[Samba] BIND9/DNS lookups stopped working after upgrading our Comcast modem/gateway
Barry Ralphs
b.ralphs at tippingstructural.com
Sun Apr 12 20:06:55 UTC 2020
> Are you sure it worked before?
>
> This is my take on your named.conf:
>
> acl mynetworks {
> 192.168.254.0/24;
> 192.168.252.0/24;
> 192.168.251.0/24;
> 192.168.250.0/24;
> };
>
> options {
> directory "/var/named";
> notify no;
> empty-zones-enable no;
> allow-query { localhost; mynetworks; };
> allow-recursion { 127.0.0.1/32; mynetworks; };
> forwarders { 8.8.8.8; 8.8.4.4; };
> allow-transfer { none; };
> dnssec-validation no;
> dnssec-enable no;
> dnssec-lookaside no;
> listen-on-v6 { none; };
> listen-on port 53 { localnets; };
> dump-file "/var/named/data/cache_dump.db";
> statistics-file "/var/named/data/named_stats.txt";
> memstatistics-file "/var/named/data/named_mem_stats.txt";
> managed-keys-directory "/var/named/dynamic";
> pid-file "/run/named/named.pid";
> session-keyfile "/run/named/session.key";
>
> # samba BIND9_DLZ
> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> };
>
> logging {
> channel default_debug {
> file "data/named.run";
> severity dynamic;
> };
> channel my_log_file {
> file "/var/log/named/named.log" versions 3 size 3m;
> severity info;
> print-time yes;
> print-severity yes;
> print-category yes;
> };
> channel my_syslog {
> syslog daemon;
> severity info;
> print-time no;
> print-severity no;
> print-category no;
> };
> category default { my_log_file; my_syslog; };
> category dnssec { my_log_file; };
> category lame-servers { null; };
> };
>
>
> zone "." IN {
> type hint;
> file "named.ca";
> };
>
> include "/var/lib/samba/private/named.conf";
> include "/etc/named.rfc1912.zones";
>
> You will notice that I have removed, altered and added lines; the
> above is what I would expect on a Samba AD DC. If the first nameserver
> in /etc/resolv.conf is pointing to 127.0.0.1, then change it to the
> DC's IP address.
>
> You might also notice that I have added this:
>
> forwarders { 8.8.8.8; 8.8.4.4; };
>
> Your AD clients should use the DC as their nameserver. The DC is
> authoritative for the AD domain and should return all dns records for
> the AD domain. Anything outside the AD domain will be forwarded to the
> 'forwarders' (Google in this case) who will return the internet info
> to the DC, which will then pass this to the client. You don't have
> this line, so the DC doesn't know where to ask for internet data, you
> might have a forwarder line in smb.conf, but this will be ignored when
> using bind9.
>
> So to recap, it should be:
>
> Client --> DC --> return AD domain data
> |---> anything outside the AD domain --> ask forwarder
>
> Rowland
>
Thanks for the reply Rowland.
Yes, I'm sure it was working before & now I've figured out what the real
issue was.
When we upgraded our Comcast service, it came with their new SecurityEdge
service.
A cloud based web filter that's supposed to block malware, phishing, etc..
https://business.comcast.com/learn/internet/security-edge
However, it seems it's also blocking BIND from receiving the DNS replies
from the root servers.
To fix it I put BIND in forwarding mode to 1.1.1.1 & 8.8.8.8 (like
your recommendation) & commented out the root server lookups.
#zone "." IN {
# type hint;
# file "named.ca";
#};
And everything started working again.
Hopefully I can get Comcast to unblock the root servers or remove the
SecurityEdge service & then I can set BIND back to use the root servers...
Here are some other posts from people having similar issues, which led me
to this solution.
https://forums.businesshelp.comcast.com/t5/Domain-Names-Static-IP/transparent-dns-proxying-started-after-a-modem-swap/m-p/39845
https://www.reddit.com/r/msp/comments/dikvta/comcast_securityedge/
Do your config changes still apply in forwarding-only mode, or are there
other changes I should make to the config?
My resolv.conf file is:
# Generated by NetworkManager
search tipping.lan
nameserver 127.0.0.1
Still change it to my DC IP?
I think if I change my /etc/sysconfig/network-scripts/ifcfg-eth0
IPADDR=192.168.254.37
DNS1=127.0.0.1
to
IPADDR=192.168.254.37
DNS1=192.168.254.37
It will update the resolv.conf
Thanks,
Barry
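A quick way to confirm what Barry describes (replies from the root servers being intercepted or dropped while a public forwarder still works) is to query a root server directly with the recursion-desired bit cleared and look at the header flags of whatever answers. The following is an added diagnostic, not code from this thread or from Samba/BIND; it uses 198.41.0.4 (a.root-servers.net) and the 8.8.8.8 forwarder mentioned above, and it relies on a heuristic that is an assumption, not a guarantee: a genuine root server answers "NS ." authoritatively (AA=1) and does not offer recursion (RA=0), whereas a transparent proxy that intercepts port 53 is a recursive resolver and answers with RA=1, and a silent drop shows up as a timeout. One caveat worth knowing for the fix in this thread: BIND's `forwarders` option defaults to `forward first`, so if the forwarders ever stop answering, named falls back to iterative resolution, which cannot work once the root hints zone is commented out; adding `forward only;` to `options` makes that failure explicit instead of silent.

```python
import socket
import struct
from typing import Optional

# Added diagnostic, not from the thread. Addresses: a.root-servers.net and
# the Google forwarder discussed above.
ROOT_SERVER = "198.41.0.4"
FORWARDER = "8.8.8.8"
QTYPE_NS = 2


def build_query(qname: str, qtype: int = QTYPE_NS, rd: bool = False,
                txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query; rd=False clears the recursion-desired bit."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b""
    for label in qname.rstrip(".").split("."):
        if label:  # the root name "." has no labels, only the terminating 0
            labels += bytes([len(label)]) + label.encode("ascii")
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    return header + question


def parse_flags(response: bytes) -> dict:
    """Decode the 12-byte DNS header into the flags we care about."""
    if len(response) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = this is a response
        "aa": bool(flags & 0x0400),   # authoritative answer
        "rd": bool(flags & 0x0100),   # recursion desired (echoed from query)
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,
        "ancount": an,
        "nscount": ns,
    }


def classify(response: Optional[bytes], expect_authoritative: bool) -> str:
    """Heuristic (assumption, see lead-in): who actually answered our query?"""
    if response is None:
        return "blocked"          # no reply at all: port 53 traffic is dropped
    f = parse_flags(response)
    if not f["qr"]:
        return "garbage"          # not a DNS response
    if expect_authoritative:
        if f["aa"] and not f["ra"]:
            return "authoritative"  # consistent with a real root server
        if f["ra"]:
            return "proxied"        # a recursive resolver answered instead
        return "unexpected"
    # Talking to a forwarder: we want a recursive resolver on the other end.
    return "recursive" if f["ra"] else "not-recursive"


def probe(server: str, qname: str, rd: bool, timeout: float = 3.0) -> Optional[bytes]:
    """Send one UDP query and return the raw reply, or None on timeout."""
    query = build_query(qname, rd=rd)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return data


if __name__ == "__main__":
    # Root server: non-recursive "NS ." should come back authoritative.
    print("root  :", classify(probe(ROOT_SERVER, ".", rd=False), True))
    # Forwarder: recursive query for an outside name should show RA=1.
    print("fwd   :", classify(probe(FORWARDER, "example.com", rd=True), False))
```

Run it from the DC itself (the host whose named is failing); "proxied" or "blocked" on the root line together with "recursive" on the forwarder line is the pattern the SecurityEdge reports describe. Because the flags can be forged by a sufficiently clever interceptor, treat the result as evidence, not proof.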