[Samba] AD DC generating a lot of dns requests

Rowland penny rpenny at samba.org
Tue May 25 21:21:20 UTC 2021


On 25/05/2021 21:58, hummbla wrote:
> Hello and thanks for the fast response!
> >          workgroup = example.net
> I replaced the domain names by hand in that config (for sending it in
> here), the workgroup is actually example (and not example.net),
> sorry about that one, I just overlooked it.
>
>
> > Your problems are being caused by not really understanding how AD dns
> > should work. All Samba AD DC's are authoritative for the AD dns domain,
> > this means that they take precedence over your pihole, your clients
> > should use the AD DC as their nameserver and forward anything outside
> > the AD domain to the pihole, or you could set your clients to use the
> > pihole as their nameserver, but the pihole would then have to forward
> > all the AD domain requests to the AD DC and not try to resolve them.
> > Either option will depend on the AD dns domain and the pihole dns domain
> > being different.
>
> All domain pcs are using the samba ad dc as their dns. The dns 
> forwarder for the ad dc is the pihole server.
> Am I maybe misunderstanding the concept of the forwarding dns server?


No, that is how it should work, but your pihole should have a different 
dns domain than the AD dns domain, otherwise you could get loops.

> DNS seems to be very important to a functioning domain controller 
> (time also seems important for me).


DNS is the most important thing, closely followed by time (all clients 
have to be within 5 minutes of the DC), which is required for kerberos.

> At first everything goes to the ad dc server - to work its ad dc 
> specific *magic*.
> If the domain controller can't resolve the request it acts as an 
> intermediate between the client and the forwarding dns server (in this 
> case: pihole)
>
> Also, are these amounts of requests to be expected from an ad dc? One 
> thousand requests an hour seems like a lot to me :)


This is not typical, I think you may be getting into loops. A client 
asks for an address from the DC and, even though it ends in 
'example.net', it isn't in AD, so, for some reason, it asks your pihole 
and it doesn't know who it is, so it asks the Authoritative DNS server 
(the DC) and around we go again. Of course it could just be an infected 
Windows client, so you need to find just where the requests are coming 
from and where they are trying to go to.

To be honest, I looked into using pihole with my domain and came to the 
conclusion that it wasn't a good idea, but this is just my conclusion.

Rowland
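To act on the advice above ("find just where the requests are coming from and where they are trying to go to"), here is an added example that is not part of this thread or of Samba: a small Python script that tallies a Pi-hole (dnsmasq) query log per client and per name, and flags the loop pattern Rowland suspects, a name inside the AD dns domain that the DC asked the pihole for and that the pihole then forwarded straight back to the DC. The log lines are constructed, and the AD domain `example.net` and DC address `192.168.1.10` are assumptions for illustration; point it at `/var/log/pihole.log` and adjust both constants for a real check.

```python
"""Tally a Pi-hole (dnsmasq) query log and flag AD-domain forwarding loops.

Added example, not code from the Samba list thread. It assumes the
dnsmasq log format that Pi-hole writes to /var/log/pihole.log and two
hypothetical values taken from the discussion: the AD dns domain
'example.net' and a Samba AD DC at 192.168.1.10. SAMPLE_LOG is constructed.
"""
import re
import sys
from collections import Counter

AD_DOMAIN = "example.net"   # assumption: the AD dns domain from the thread
DC_ADDR = "192.168.1.10"    # assumption: hypothetical address of the Samba AD DC

# dnsmasq logs each lookup as a 'query[TYPE] name from client' line and,
# when it hands the name upstream, a 'forwarded name to upstream' line.
QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[(\w+)\] (\S+) from (\S+)")
FORWARD_RE = re.compile(r"dnsmasq\[\d+\]: forwarded (\S+) to (\S+)")

# Constructed sample: the DC forwards a name it should be authoritative for,
# and the pihole sends it straight back to the DC (the loop), twice.
SAMPLE_LOG = """\
May 25 21:00:01 dnsmasq[812]: query[A] www.debian.org from 192.168.1.10
May 25 21:00:01 dnsmasq[812]: forwarded www.debian.org to 9.9.9.9
May 25 21:00:02 dnsmasq[812]: query[A] printer.example.net from 192.168.1.10
May 25 21:00:02 dnsmasq[812]: forwarded printer.example.net to 192.168.1.10
May 25 21:00:02 dnsmasq[812]: query[A] printer.example.net from 192.168.1.10
May 25 21:00:02 dnsmasq[812]: forwarded printer.example.net to 192.168.1.10
May 25 21:00:03 dnsmasq[812]: query[A] updates.example.org from 192.168.1.55
May 25 21:00:03 dnsmasq[812]: forwarded updates.example.org to 9.9.9.9
"""


def in_domain(name, domain):
    """True if name is domain itself or a subdomain of it (case-insensitive)."""
    name = name.rstrip(".").lower()
    domain = domain.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


def analyse(log_text, ad_domain=AD_DOMAIN, dc_addr=DC_ADDR):
    """Return per-client and per-name query counts plus suspected loop names.

    A loop is counted when a name under the AD domain was last queried by
    the DC itself and the pihole then forwarded it back to the DC.
    """
    per_client = Counter()
    per_name = Counter()
    loops = Counter()
    last_client = {}  # name -> address of the most recent querier
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            _qtype, name, client = m.groups()
            per_client[client] += 1
            per_name[name] += 1
            last_client[name] = client
            continue
        m = FORWARD_RE.search(line)
        if m:
            name, upstream = m.groups()
            if (in_domain(name, ad_domain) and upstream == dc_addr
                    and last_client.get(name) == dc_addr):
                loops[name] += 1
    return {"per_client": per_client, "per_name": per_name, "loops": loops}


def report(result, top=10):
    """Human-readable summary of analyse() output."""
    lines = ["Top clients:"]
    lines += [f"  {n:6d}  {c}" for c, n in result["per_client"].most_common(top)]
    lines.append("Top names:")
    lines += [f"  {n:6d}  {name}" for name, n in result["per_name"].most_common(top)]
    lines.append("Suspected AD-domain loops (name: bounces):")
    lines += [f"  {name}: {n}" for name, n in result["loops"].most_common()]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python dnsloops.py [/var/log/pihole.log]; no argument runs the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    print(report(analyse(text)))
```

Any name that shows up under "Suspected AD-domain loops" is one the DC should have answered itself (with an NXDOMAIN if the record does not exist), so a non-empty list points at the pihole forwarding the AD domain back to the DC rather than at an infected client; a single client dominating "Top clients" with names outside the AD domain points the other way.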
