[Samba] Bogus dnsRecord attribute with Rank==0
Jonathon Reinhart
jonathon.reinhart at gmail.com
Fri Jan 22 14:40:24 UTC 2021
Hello,
I'm running an AD Domain using Samba 4.9.5 on Debian 10. I recently encountered
an issue where a DNS record started acting funny. I'll call the record
`sw1.example.com`.
We're not sure of the exact sequence, but it involved changing a CNAME and
ended like this:
- Admin 1 deleted the DNS record using Windows RSAT DNS Manager.
- Admin 2 recreated a DNS record (with that name), but it would not resolve. He
was surprised to see that Admin 1 was the owner on the new record (in DNS
Manager).
- Admin 2 deleted the record again.
I started investigating and confirmed that the record was not present in DNS
Manager.
When I queried the whole zone, I would see sw1 with 0 Records:
dc1:~$ samba-tool dns query dc1 example.com '@' ALL | grep sw1
Name=sw1, Records=0, Children=0
Oddly, when I query for `sw1`, it shows up with weird results:
dc1:~$ samba-tool dns query dc1 example.com 'sw1' ALL
Name=, Records=0, Children=0
Why is `Name=` empty?! And if there are no Records and no Children then it
shouldn't exist at all, right?
So then I dug into the DNS LDAP objects using ADSI Edit
(DC=DomainDnsZones,DC=example,DC=com). I was surprised to see an object:
DC=sw1,DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com
It had one dnsRecord [1] attribute with the following (modified/redacted) data:
2A 00 05 00 05 00 00 00 BD 00 00 00 00 00 0E 10 00 00 00 00 00 00 00 00 ...
Decoding this manually, I found:
dnsRecord:
DataLength: 42
Type: 5 (DNS_TYPE_CNAME)
Version: 5
Rank: 0 (No RANK_* flags set!)
Flags: 0
Serial: 189
TtlSeconds: 3600
Reserved: 0
TimeStamp: 0
Data: ...
Note that Rank is 0, which means none of the RANK_* flags are set!
In other funtional records, I see Rank=0xF0 (RANK_ZONE, which means "The record
comes from an authoritative zone.")
So this "stale" dnsRecord attribute with Rank=0:
- Somehow prevents the "good" dnsRecord from working
- Does not appear in any DNS "views" (a DNS query, samba-tool, or DNS Manager)
- Keeps the owning LDAP `dnsNode` object alive/around
- Which is why Admin 1 continually showed up as the owner, even though
Admin 2 thought he re-created the record
To fix this, I:
- Deleted the `sw1` A record in DNS Manager
- Renamed the `sw1` dnsNode object in ADSI Edit to `xxx-broken-sw1`
- Confirmed that `samba-tool dns query` gave the expected non-results.
- Created the record as usual.
So of course, the big question is: "How the hell did Rank get set to 0x00 on
this dnsRecord?"
I can't find anywhere in the samba source code that would ever set Rank=0.
But there is plenty of code (e.g. `dns_fill_records_array`) that explicitly
checks for DNS_RANK_ZONE.
I have to assume that the Windows "DNS Manager" RSAT tool did this (via LDAP),
but I have no idea why, nor can I recreate this.
I still have the xxx-broken-sw1 record for forensic purposes, although I'd
like to delete it soon.
Has anyone ever seen anything like this?
Best regards,
Jonathon Reinhart
[1]: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dnsp/6912b338-5472-4f59-b912-0edb536b6ed8
More information about the samba
mailing list