
             severity dynamic;
         };
         channel my_log_file {
             file "/var/log/named/named.log" versions 3 size 3m;
             severity info;
             print-time yes;
             print-severity yes;
             print-category yes;
         };
         channel my_syslog {
             syslog daemon;
             severity info;
             print-time no;
             print-severity no;
             print-category no;
         };
         category default { my_log_file; my_syslog; };
         category dnssec  { my_log_file; };
         category lame-servers { null; };
     };


     // so we can control the running named process with the rndc utility
     include "/etc/rndc.key";

     zone "." IN {
         type hint;
         file "named.ca";
     };

     dlz  "tipping.lan" {
          database "dlopen /usr/lib64/samba/bind9/dlz_bind9_9.so";
     };

     include "/etc/named.rfc1912.zones";
     include "/etc/named.root.key";

If I connect a laptop directly to the Comcast modem, I can get to the 
internet just fine. Also, if I bypass the DC on a LAN workstation to use 
an external DNS server, I can access the internet over the Comcast pipe.

So why is DNS/Bind working on one pipe, but not the other? Any help 
would be greatly appreciated.
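
The triage a practitioner would run next, as an added example that is not part of the original post or of Samba/BIND. The symptom above is a SERVFAIL from the local validating resolver while an external resolver answers, so the script compares three dig runs: the plain query to local BIND, the same query with +cd (Checking Disabled, which makes BIND hand back the answer without DNSSEC validation), and the same query sent past local recursion to an external resolver. It then names the layer the pattern points at. The hostname, the default external resolver 8.8.8.8 and the +cd header line are assumptions for illustration; the other two sample headers are copied from the dig output in the post.

```shell
#!/bin/sh
# Added example (not from the original post): triage "SERVFAIL from
# 127.0.0.1, NOERROR from 8.8.8.8" by comparing three dig runs.
#   plain : dig NAME            -> recursive, DNSSEC-validated answer
#   cd    : dig +cd NAME        -> same, but validation skipped (CD bit set)
#   ext   : dig @EXTERNAL NAME  -> bypasses the local resolver entirely

# Pull the RCODE out of dig's header line, e.g. "status: SERVFAIL, id: 3360".
dig_rcode() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# classify PLAIN CD EXT -> one label for the most likely fault.
classify() {
    plain=$1; cdq=$2; ext=$3
    case "$plain/$cdq/$ext" in
        NOERROR/*)
            echo resolver-ok ;;
        SERVFAIL/NOERROR/*)
            # Answers arrive but fail validation: the path is stripping or
            # mangling RRSIG/DNSKEY/EDNS data, or the trust anchors are stale.
            echo dnssec-validation-failure ;;
        SERVFAIL/SERVFAIL/NOERROR)
            # Recursion itself fails on this WAN (root/TLD servers unreachable,
            # UDP/53 or large EDNS replies blocked) while an external resolver works.
            echo recursion-path-broken ;;
        NXDOMAIN/*/NXDOMAIN)
            echo name-does-not-exist ;;
        NXDOMAIN/*/NOERROR)
            # Local resolver says the name is gone, external says it exists:
            # suspect a stale negative cache entry or a bad forwarder.
            echo local-nxdomain-external-answers ;;
        */*/NOERROR)
            echo unclassified ;;
        *)
            echo external-resolver-also-fails ;;
    esac
}

# Live mode: run the three queries for real (needs network; not used offline).
live_triage() {
    name=$1; ext=${2:-8.8.8.8}          # 8.8.8.8 default is an assumption
    p=$(dig "$name" A)
    c=$(dig +cd "$name" A)
    e=$(dig @"$ext" "$name" A)
    classify "$(dig_rcode "$p")" "$(dig_rcode "$c")" "$(dig_rcode "$e")"
}

# Constructed sample: two header lines taken from the post, plus a
# hypothetical +cd run that succeeds (the case worth ruling in or out first).
SAMPLE_PLAIN=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3360'
SAMPLE_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242'
SAMPLE_EXT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26449'

offline_demo() {
    classify "$(dig_rcode "$SAMPLE_PLAIN")" \
             "$(dig_rcode "$SAMPLE_CD")" \
             "$(dig_rcode "$SAMPLE_EXT")"
}

# With a hostname on the command line run the live checks; otherwise
# classify the constructed sample.
if [ $# -gt 0 ]; then live_triage "$@"; else offline_demo; fi
```

If the +cd query returns NOERROR where the plain one returns SERVFAIL, the data is reaching BIND and the validator is rejecting it, which is the first thing to check when a path element such as a new gateway starts handling DNS differently; if both fail while the external resolver works, the problem is in recursion over that WAN rather than in DNSSEC. Either way, running the same script with the Comcast pipe disabled in pfSense gives the control case the post already describes.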