Zdravko Zdravkov
2018-Jun-01 11:12 UTC
[Samba] DNS not resolving particular host from queries from particular subnet
True that! Sorry

smb.conf

[global]
        netbios name = AD
        realm = XXXX.CO.UK
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = XXXX
        idmap config XXXX:unix_nss_info = yes
        idmap_ldb:use rfc2307 = yes
        log file = /var/log/samba/samba.log
        log level = 3

named.conf

include "/usr/local/samba/private/named.conf";

options {
        listen-on port 53 { 127.0.0.1; 192.168.26.2; };
        // listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { any; };
        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        allow-recursion {
                127.0.0.1;
                192.168.26.0/24;
                192.168.27.0/24;
        };

        //recursion yes;
        tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
        dnssec-enable yes;
        dnssec-validation yes;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

//include "/etc/named.rfc1912.zones";
//include "/etc/named.root.key";

On Fri, Jun 1, 2018 at 11:48 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Fri, 1 Jun 2018 11:39:33 +0100
> Zdravko Zdravkov via samba <samba at lists.samba.org> wrote:
>
> > Hi all.
> >
> > Our setup is samba+dlz AD DC. Since last week the DNS doesn't resolve
> > the delegated record for our storage *storage.domain.ltd*
> > (192.168.26.xx) when being queried from clients in 192.168.29.0, which
> > is our OpenVPN designated network. The OpenVPN is configured to push
> > the DNS of our network, and also successfully resolves other hosts in
> > the 192.168.26.0 subnet. I have no memory of changing anything. Last
> > Friday just some of our remote clients reported that the access to
> > the storage has been lost.
> >
> > Any ideas will be appreciated!
>
> Might be a good idea to post your smb.conf and bind9 conf files.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2018-Jun-01 12:04 UTC
[Samba] DNS not resolving particular host from queries from particular subnet
On Fri, 1 Jun 2018 12:12:43 +0100
Zdravko Zdravkov <nirayah at gmail.com> wrote:

> True that! Sorry
>
> smb.conf
>
> [global]
>         netbios name = AD
>         realm = XXXX.CO.UK
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>         workgroup = XXXX
>         idmap config XXXX:unix_nss_info = yes

You should remove the line above, it should not be in a DC smb.conf

>         idmap_ldb:use rfc2307 = yes
>         log file = /var/log/samba/samba.log
>         log level = 3
>
> named.conf

There are several things wrong with that named.conf, the biggest being
that you haven't set any forwarders. The DNS server running on a Samba
AD DC must be authoritative for its DNS domain; anything outside this
domain should be forwarded to another DNS server outside the domain.
Can I suggest you try this named.conf:

options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";

        forwarders { 8.8.8.8; 8.8.4.4; };

        dnssec-validation no;
        auth-nxdomain yes;    # conform to RFC1035 =no
        listen-on-v6 { none; };
        listen-on port 53 { 127.0.0.1; 192.168.26.2; };
        notify no;
        empty-zones-enable no;
        allow-query { any; };
        allow-recursion {
                127.0.0.1/32;
                192.168.26.0/24;
                192.168.27.0/24;
        };
        tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";

};

include "/usr/local/samba/private/named.conf";

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

It is based on your info and my known working set up, though you may
want to change the forwarders.

Rowland
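An added check, written for this page and not code from the thread, from Samba or from BIND: the original post says the failing clients sit on the OpenVPN subnet 192.168.29.0, and neither the posted allow-recursion list nor the suggested one contains that subnet. The thread does not establish that this is the cause, but it is the first thing a practitioner would verify, since a client that is denied recursion can only get a referral for a name under a delegated zone, while names the DC is authoritative for still answer. The script parses the options {} block of a named.conf with a small tokenizer (the posted block is embedded, trimmed, as constructed input), applies BIND's address_match_list rules (first matching element wins, a leading '!' negates, no match means deny) to a few constructed client addresses, and evaluates the same block with 192.168.29.0/24 added as a hypothetical fix. Named ACLs such as localnets are not expanded.

```python
"""Evaluate BIND 9 allow-recursion ACLs for given client source addresses.

Added example for this thread, not code from Samba, BIND or either poster.
"""
import ipaddress
import re

# Constructed input: the options {} block posted in the thread, trimmed to
# the statements this checker reads; comments kept to exercise the tokenizer.
POSTED_OPTIONS = """\
options {
        listen-on port 53 { 127.0.0.1; 192.168.26.2; };
        // listen-on-v6 port 53 { ::1; };
        allow-query { any; };
        /* If your recursive DNS server has a public IP address, you MUST
           enable access control to limit queries to your legitimate users. */
        allow-recursion {
                127.0.0.1;
                192.168.26.0/24;
                192.168.27.0/24;
        };
        //recursion yes;
        tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
        dnssec-validation yes;
};
"""

# Hypothetical fix: same block with the OpenVPN subnet from the original post.
VPN_ADDED = POSTED_OPTIONS.replace(
    "192.168.27.0/24;", "192.168.27.0/24;\n                192.168.29.0/24;")

# Constructed client addresses: LAN, second LAN, an OpenVPN client, the DC.
CLIENTS = ["192.168.26.10", "192.168.27.10", "192.168.29.10", "127.0.0.1"]

_TOKEN = re.compile(
    r'/\*.*?\*/'            # block comment
    r'|(?://|#)[^\n]*'      # line comment
    r'|"[^"]*"'             # quoted string (may contain / or #)
    r'|[{};]'               # structural characters
    r'|[^\s{};"]+',         # bare word, e.g. 192.168.26.0/24
    re.S)


def tokenize(text):
    """Split named.conf text into tokens, dropping comments."""
    return [t for t in _TOKEN.findall(text)
            if not t.startswith(("/*", "//", "#"))]


def parse(tokens, i=0):
    """Return (statements, index). Each statement is (words, body) where body
    is the nested statement list of a { } block, or None for a plain one."""
    stmts, words = [], []
    while i < len(tokens):
        t = tokens[i]
        if t == ";":
            if words:
                stmts.append((words, None))
            words, i = [], i + 1
        elif t == "{":
            body, i = parse(tokens, i + 1)     # i is now just past the '}'
            stmts.append((words, body))
            words = []
        elif t == "}":
            return stmts, i + 1
        else:
            words.append(t)
            i += 1
    return stmts, i


def options_block(named_conf):
    for words, body in parse(tokenize(named_conf))[0]:
        if words and words[0] == "options" and body is not None:
            return body
    raise ValueError("no options {} block found")


def acl_entries(options, statement):
    """Elements of an address_match_list statement, or None if absent."""
    for words, body in options:
        if words and words[0] == statement and body is not None:
            return [w[0] for w, _ in body if w]
    return None


def acl_match(entries, client_ip):
    """BIND address_match_list semantics for any/none/localhost and
    IP or CIDR literals; other named ACLs raise ValueError."""
    ip = ipaddress.ip_address(client_ip)
    for entry in entries:
        negate, elem = entry.startswith("!"), entry.lstrip("!")
        if elem == "any":
            hit = True
        elif elem == "none":
            hit = False
        elif elem == "localhost":
            hit = ip.is_loopback
        else:
            hit = ip in ipaddress.ip_network(elem, strict=False)
        if hit:
            return not negate
    return False


def recursion_allowed(named_conf, client_ip):
    """True/False under an explicit allow-recursion; None when the statement
    is absent (BIND then falls back to allow-query-cache / its defaults)."""
    entries = acl_entries(options_block(named_conf), "allow-recursion")
    return None if entries is None else acl_match(entries, client_ip)


def report(named_conf, clients=CLIENTS):
    return {c: recursion_allowed(named_conf, c) for c in clients}


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_OPTIONS), ("with VPN subnet", VPN_ADDED)):
        print(f"--- {label} ---")
        for ip, ok in report(conf).items():
            print(f"{ip:>15}  recursion {'allowed' if ok else 'denied'}")
```

Run against the posted block, 192.168.26.10 and 127.0.0.1 are allowed to recurse and 192.168.29.10 is denied; with the VPN subnet added it is allowed. The same parser makes the other security-relevant reading explicit: allow-query { any; } is only acceptable here because listen-on binds the internal address and loopback and recursion is gated by an explicit ACL, exactly the open-resolver caveat the comment block in the posted file warns about.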
Zdravko Zdravkov
2018-Jun-01 12:21 UTC
[Samba] DNS not resolving particular host from queries from particular subnet
Hi Rowland.

Trying the suggested named.conf broke the local resolve of the storage as
well (for clients in 192.168.26.0), so I reverted back to my old one, since
I have computers here using the storage at the moment.

Would you have any other suggestions?

On Fri, Jun 1, 2018 at 1:04 PM, Rowland Penny via samba <samba at lists.samba.org> wrote: