Hello All,

I hope you can assist me. I'm running Bind DLZ with our Samba AD DC environment.

Bind: BIND 9.11.4-P2-RedHat-9.11.4-9.P2.el7 (Extended Support Version)
Samba: Version 4.11.6-SerNet-RedHat-9.el7
OS: Red Hat Enterprise Linux Server release 7.7 (Maipo)

My DNS queries seem to be hanging intermittently, taking anything from 1 sec to 15 sec, or even timing out.

I've been monitoring the IPv4 requests, peaking at 1800 req/s, and my successful requests are sitting at 60 req/s.

Is there anything I might be missing in my named config? I have about 5000+ devices in my domain.

See the bind config below:

# cat /etc/named.conf
# Global Configuration Options

statistics-channels {
    inet 127.0.0.1 port 8653 allow { 127.0.0.1; };
};

include "/var/lib/samba/bind-dns/named.conf";

options {
    version "";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    auth-nxdomain yes;
    directory "/var/named";
    notify no;
    empty-zones-enable no;
    tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
    minimal-responses yes;

    dnssec-validation no;
    dnssec-enable no;
    dnssec-lookaside no;

    listen-on port 53 { <Server IP>; 127.0.0.1; };

    recursive-clients 4000;
    tcp-clients 400;
    clients-per-query 30;
    max-clients-per-query 50;

    # IP addresses and network ranges allowed to query the DNS server:
    allow-query { any; };
    allow-query-cache { any; };

    # IP addresses and network ranges allowed to run recursive queries:
    # (Zones not served by this DNS server)
    recursion yes;
    allow-recursion { any; };

    # Forward queries that can not be answered from own zones
    # to these DNS servers:
    forwarders {
        DC1;
        DC2;
        DC3;
        DC4;
        DC5;
    };

    # Disable zone transfers
    allow-transfer { 127.0.0.1; };
};

# Root Servers
# (Required for recursive DNS queries)
zone "." {
    type hint;
    file "named.root";
};

# localhost zone
zone "localhost" {
    type master;
    file "master/localhost.zone";
};

# 127.0.0. zone.
zone "0.0.127.in-addr.arpa" {
    type master;
    file "master/0.0.127.zone";
};

-- 
Eben Victor
Cell: +27 82 759 5266
Email: eben.victor at gmail.com
On 28/02/2020 08:46, Eben Victor via samba wrote:
> Hello All,
>
> I hope you can assist me,
> I'm running Bind DLZ with our Samba AD DC environment
>
> Is there anything I might be missing in my named config?

Well, yes and then again, no ;-)

> See below bind config,
> # cat /etc/named.conf
> # Global Configuration Options
>
> statistics-channels {
>     inet 127.0.0.1 port 8653 allow { 127.0.0.1; };
> };
>
> include "/var/lib/samba/bind-dns/named.conf";
>
> options {
>
>     version "";
>     dump-file "/var/named/data/cache_dump.db";
>     statistics-file "/var/named/data/named_stats.txt";
>     memstatistics-file "/var/named/data/named_mem_stats.txt";
>     auth-nxdomain yes;
>     directory "/var/named";
>     notify no;
>     empty-zones-enable no;
>     tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
>     minimal-responses yes;
>
>     dnssec-validation no;
>     dnssec-enable no;
>     dnssec-lookaside no;
>
>     listen-on port 53 { <Server IP>; 127.0.0.1; };
>
>     # IP addresses and network ranges allowed to query the DNS server:
>     allow-query { any; };
>
>     # IP addresses and network ranges allowed to run recursive queries:
>     # (Zones not served by this DNS server)
>     allow-recursion { any; };
>
>     # Forward queries that can not be answered from own zones
>     # to these DNS servers:
>     forwarders {
>         DC1;
>         DC2;
>         DC3;
>         DC4;
>         DC5;
>     };
> };

OK, I have removed lines from 'options' that you do not need ;-)

The one thing I haven't changed and you definitely need to, are the forwarders: you cannot forward to another DC. You need to forward to DNS servers outside your AD DNS domain, Google's for example.

Everything else in named.conf is okay.

It may help if you also post your smb.conf file.

Rowland
Thanks Rowland, I have removed them from options and amended the forwarders.

[global]
    workgroup = <MYDOMAIN>
    realm = <MYDOMAIN>.CORP
    netbios name = <HOSTNAME>
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
    idmap config * : range = 3000-7999   ----------> If I remove this portion I get errors -> idmap range not specified for domain '*'
    guest account = nobody
    restrict anonymous = 1
    winbind max clients = 2000
    log level = 1 auth_audit:3 auth_json_audit:3 dns:10 dsdb_audit:3 dsdb_json_audit:3
    max log size = 10000
    ldap server require strong auth = no
    ntlm auth = mschapv2-and-ntlmv2-only
    template homedir = /home/<mydomain>.corp/%U
    template shell = /bin/bash
    interfaces = lo ens192
    bind interfaces only = yes
    server services = -dns
    prefork children = 8

    # Disable printer share
    load printers = No
    printcap name = /dev/null
    disable spoolss = Yes

    # Enable Vodadealers TLS
    tls enabled = yes
    tls keyfile = tls/key.pem
    tls certfile = tls/cert.pem
    tls cafile = tls/ca.pem

[netlogon]
    path = /var/lib/samba/sysvol/<mydomain>.corp/scripts
    read only = Yes

[sysvol]
    path = /var/lib/samba/sysvol
    read only = Yes

Also see resolv.conf below:

search mydomain.corp otherdomain.corp otherdomain.net otherdomain.co.za mydomain.co.za
nameserver DC2
nameserver DC3
nameserver DC1
nameserver DC5
nameserver DC6
nameserver DC4

Regards

-- 
Eben Victor
Cell: +27 82 759 5266
Email: eben.victor at gmail.com
Add in resolv.conf:

options rotate

or only the first 3 nameservers are used.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Eben Victor via samba
> Sent: Friday, 28 February 2020 10:21
> To: Rowland penny
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Samba Bind DLZ Slow queries
On Fri, 2020-02-28 at 10:46 +0200, Eben Victor via samba wrote:
> Hello All,
>
> I hope you can assist me,
> I'm running Bind DLZ with our Samba AD DC environment
>
> Bind: BIND 9.11.4-P2-RedHat-9.11.4-9.P2.el7 (Extended Support Version)
> Samba: Version 4.11.6-SerNet-RedHat-9.el7
> OS: Red Hat Enterprise Linux Server release 7.7 (Maipo)
>
> My DNS queries seems to be hanging intermittently, taking anything from
> 1sec - 15sec or even timing out.
>
> I'm been monitoring the IPv4 requests and peaking at 1800 req/s and my
> success requests are sitting at 60req/s.
>
> Is there anything I might be missing in my named config?
> I have about 5000+ devices in my domain.

Thanks. This is a known issue.

What we suggest is that you run two BIND servers, one as the main caching forwarder to the internet, and another on Samba (or run internal DNS on Samba). Point your Samba zones to Samba using a zone of type "forward" on your caching bind server.

The issue is that bind9 is checking if Samba hosts every single zone on the internet, which bogs things down pretty badly. BIND9 holds a global lock on the sam.ldb and all the internal bind threads wait behind this; even if they could be doing something else (talking to the internet), they just wait rather than retry later.

I'm glad to hear you are already using minimal-responses; that will also make a difference.

I hope this helps. We debugged exactly this issue for a number of our clients and this is what worked for them.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
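As an added example (not from this thread and not Samba project configuration), here is one way to lay out the split Andrew describes: a plain caching BIND that owns recursion and hands only the AD zones to the DCs with "type forward" zones, and a non-recursive BIND9_DLZ on each DC. It also applies Rowland's rule that the internet-facing forwarders must be resolvers outside the AD DNS namespace. The zone name mydomain.corp is taken from the thread; all addresses (192.0.2.x, 10.0.0.0/8) are documentation placeholders and the query ACLs are assumptions, not values from the original post.

```conf
## --- Host A: caching/forwarding resolver (plain BIND, no DLZ) ---
## Clients and the DCs themselves point resolv.conf here. Assumed address 192.0.2.53.
options {
    directory "/var/named";
    listen-on port 53 { 192.0.2.53; 127.0.0.1; };
    recursion yes;
    allow-query     { 10.0.0.0/8; 127.0.0.1; };   # assumed client range; avoid "any" on a recursor
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };
    minimal-responses yes;

    # Rowland's point: global forwarders go to resolvers OUTSIDE the AD DNS domain.
    # Placeholder addresses; use your ISP's or a public resolver.
    forwarders { 192.0.2.1; 192.0.2.2; };
    forward only;

    # mydomain.corp is unsigned and sits under a TLD absent from the public root,
    # so a validating resolver would mark its answers bogus (the signed root
    # proves "corp" does not exist). Keep validation off on this host unless you
    # add a negative trust anchor for the internal zones.
    dnssec-validation no;
};

zone "." { type hint; file "named.root"; };

# The AD zones are NOT hosted here. Everything under mydomain.corp is handed to
# the Samba DCs and nothing else is: this is Andrew's "zone of type forward".
# Samba provisions _msdcs as its own zone, so forward that explicitly as well.
zone "mydomain.corp" {
    type forward;
    forward only;
    forwarders { 192.0.2.11; 192.0.2.12; };   # assumed DC addresses
};
zone "_msdcs.mydomain.corp" {
    type forward;
    forward only;
    forwarders { 192.0.2.11; 192.0.2.12; };
};
# Repeat for every reverse zone that Samba hosts, e.g. (assumed):
zone "2.0.192.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 192.0.2.11; 192.0.2.12; };
};

## --- Host B: BIND9_DLZ on each Samba DC (192.0.2.11, 192.0.2.12) ---
## Authoritative only. Because it never recurses, no named thread sits on the
## sam.ldb lock while waiting for an answer from the internet.
options {
    directory "/var/named";
    listen-on port 53 { 192.0.2.11; 127.0.0.1; };
    recursion no;                       # the change that matters on the DC
    minimal-responses yes;              # keep this, as the thread notes
    allow-query { any; };               # authoritative data only; tighten to your ranges if you can
    allow-transfer { none; };
    notify no;
    empty-zones-enable no;
    tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";   # GSS-TSIG dynamic updates
    dnssec-validation no;
};

# Generated by Samba; loads the DLZ module that serves the AD zones from sam.ldb.
include "/var/lib/samba/bind-dns/named.conf";
```

With this layout every client's resolv.conf (and each DC's own) lists the caching resolvers only, which also sidesteps the glibc limit Louis mentions, since two or three caching hosts fit within the three nameservers glibc consults. Secure dynamic updates are unaffected: a client finds the zone's authoritative server through the SOA/NS records and sends its GSS-TSIG update straight to the DC, not via the cache. After the change, a quick sanity check is to `dig @192.0.2.53 dc1.mydomain.corp` and `dig @192.0.2.11 www.example.com` from a client; the second should come back with the recursion-refused status, confirming the DC no longer recurses.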