[Samba] AD DC generating a lot of dns requests

Rowland penny rpenny at samba.org
Tue May 25 20:42:02 UTC 2021

On 25/05/2021 21:13, hummbla via samba wrote:
> I have set up an AD DC server on Debian (4.19.0-16-amd64 #1 SMP Debian
> 4.19.181-1 (2021-03-19) x86_64 GNU/Linux); joining the domain using Windows
> 10 is possible and GPOs get pushed accordingly.
> As I utilize the Internal_DNS I had the opportunity to look at the DNS
> requests which get forwarded to my pihole.
> As pihole gives a nice graphical representation of the requests it receives,
> I noticed that per currently online domain PC, my requests go up by
> 1000/hour.
> The source of these requests is the domain controller trying to look up any
> given client (A lookup).
> # What I tried already
> - I have tried to use a public DNS server (such as Google's); this
> did not solve the issue, the requests still get made but Google does
> (of course) not know what I'm asking it :P
> - Adding an A record to the hosts file of the domain controller containing
> all PCs currently in the domain did not have any effect
> # Environment
> Samba version: 2:4.9.5+dfsg-5+deb10u1
> Operating system:  4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19)
> x86_64 GNU/Linux
> Virtual machine settings (If these even matter): 1 CPU, 4 GB RAM, 32 GB
> Storage
> Maybe something obvious is wrong with my configuration; the following is my
> smb.conf (I have changed the names, of course :)):
> ```
> # Global parameters
> [global]
>          dns forwarder =

I take it that is the IP address of the pihole

>          netbios name = dc001
>          realm = example.net
>          server role = active directory domain controller
>          workgroup = example.net

You cannot have a workgroup name with a dot in it. You seem to have used 
the DNS domain for everything; I even bet your pihole uses the same DNS 
domain. You should have used a subdomain of 'example.net' for the AD 
domain instead, e.g. samba.example.net, and then used the left-hand part of 
that, 'samba', for the workgroup name.

>          tls enabled = yes

Did you add that 'tls' line? If so, you need not have bothered; it is 
the default.

> Every time I restart the server/the samba-ad-dc process the following lines
> get appended to the log.samba:
> ```
> [2021/05/25 21:49:46.758439,  0]
> ../source4/smbd/server.c:773(binary_smbd_main)
>    binary_smbd_main: samba: using 'standard' process model
> ```
> At the same time these two logs are added to the log.winbindd
> ```
> [2021/05/25 21:49:47.206929,  0]
> ../source3/winbindd/winbindd_cache.c:3160(initialize_winbindd_cache)
>    initialize_winbindd_cache: clearing cache and re-creating with version
> number 2
> [2021/05/25 21:49:47.217379,  0]
> ../lib/util/become_daemon.c:138(daemon_ready)
>    daemon_ready: STATUS=daemon 'winbindd' finished starting up and ready to
> serve connections

That happens for everyone running a Samba AD DC

> ```
> The syslog does not have any relevant information (nothing failing or
> complaining).
> These DNS requests are slowly (as I add more PCs to the domain) going to
> DDoS the pihole server (or at least pollute its query logs). Is this
> expected behavior? If so, can the request interval be reduced?

Your problems are being caused by not really understanding how AD DNS 
should work. All Samba AD DCs are authoritative for the AD DNS domain; 
this means that they take precedence over your pihole. Your clients 
should use the AD DC as their nameserver and forward anything outside 
the AD domain to the pihole, or you could set your clients to use the 
pihole as their nameserver, but the pihole would then have to forward 
all the AD domain requests to the AD DC and not try to resolve them. 
Either option will depend on the AD DNS domain and the pihole DNS domain 
being different.
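The layout rules in the reply (workgroup without a dot, AD domain as a subdomain of the existing DNS domain, forwarder set, AD-domain names answered by the DC and everything else forwarded) can be checked mechanically before a DC is provisioned. The script below is an added example, not Samba's code or anything from this thread; both smb.conf samples are constructed to mirror the posted configuration and its corrected form, the forwarder address 192.0.2.53 is a placeholder, and `resolver_for` only models the split between "AD DC" and "upstream" described in the reply.

```python
# Added example: lint an smb.conf [global] section against the AD DNS layout
# advice in the reply above, and model which resolver should answer a name.

# Constructed sample mirroring the configuration posted in the question:
# realm and workgroup both set to the public DNS domain.
BAD_SMB_CONF = """
# Global parameters
[global]
        dns forwarder = 192.0.2.53
        netbios name = dc001
        realm = example.net
        server role = active directory domain controller
        workgroup = example.net
"""

# Constructed sample laid out as recommended: the AD domain is a subdomain
# of example.net and the workgroup is its left-hand label.
GOOD_SMB_CONF = """
[global]
        dns forwarder = 192.0.2.53
        netbios name = dc001
        realm = samba.example.net
        server role = active directory domain controller
        workgroup = samba
"""


def parse_global(text):
    """Return the key/value pairs of the [global] section, keys lowercased.

    Samba parameter names may contain spaces ('dns forwarder'), so this is a
    small hand-written parser rather than configparser.
    """
    section = None
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip().lower()] = value.strip()
    return params


def check_ad_dns_layout(params, upstream_domain):
    """Return a list of findings; an empty list means the layout is sound.

    upstream_domain is the DNS domain the pihole (or other forwarder) serves.
    """
    findings = []
    realm = params.get("realm", "").lower().rstrip(".")
    workgroup = params.get("workgroup", "")
    forwarder = params.get("dns forwarder", "")
    upstream = upstream_domain.lower().rstrip(".")

    if not realm:
        findings.append("realm is not set")
    if not forwarder:
        findings.append("dns forwarder is empty: queries outside the AD domain "
                        "have nowhere to go")
    if "." in workgroup:
        findings.append(f"workgroup '{workgroup}' contains a dot; a NetBIOS "
                        "domain name cannot")
    elif realm and workgroup.lower() != realm.split(".")[0]:
        findings.append(f"workgroup '{workgroup}' is not the left-hand label "
                        f"of realm '{realm}'")
    if realm and realm == upstream:
        findings.append(f"realm '{realm}' is the same as the upstream DNS "
                        f"domain '{upstream}'; use a subdomain such as "
                        f"'samba.{upstream}' so the DC and the forwarder are "
                        "authoritative for different zones")
    return findings


def resolver_for(qname, ad_domain):
    """Model the split in the reply: names inside the AD domain go to the DC,
    everything else is forwarded upstream."""
    q = qname.lower().rstrip(".")
    d = ad_domain.lower().rstrip(".")
    return "ad-dc" if q == d or q.endswith("." + d) else "upstream"


if __name__ == "__main__":
    for label, conf in (("posted", BAD_SMB_CONF), ("corrected", GOOD_SMB_CONF)):
        issues = check_ad_dns_layout(parse_global(conf), "example.net")
        print(f"{label}: {'OK' if not issues else ''}")
        for issue in issues:
            print("  -", issue)
    for name in ("pc01.samba.example.net", "www.example.net"):
        print(name, "->", resolver_for(name, "samba.example.net"))
```

Run it as-is to see the two findings the posted layout produces (dotted workgroup, realm identical to the forwarder's domain) and the clean result for the corrected one; point `check_ad_dns_layout` at the output of `parse_global(open("/etc/samba/smb.conf").read())` to lint a real file.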

