[Samba] BIND9/DNS lookups stopped working after upgrading our Comcast modem/gateway

Rowland penny rpenny at samba.org
Sun Apr 12 20:45:40 UTC 2020

On 12/04/2020 21:06, Barry Ralphs via samba wrote:
> Thanks for the reply Rowland.
> Yes, I'm sure it was working before & now I've figured out what the 
> real issue was.
If you didn't have the forwarders in named.conf, then it wasn't.
> When we upgraded our Comcast service, it came with their new 
> SecurityEdge service.
> A cloud-based web filter that's supposed to block malware, phishing, 
> etc.
> https://business.comcast.com/learn/internet/security-edge
> However, it seems it's also blocking BIND from receiving the DNS 
> replies from the root servers.
Then they need to fix it, otherwise it is useless.
> To fix it I put BIND in forwarding mode to & (like 
> your recommendation) & commented out the root server lookups.
> #zone "." IN {
> #   type hint;
> #   file "named.ca";
> #};
> And everything started working again.
> Hopefully I can get Comcast to unblock the root servers or remove the 
> SecurityEdge service & then I can set BIND back to use the root 
> servers...
Your DC needs to ask another dns server (one outside the AD dns domain) 
for anything it doesn't know. If you look very carefully, you will find 
that the root servers are actually stored in AD, but they are never used.
> Here are some other posts from people having similar issues, which led 
> me to this solution.
> https://forums.businesshelp.comcast.com/t5/Domain-Names-Static-IP/transparent-dns-proxying-started-after-a-modem-swap/m-p/39845 
> https://www.reddit.com/r/msp/comments/dikvta/comcast_securityedge/
> Do your config changes still apply in forwarding only mode, or are 
> there other changes I should make to the config?
The config I posted is based on my working Debian ones and these have 
worked correctly for nearly 8 years.
> My resolv.conf file is:
> # Generated by NetworkManager
> search tipping.lan
> nameserver
> Still change it to my DC IP?
Yes, most definitely
> I think if I change my /etc/sysconfig/network-scripts/ifcfg-eth0
> DNS1=
> to
> DNS1=
> It will update the resolv.conf
Yes, I think that will work, but as I only use red-hat distros when I am 
testing something, I am not 100% sure ;-)
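The thread boils down to three named.conf settings on a Samba DC: a forwarders list in options{}, "forward only;" so BIND never falls back to the root servers, and no active root hint zone ".". The script below is an added example, not Rowland's posted config or anything from the Samba project; it parses a named.conf-style text, strips the three comment styles BIND accepts (#, //, /* */), and reports whether those three conditions hold. Both embedded configs are constructed samples and the forwarder addresses are RFC 5737 documentation addresses, not real resolvers; the comment stripping is deliberately simple and does not account for comment characters inside quoted strings.

```python
"""Check a named.conf for the forward-only setup discussed in the thread.

Added example, not the Samba project's or the poster's configuration. It reads
named.conf text, removes comments the way BIND's lexer would, and reports:
  * whether options{} lists at least one forwarder,
  * whether 'forward only;' is set, and
  * whether an uncommented root hint zone "." is still active.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: a DC's named.conf after the fix described in the thread.
# Root hint zone commented out with '#', forwarders added, forward only set.
# 192.0.2.x are documentation addresses standing in for the ISP's resolvers.
SAMPLE_NAMED_CONF = """\
options {
    directory "/var/named";
    forwarders { 192.0.2.53; 192.0.2.54; };   # ISP resolvers (placeholder)
    forward only;
    allow-query { any; };
};

#zone "." IN {
#   type hint;
#   file "named.ca";
#};

/* an older attempt, also disabled:
zone "." { type hint; file "named.ca"; }; */
"""

# Constructed sample: the 'before' state, root hints active and no forwarders.
SAMPLE_ROOT_HINTS_ONLY = """\
options { directory "/var/named"; };
zone "." IN { type hint; file "named.ca"; };
"""


def strip_comments(text: str) -> str:
    """Drop /* */, // and # comments (quoted strings are not special-cased)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"//[^\n]*", "", text)
    text = re.sub(r"#[^\n]*", "", text)
    return text


def find_block(text: str, header_re: str) -> Optional[str]:
    """Return the brace-balanced body of the first '<header> { ... }' block."""
    m = re.search(header_re + r"\s*\{", text)
    if not m:
        return None
    start = m.end() - 1          # index of the opening brace
    depth = 0
    for j in range(start, len(text)):
        if text[j] == "{":
            depth += 1
        elif text[j] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:j]
    return None                  # unbalanced braces: treat as absent


def check_forwarding(conf: str) -> Dict[str, object]:
    """Evaluate the three conditions on a named.conf text."""
    clean = strip_comments(conf)
    opts = find_block(clean, r"\boptions") or ""
    fwd_body = find_block(opts, r"\bforwarders") or ""
    # each entry is '<address> [port N];' -> keep the address token only
    fwds: List[str] = [e.split()[0] for e in fwd_body.split(";") if e.strip()]
    forward_only = re.search(r"\bforward\s+only\s*;", opts) is not None
    # any zone "." left after comment stripping is a live root hint zone
    root_hint = re.search(r'\bzone\s+"\."', clean) is not None
    return {
        "forwarders": fwds,
        "forward_only": forward_only,
        "active_root_hint_zone": root_hint,
        "ok": bool(fwds) and forward_only and not root_hint,
    }


if __name__ == "__main__":
    for name, conf in (("after-fix", SAMPLE_NAMED_CONF),
                       ("root-hints-only", SAMPLE_ROOT_HINTS_ONLY)):
        print(name, check_forwarding(conf))
```

Run it against the real file with something like `check_forwarding(open("/etc/named.conf").read())`; a result with `"ok": False` points at whichever of the three settings is missing, which is the same diagnosis Rowland gives above when forwarders are absent from named.conf.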