[Samba] Prevent Samba's internal DNS server from asking upstream DNS server about non-existent AD domain names

sebastian486 at buerotiger.de
Wed Feb 17 04:34:57 UTC 2021


I'd like to make Samba's internal DNS server authoritative for my AD domain, e.g. "ad.sebastian.intranet".
It shall not query the configured upstream forward DNS server for names below its AD domain.
If Samba's internal DNS server doesn't know a subdomain of the AD domain name, it simply does not exist.

Is that possible?
I haven't found an smb.conf configuration option for that.
Maybe remotely through the Windows DNS management console plugin?

My setup looks like this:

I have a central firewall router that routes (and filters packets) between the internet and my LAN.
I run dnsmasq on this machine.
I've configured dnsmasq to forward queries about *.ad.sebastian.intranet to my Samba4 AD domain controller.

On the other hand, the Samba4 domain controller uses this firewall router as the upstream DNS server for external domain names, e.g. samba.org.

Only the domain member machines use the Samba domain controller as their DNS server.

Can I avoid a query loop if I ask the firewall DNS server for a non-existent AD subdomain?

sebastian at xy.sebastian.intranet:~$ nslookup doesnotexist.ad.sebastian.intranet
-> asks firewall.sebastian.intranet
-> which asks sambadc1.ad.sebastian.intranet
-> Samba's DNS server doesn't know subdomain "doesnotexist"
-> asks upstream forward DNS server firewall.sebastian.intranet

I'm running the current Debian 10 / buster packages of samba on amd64:
https://packages.debian.org/buster/samba   (2:4.9.5+dfsg-5+deb10u1)

Thank you for your hints!

Best wishes,

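The forwarding chain sketched above, as an added toy model that is not part of the original post and not Samba or dnsmasq code: two resolvers wired the way the question describes (the firewall forwards the AD zone to the DC, the DC forwards everything it does not know to the firewall). Hostnames, the zone contents and the address 192.0.2.10 are constructed; the `authoritative` switch models the behaviour the poster is asking for, where an unknown name below the AD zone is answered NXDOMAIN instead of being forwarded.

```python
AD_ZONE = "ad.sebastian.intranet"  # zone name taken from the question


class Resolver:
    """Minimal forwarding resolver: answers from its own records, else
    forwards to a per-zone forwarder or to its default upstream."""

    def __init__(self, name, records, upstream, authoritative_zones=()):
        self.name = name
        self.records = records                  # qname -> answer
        self.zone_forwarders = {}               # zone suffix -> Resolver
        self.upstream = upstream                # default forwarder or None
        self.authoritative_zones = authoritative_zones

    def _in_zone(self, qname, zone):
        return qname == zone or qname.endswith("." + zone)

    def resolve(self, qname, path=None, max_hops=8):
        path = (path or []) + [self.name]
        if len(path) > max_hops:                # the two servers keep bouncing
            return "LOOP", path
        if qname in self.records:
            return self.records[qname], path
        for zone, fwd in self.zone_forwarders.items():
            if self._in_zone(qname, zone):
                return fwd.resolve(qname, path, max_hops)
        # Authoritative for the zone: an unknown name below it does not exist.
        for zone in self.authoritative_zones:
            if self._in_zone(qname, zone):
                return "NXDOMAIN", path
        if self.upstream is None:
            return "NXDOMAIN", path
        return self.upstream.resolve(qname, path, max_hops)


def build(dc_authoritative):
    """Wire the firewall (dnsmasq role) and the DC as in the question."""
    firewall = Resolver("firewall", {}, None)   # internet upstream omitted
    dc = Resolver("sambadc1", {f"sambadc1.{AD_ZONE}": "192.0.2.10"},
                  firewall, (AD_ZONE,) if dc_authoritative else ())
    firewall.zone_forwarders[AD_ZONE] = dc
    return firewall


def lookup(qname, dc_authoritative):
    """Resolve from a domain member's point of view via the firewall."""
    return build(dc_authoritative).resolve(qname)


if __name__ == "__main__":
    for mode in (False, True):
        print(mode, lookup(f"doesnotexist.{AD_ZONE}", mode))
```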