L.P.H. van Belle
2019-Feb-20 10:17 UTC
[Samba] Samba + BIND9 DLZ. DNS doesn't resolve FQDN, only short hostname
Hai,

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Mgr.
> Peter Tuharsky via samba
> Sent: Wednesday 20 February 2019 10:28
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba + BIND9 DLZ. DNS doesn't resolve
> FQDN, only short hostname
>
> Well, the mystery is solved. It WAS Avahi, in a way...

This is said wrong. ...

> Even though it was disabled as a daemon,
> it still haunted the system by the means of nsswitch.conf
>
> In the 'hosts' line, the Debian default entry 'mdns4_minimal
> [NOTFOUND=return]' does exactly what we don't want - for
> .local domains
> it asks Avahi and if it doesn't know, it never asks the other
> services,
> such as dns etc.

And wrong is `the domain is .local`
Why oh why is .local used. That is a reserved name for mDNS (avahi)..
Yes. So what happened here is TOTALLY CORRECT. Here the problem is you are using .local

> I hope the documentation (Wiki) should be more vocal about that - that
> if the domain is .local, the 'dns' entry MUST precede 'mdns4_minimal'
> and 'mdns4' entries.

Possible yes, but if correctly set up, not needed.
And a bit ahead thinking people... Future systems will mostly use systemd, whether we like it or not.
Then if systemd is used correctly and you use systemd-resolved, you get this.
A random new server I'm setting up, not a samba server, but that's not the point, the point is resolving, and what you see in this output.

sudo resolvectl ( the defaults )

Global
         LLMNR setting: yes
  MulticastDNS setting: yes
    DNSOverTLS setting: no
        DNSSEC setting: no
      DNSSEC supported: no
  Fallback DNS Servers: 8.8.8.8
                        8.8.4.4
                        2001:4860:4860::8888
                        2001:4860:4860::8844
            DNSSEC NTA: 10.in-addr.arpa
                        16.172.in-addr.arpa
                        168.192.in-addr.arpa
                        17.172.in-addr.arpa
                        18.172.in-addr.arpa
                        19.172.in-addr.arpa
                        20.172.in-addr.arpa
                        21.172.in-addr.arpa
                        22.172.in-addr.arpa
                        23.172.in-addr.arpa
                        24.172.in-addr.arpa
                        25.172.in-addr.arpa
                        26.172.in-addr.arpa
                        27.172.in-addr.arpa
                        28.172.in-addr.arpa
                        29.172.in-addr.arpa
                        30.172.in-addr.arpa
                        31.172.in-addr.arpa
                        corp
                        d.f.ip6.arpa
                        home
                        internal
                        intranet
                        lan
                        local
                        private
                        test

So what you shouldn't be using for samba domains:
.corp .home .internal .intranet .lan .local .private .test

More ahead, about LLMNR
https://en.wikipedia.org/wiki/Link-Local_Multicast_Name_Resolution

See also..
Network Basic Input/Output System (NetBIOS)
Peer Name Resolution Protocol (PNRP)
Multicast DNS (mDNS)
Zero-configuration networking (Zeroconf)

Now mix this and what do you get. Samba + avahi and the use for LLMNR to replace netbios.
But is this what you want.. I don't think so.

Read :
https://www.blackhillsinfosec.com/how-to-disable-llmnr-why-you-want-to/
https://www.crowe.com/cybersecurity-watch/netbios-llmnr-giving-away-credentials
https://attack.mitre.org/techniques/T1171/

So why again is it so important to have a perfect dns setup.....
So you don't have to use LLMNR or netbios anymore.
But if you set up correctly, avahi and dns can exist fine on a samba network.
But again, this is my personal opinion, not recommended.

Greetz,

Louis
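The two checks this thread boils down to (is the AD realm under one of the TLDs that resolvectl treats specially, and does the nsswitch.conf 'hosts' line let a lookup of that realm reach 'dns' before an mDNS module with [NOTFOUND=return] stops it) can be scripted so they run on every member server before joining. The following is an added example written for this summary, not code from the thread or from the Samba project. It assumes the nss-mdns behaviour that the *_minimal modules only claim .local names while plain mdns4/mdns6 try any name, and the function names, the SPECIAL_USE_TLDS set (taken from the quoted resolvectl output) and the sample hosts line are constructed for the example.

```python
import re

# TLDs that the quoted `resolvectl` output lists as DNSSEC negative trust
# anchors, which the thread says not to use for a Samba AD domain.
SPECIAL_USE_TLDS = {"corp", "home", "internal", "intranet", "lan", "local",
                    "private", "test"}

# A token is either a bracketed action list such as [NOTFOUND=return] or a
# bare service name such as dns or mdns4_minimal.
_TOKEN = re.compile(r"\[[^\]]*\]|\S+")


def parse_hosts_line(line):
    """Parse a 'hosts:' line from nsswitch.conf into [(service, {STATUS: action})].

    An action list in brackets applies to the service that precedes it.
    """
    key, sep, rest = line.partition(":")
    if sep and key.strip() != "hosts":
        raise ValueError("not a 'hosts' line: %r" % line)
    if not sep:
        rest = line  # caller passed only the right-hand side
    entries = []
    for tok in _TOKEN.findall(rest):
        if tok.startswith("["):
            if not entries:
                raise ValueError("action list without a preceding service")
            for spec in tok[1:-1].split():
                status, _, action = spec.partition("=")
                entries[-1][1][status.strip().upper()] = action.strip().lower()
        else:
            entries.append((tok, {}))
    return entries


def tld_of(domain):
    """Return the last label of a domain name, lower-cased."""
    return domain.rstrip(".").rsplit(".", 1)[-1].lower()


def dns_reachable_for(entries, domain):
    """True if a lookup of a name under `domain` can still reach the 'dns' service.

    Assumed nss-mdns behaviour: the *_minimal modules only claim .local names
    (anything else is passed on as UNAVAIL), while plain mdns4/mdns6 try every
    name. With [NOTFOUND=return] after such a module, a name it claims but
    cannot resolve ends the lookup before 'dns' is consulted.
    """
    tld = tld_of(domain)
    for service, actions in entries:
        if service == "dns":
            return True
        if service.startswith("mdns") and actions.get("NOTFOUND") == "return":
            if not service.endswith("_minimal") or tld == "local":
                return False
    return False


def suggest_hosts_line(entries):
    """Rebuild the line with 'dns' moved ahead of the first mdns* service."""
    entries = list(entries)
    mdns_idx = [i for i, (s, _) in enumerate(entries) if s.startswith("mdns")]
    dns_idx = [i for i, (s, _) in enumerate(entries) if s == "dns"]
    if mdns_idx and dns_idx and dns_idx[0] > mdns_idx[0]:
        entries.insert(mdns_idx[0], entries.pop(dns_idx[0]))
    parts = []
    for service, actions in entries:
        parts.append(service)
        if actions:
            parts.append("[" + " ".join("%s=%s" % kv for kv in actions.items()) + "]")
    return "hosts: " + " ".join(parts)


def audit(domain, hosts_line):
    """Report the two problems discussed in the thread for one host."""
    entries = parse_hosts_line(hosts_line)
    return {
        "special_use_tld": tld_of(domain) in SPECIAL_USE_TLDS,
        "dns_reachable": dns_reachable_for(entries, domain),
        "suggested_hosts_line": suggest_hosts_line(entries),
    }


if __name__ == "__main__":
    # Constructed sample: the Debian default hosts line and two realms.
    SAMPLE_LINE = "hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname"
    for realm in ("samdom.example.local", "samdom.example.com"):
        print(realm, audit(realm, SAMPLE_LINE))
```

To run it against a real host, pass the realm and the 'hosts' line read from /etc/nsswitch.conf to audit(); a result with "special_use_tld" true means the realm name itself is the problem and no nsswitch ordering fixes it cleanly, while "dns_reachable" false with a non-special TLD points at the module ordering that "suggested_hosts_line" corrects.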
Rowland Penny
2019-Feb-20 10:33 UTC
[Samba] Samba + BIND9 DLZ. DNS doesn't resolve FQDN, only short hostname
On Wed, 20 Feb 2019 11:17:05 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai,
>
> [...]
>
> Possible yes, but if correctly set up, not needed.
> And a bit ahead thinking people... Future systems will mostly use
> systemd, whether we like it or not.

Seemingly not on a Tesla:

https://www.reddit.com/r/teslamotors/comments/92uu0x/model_3_has_a_hidden_web_browser/

Rowland
Mgr. Peter Tuharsky
2019-Feb-20 13:52 UTC
[Samba] Samba + BIND9 DLZ. DNS doesn't resolve FQDN, only short hostname
Hm, I thought this to be the very TLD that is specifically assigned for local networks with no plans to become Internet-wide.

What is the recommended TLD for such networks then?

On 20. 2. 2019 at 11:33 Rowland Penny via samba wrote:
> On Wed, 20 Feb 2019 11:17:05 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
>> [...]
>>
>> And wrong is `the domain is .local`
>> Why oh why is .local used. That is a reserved name for mDNS (avahi)..
>> Yes. So what happened here is TOTALLY CORRECT. Here the problem is you
>> are using .local
>>
>> [...]
>
> Seemingly not on a Tesla:
>
> https://www.reddit.com/r/teslamotors/comments/92uu0x/model_3_has_a_hidden_web_browser/
>
> Rowland
Mgr. Peter Tuharsky
2019-Feb-20 14:04 UTC
[Samba] Samba + BIND9 DLZ. DNS doesn't resolve FQDN, only short hostname
Well, finally I found the recommendations against .local here:
https://wiki.samba.org/index.php/Active_Directory_Naming_FAQ

However, still, the originating wiki should AFAIK be more verbose.
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

For now it only says "Make sure that you provision the AD using a DNS domain that will not need to be changed. Samba does not support renaming the AD DNS zone and Kerberos realm. For additional information, see Active Directory Naming FAQ."

I wish this would indicate somehow that some TLDs are very problematic and strongly discouraged. I took this notice like this: "I'm sure I won't need to rename, so I don't need to read the Additional information on AD Naming."

On 20. 2. 2019 at 11:33 Rowland Penny via samba wrote:
> On Wed, 20 Feb 2019 11:17:05 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
>> [...]
>>
>> And wrong is `the domain is .local`
>> Why oh why is .local used. That is a reserved name for mDNS (avahi)..
>> Yes. So what happened here is TOTALLY CORRECT. Here the problem is you
>> are using .local
>>
>> [...]
>
> Seemingly not on a Tesla:
>
> https://www.reddit.com/r/teslamotors/comments/92uu0x/model_3_has_a_hidden_web_browser/
>
> Rowland