[Samba] Samba DNS fails when queried with nslookup commands

L.P.H. van Belle belle at bazuin.nl
Thu Aug 13 08:29:32 UTC 2020

Hi Rowland, 

That's not the point here, if this is an AD-DC or not.. ;-) 
I'll explain. 

This is about how DNS requests are done on the system and accepted by the "DNS service".
You can install unlimited DNS servers on the AD-DC and chain them, but wise..
No, of course not. :-) Turning off systemd-resolved is probably a good idea, yes, it is. 
But it does no harm if it's on, as long as the DNS settings are done correctly. 

Below is a path to follow to find and know where to look to fix resolving problems. 
Keep these 2 (*3) in mind. 
A "client : dns request" think in CLI commands. 
A "client : dns service" think in a PC => IP:53 DNS requests.
(*Also not included here: IPv6. And IPv6 is preferred over IPv4 if both are set/used.)

His resolv.conf or the assigned DNS server in the network setting is simply wrong. 
*(There is/was a known bug related to DNS in /etc/netplan/01-netcfg.yaml, for example,
* which is addressed in the manual I have online.)
Biggest chance this is the problem. No DNS is set in the netconf.yaml. 
If netplan is used (default on ubuntu) 
editor /etc/netplan/01-netcfg.yaml 
netplan --debug generate
And check again. 

Even if systemd-resolved is running it only runs on and with setting : 
No other DNS server is running on that address and port. 
If above (1) is correct, then this points to errors in /etc/resolv.conf 
Most probably the first DNS nameserver in resolv.conf is set to 
* Do note, you might have a symlinked resolv.conf, which is fine, but the setup must be done correctly. 
Think in: which program is filling the symlinked resolv.conf? Then that's where it needs fixing. 

Third (most important): 
This is how a client's and a server's DNS requests are done. 
For example, ON the AD-DC, running host/nslookup etc. on the CLI is a "client" DNS request. 
This uses /etc/resolv.conf and the path it should follow.

If a PC contacts the DC-DNS, it just connects to the server DNS at IP:53. 
No resolv.conf is involved here, it's just querying the DNS itself. A "client (PC)" to "DNS service (ip:port)" request. 
This points to (if systemd networking is used) its network config files. 
It also 'might' hit an incorrect resolv.conf here. 

Can you use systemd-resolved on an AD-DC? Yes, you can. Wise? That's another question.
Why "would" we use it. If you do lots of scripting and resolving from CLI, then it can be used.
But chaining the DNS resolving must be perfectly set. 

nslookup hostname  # if it fails, check the DNS server IPs and search/domain in resolv.conf
nslookup hostname.fqdn  # if it fails, check the DNS server IPs in resolv.conf 
	(or where these are set, like 01-netcfg.yaml or systemd-networkd folder/files )
nslookup hostname.fqdn hostname.fqdn 
  # if it fails: firewall, if DNS is queried externally. Fix the firewall.
  # if it fails: DNS is queried internally. (AD-DNS) not running, fix the internal DNS, or wrong IP. 
Verify /etc/hosts and DNS A/PTR records. 
Verify if any DNS is running and on this ip/port. 

A) nslookup hostname.fqdn ip-AD-DNS 
B) nslookup hostname.fqdn ip-any-internet DNS (test and 
a) fails, DNS not running on AD-DC. 
b) fails, a firewall is blocking your requests. 

I hope this also helps others in how to find/detect where the error is made. 
Of course there are more ways to test, the above is a guidance.. 



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Rowland penny via samba
> Sent: Thursday 13 August 2020 9:35
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba DNS fails when queried with 
> nslookup commands
> On 13/08/2020 08:19, L.P.H. van Belle via samba wrote:
> > Hi,
> >
> > Only the forwarder is running in this systemd setup.
> > This : does NOT conflict with normal resolv.conf setting
> > Because samba or any dns server does not run on
> > Don't make the mistake to see this for :
> Problem with that is (and it is what myself and Louis fall out over), 
> this is a DC and, in my opinion, there shouldn't be anything between the 
> client and DC. Turning off systemd-resolved is probably a good idea, but 
> Louis is correct, Samba apparently isn't listening on IPv4_address:53
> Might be an idea to see the smb.conf and resolv.conf from the DC.
> Rowland
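
The "client" path checks from the message above (which nameserver a CLI lookup on the DC tries first, and whether a search/domain line exists), written as shell functions. This is an added example, not part of the original thread; the function names are made up here, and 127.0.0.53 is systemd-resolved's default stub listener address.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# first_nameserver FILE: print the first "nameserver" entry, which the
# resolver library tries first. Commented-out entries are skipped.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# has_search FILE: succeed if a search/domain line exists. Without one,
# "nslookup hostname" (short name) has no suffix to append.
has_search() {
    awk '$1 == "search" || $1 == "domain" { found = 1 } END { exit !found }' "$1"
}

# classify_client_path FILE DC_IP: where does a CLI lookup on this host go first?
classify_client_path() {
    ns=$(first_nameserver "$1")
    case "$ns" in
        "")         echo "no-nameserver" ;;
        127.0.0.53) echo "stub-resolver" ;;  # systemd-resolved stub, not the AD DNS
        "$2")       echo "ad-dns" ;;         # client path goes straight to the DC
        *)          echo "other:$ns" ;;      # some other server answers first
    esac
}

# report FILE DC_IP: summary, plus the direct IP:53 query to compare against.
report() {
    # The symlink target shows which program is filling resolv.conf.
    echo "resolv.conf resolves to: $(readlink -f "$1")"
    echo "client path: $(classify_client_path "$1" "$2")"
    has_search "$1" || echo "no search/domain line: short hostnames will not resolve"
    echo "compare with a direct query: nslookup HOSTNAME.FQDN $2"
}

# Usage: sh check-resolv.sh /etc/resolv.conf <ip-of-AD-DNS>
if [ "$#" -eq 2 ]; then
    report "$1" "$2"
fi
```

If the client path reports `stub-resolver` or `other:` while the direct query to the DC's IP works, the fault is in whatever fills resolv.conf, not in the AD DNS service.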