Hello List,

I am facing a problem whereby my Samba4 internal DNS does not resolve external addresses:

    # host www.google.com
    Host www.google.com not found: 3(NXDOMAIN)

The answer is immediate, so there's no timeout issue here.

Internal resolution as described in the wiki to test the Samba AD DNS functions, like

    host -t SRV _kerberos._udp.samba.mydomain.com
    host -t SRV _ldap._tcp.samba.mydomain.com
    host -A storage.samba.mydomain.com

works as expected and returns the right answers. The Samba DNS is expected to be authoritative for the samba.mydomain.com subdomain; the hostname of the DC is storage at 192.168.19.13.

The Samba DNS is the only nameserver entry in my /etc/resolv.conf:

    domain samba.mydomain.com
    nameserver 192.168.19.13

My smb.conf contains a line

    dns forwarder = 192.168.19.1

where 192.168.19.1 is the IP address of the pfSense router providing DNS services to mydomain.com through dnsmasq.

If I add the dns forwarder as a *second* entry to /etc/resolv.conf, external name resolution from the DC box works without any problems, as it does from any other host in the network using 192.168.19.1 as its DNS server. This to me indicates that my DNS forwarder on pfSense per se does actually work as expected.

    # drill www.google.com @192.168.19.1
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 8606
    ;; flags: qr rd ra ; QUERY: 1, ANSWER: 5, AUTHORITY: 4, ADDITIONAL: 4
    ;; QUESTION SECTION:
    ;; www.google.com.	IN	A

    ;; ANSWER SECTION:
    www.google.com.	38	IN	A	173.194.113.81
    www.google.com.	38	IN	A	173.194.113.82
    www.google.com.	38	IN	A	173.194.113.83
    www.google.com.	38	IN	A	173.194.113.84
    www.google.com.	38	IN	A	173.194.113.80

    ;; AUTHORITY SECTION:
    google.com.	28834	IN	NS	ns3.google.com.
    google.com.	28834	IN	NS	ns2.google.com.
    google.com.	28834	IN	NS	ns4.google.com.
    google.com.	28834	IN	NS	ns1.google.com.

    ;; ADDITIONAL SECTION:
    ns1.google.com.	342425	IN	A	216.239.32.10
    ns2.google.com.	342425	IN	A	216.239.34.10
    ns3.google.com.	2126	IN	A	216.239.36.10
    ns4.google.com.	2126	IN	A	216.239.38.10

    ;; Query time: 20 msec
    ;; SERVER: 192.168.19.1
    ;; WHEN: Tue Sep 30 10:53:10 2014
    ;; MSG SIZE  rcvd: 248

That command was executed from the Samba box, and it works flawlessly and is also very quick, further ruling out a timeout issue (NOTE: drill is the FreeBSD equivalent of dig).

Some additional information about my installation:

    OS: FreeBSD 10.0
    Samba version: 4.1.11, server role: ROLE_ACTIVE_DIRECTORY_DC
    Router with DNS forwarder: pfSense 2.1.5

All of this is running under Xen 4.3.2 with gentoo hardened-sources and Linux kernel 3.15.10 for Dom0.

A debug trace with a higher log level for dns in smb.conf shows that the internal DNS server acknowledges that it is not authoritative for www.google.com (and therefore obviously also confirms the receipt of the query):

    Not authoritative for 'www.google.com', forwarding

But a tcpdump on the network interface does not show any attempt from the Samba AD DC to contact the forwarder for www.google.com. There is, however, traffic when 192.168.19.1 is added to resolv.conf and DNS resolution works for external addresses, so tcpdump seems to work as well.

Searching the web and asking for help in the IRC channel did not help, and currently I am at a loss as to what's going on. I would very much appreciate any help in trying to get to the bottom of this issue.

Many thanks in advance
Atom2
Thomas Mulkey
2014-Sep-30 11:55 UTC
[Samba] Samba4 internal DNS - can't resolve external hosts
I am a bit of a Samba newb, but I noticed a couple of things that are different from my test environment, which has 2 Samba 4 AD DCs.

My resolv.conf has

    search incenta.local
    nameserver 10.0.2.150

10.0.2.150 is my first DC, which has the Samba internal DNS. incenta.local is my domain name.

Second, you may want to try setting your forwarder to 8.8.8.8 in the smb.conf (dns forwarder = 8.8.8.8); this would rule out any problems with your local DNS resolution on pfSense. I would just verify for sure that the problem is with the Samba redirection.

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Atom2
Sent: Tuesday, September 30, 2014 4:57 AM
To: samba at lists.samba.org
Subject: [Samba] Samba4 internal DNS - can't resolve external hosts
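An added diagnostic example, not code from either message above. Atom2's `host` output only shows the rcode, and Thomas's suggestion of pointing the forwarder at 8.8.8.8 is about isolating which server produces the answer; this probe sends the same A query but decodes the response header itself, so for each server you see the rcode together with the AA (authoritative answer) and RA (recursion available) bits and any A records. Query the DC (192.168.19.13), the pfSense forwarder (192.168.19.1) and, if you like, 8.8.8.8 with the same name: if the DC's reply were relaying the forwarder's answer, its rcode and records should match what the forwarder returns directly, whereas an immediate NXDOMAIN that the forwarder does not give for the same name means the DC answered on its own. The IPs are taken from the thread; the probe assumes all servers answer plain UDP/53, and the bytes in `SAMPLE_NXDOMAIN` are constructed for illustration, not a capture from Atom2's DC.

```python
"""Minimal DNS probe: send one A query and decode how the server answered.
Added example (not from the thread); assumes servers answer on UDP/53."""
import random
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}
QTYPE_A = 1
QCLASS_IN = 1


def build_query(name, qid, rd=True):
    """Wire-format A/IN query; rd=True sets the recursion-desired bit."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    qname = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def _read_name(data, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels = []
    jumped = False
    end = off
    for _ in range(128):  # guard against pointer loops in hostile replies
        length = data[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | data[off + 1]
            jumped = True
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end


def parse_response(data):
    """Header flags, rcode and the A records of a DNS response."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    result = {
        "id": qid,
        "qr": bool(flags & 0x8000),  # this is a response
        "aa": bool(flags & 0x0400),  # server claims authority for the name
        "ra": bool(flags & 0x0080),  # server offers recursion
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "ancount": an,
        "a_records": [],
    }
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(data, off)
        off += 4
    for _ in range(an):
        _, off = _read_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            result["a_records"].append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return result


def probe(server, name, timeout=2.0):
    """UDP query to server:53; returns the parsed reply, or None on timeout."""
    qid = random.randint(0, 0xFFFF)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, qid), (server, 53))
        while True:  # only accept a reply carrying our transaction id
            data, _ = sock.recvfrom(4096)
            if len(data) >= 12 and struct.unpack("!H", data[:2])[0] == qid:
                return parse_response(data)
    except socket.timeout:
        return None
    finally:
        sock.close()


# Constructed sample, not a capture: an authoritative NXDOMAIN for
# www.google.com (id 0x1234, flags QR|AA|RD, no RA, zero answers).
SAMPLE_NXDOMAIN = (bytes.fromhex("123485030001000000000000")
                   + build_query("www.google.com", 0x1234)[12:])

if __name__ == "__main__":
    import sys
    print("sample:", parse_response(SAMPLE_NXDOMAIN))
    # e.g. python3 dnsprobe.py 192.168.19.13 192.168.19.1 8.8.8.8
    for srv in sys.argv[1:]:
        r = probe(srv, "www.google.com")
        print(srv, "timeout" if r is None else
              f"rcode={r['rcode']} aa={r['aa']} ra={r['ra']} a={r['a_records']}")
```

Run it with no arguments to decode the constructed sample, or pass server IPs to probe them live from the DC box. The probe only checks that a reply carries its own transaction ID, which is enough for a LAN diagnostic but is not a resolver: do not reuse it as one, and treat the forwarder address in smb.conf as a trust decision, since whatever answers there can steer every non-zone lookup the DC makes.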