[Samba] help again with dns and samba 4 ad

Rowland penny rpenny at samba.org
Wed Sep 2 15:44:28 UTC 2020

On 02/09/2020 16:35, Nick Howitt via samba wrote:
> On 02/09/2020 16:28, Rowland penny via samba wrote:
>> On 02/09/2020 16:15, jmpatagonia via samba wrote:
>>> That mean for example if my domain resolve
>>>                  xxxxx.testing.mydomain.com
>>> the dnsmasq should NOT resolv  xxxxxx.mydomain.com this is in 
>>> ascending way
>>> ?
>>> Another way to expose:
>>> We set dnsmasq+dhcp to set clients that the only DNS server is samba 
>>> DC on
>>> the domain name mysubdomain.mydomain.com
>>> DC for example resolv  server1.mysubdomain.mydomain.com right, now if a
>>> client as for a ddddd.mydomain.com DC response or ask to dnamasq fot 
>>> that
>>> or produce a horrible loop that you mentioned?
>>> Regards
>> OK, if your dnsmasq server is in the 'mydomain.com' dns domain, and 
>> your DC was in the 'ad.mydomain.com', this would be okay. This would 
>> your allow your domain clients (winpc.ad.mydomain.com, for instance) 
>> to ask the DC for the dns data for 'another-winpc.ad.mydomain.com' 
>> and the DC would reply with the data. However, if 'winpc' asked for 
>> the data for 'yetanother-winpc.mydomain.com', then the DC should 
>> realise 'I do not know this' and ask the dnsmasq server.
>> Rowland
> In your case the lookup for yetanother-winpc.mydomain.com shouldn't 
> even hit the DC as dnsmasq will handle it directly as all lookups go 
> via it. The problem comes if the DC ever needs dnsmasq to return any 
> lookups. This will risk a loop as in the other part of the thread.
Samba AD DCs are all authoritative for the DNS domain and as such, they 
should be the first port of call in any domain dns searches. It should 
be the DC that decides whether to forward unknown dns searches, not the 
other way around.


More information about the samba mailing list