[Samba] BIND9/DNS lookups stopped working after upgrading our Comcast modem/gateway

Rowland penny rpenny at samba.org
Sun Apr 12 08:36:01 UTC 2020

On 12/04/2020 02:08, Barry Ralphs via samba wrote:
> OK here's our setup, we're running pfSense as our firewall/router. We 
> have a dual-WAN with a Comcast Business Gateway and another local ISP. 
> We're running Samba 4.7.6 as the AD DC & Bind 9.9.4. Here's the issue, 
> we just upgraded our Comcast service to a higher speed & they replaced 
> the modem/gateway. Everything was working fine, before the modem swap. 
> Once they did that we could no longer browse the internet from inside 
> the LAN over the Comcast pipe. If I disable our Comcast pipe in 
> pfSense we can get to the internet over our other ISP.
> I'm pretty sure the issue is with Bind, but can't figure out why.

Are you sure it worked before?

This is my take on your named.conf:

     // The IP addresses in this file did not survive the list archive;
     // the empty slots between the semicolons are where they stood.
     acl mynetworks {;;;; };

     options {
         directory     "/var/named";
         notify no;
         empty-zones-enable no;
         allow-query     { localhost; mynetworks; };
         allow-recursion {; mynetworks; };
         forwarders {;; };
         allow-transfer { none; };
         dnssec-validation no;
         dnssec-enable no;
         dnssec-lookaside no;
         listen-on-v6 { none; };
         listen-on port 53 { localnets; };
         dump-file     "/var/named/data/cache_dump.db";
         statistics-file "/var/named/data/named_stats.txt";
         memstatistics-file "/var/named/data/named_mem_stats.txt";
         managed-keys-directory "/var/named/dynamic";
         pid-file "/run/named/named.pid";
         session-keyfile "/run/named/session.key";

         # samba BIND9_DLZ
         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
     };

     logging {
         channel default_debug {
             file "data/named.run";
             severity dynamic;
         };
         channel my_log_file {
             file "/var/log/named/named.log" versions 3 size 3m;
             severity info;
             print-time yes;
             print-severity yes;
             print-category yes;
         };
         channel my_syslog {
             syslog daemon;
             severity info;
             print-time no;
             print-severity no;
             print-category no;
         };
         category default { my_log_file; my_syslog; };
         category dnssec  { my_log_file; };
         category lame-servers { null; };
     };

     zone "." IN {
         type hint;
         file "named.ca";
     };

     include "/var/lib/samba/private/named.conf";
     include "/etc/named.rfc1912.zones";

You will notice that I have removed, altered and added lines; the above 
is what I would expect on a Samba AD DC. If the first nameserver in 
/etc/resolv.conf is pointing to, then change it to the DC's 

You might also notice that I have added this:

forwarders {;; };

Your AD clients should use the DC as their nameserver. The DC is 
authoritative for the AD domain and should return all dns records for 
the AD domain. Anything outside the AD domain will be forwarded to the 
'forwarders' (Google in this case) who will return the internet info to 
the DC, which will then pass this to the client. You don't have this 
line, so the DC doesn't know where to ask for internet data, you might 
have a forwarder line in smb.conf, but this will be ignored when using 

So to recap, it should be:

   Client --> DC --> return AD domain data
                   |---> anything outside the AD domain --> ask forwarder

