L.P.H. van Belle
2020-Aug-13 08:29 UTC
[Samba] Samba DNS fails when queried with nslookup commands
Hi Rowland,

That's not the point here, if this is an AD-DC or not.. ;-)
I'll explain.

This is about how DNS requests are done on the system and accepted by the "dns service".
You can install unlimited DNS servers on the AD-DC and chain them, but wise.. No, of course not. :-)

Turning off systemd-resolved is probably a good idea, yes, it is.
But it does no harm if it's on, as long as the DNS settings are done correctly.

Below is a path to follow to find and know where to look to fix resolving problems.

Keep these 2 (*3) in mind.
A "client : dns request", think in CLI commands.
A "client : dns service", think in a PC => IP:53 DNS requests.
(*also not included here, IPv6 .. And IPv6 is preferred over IPv4 if both are set/used.)

First,
His resolv.conf or the assigned DNS server in the network setting is simply wrong.
*(there is/was a known bug related to DNS in: /etc/netplan/01-netcfg.yaml, for example.)
*(which is addressed in the manual I have online.)
Biggest chance this is the problem. No DNS is set in the netconf.yaml.

If netplan is used (default on Ubuntu):

    editor /etc/netplan/01-netcfg.yaml
    netplan --debug generate

And check again.

Second,
Even if systemd-resolved is running, it only runs on and with setting: 127.0.0.51:53
No other DNS server is running on that address and port.

If above (1) is correct, then this points to errors in /etc/resolv.conf
Most probably the first DNS nameserver in resolv.conf is set to 127.0.0.51:53
* Do note, you might have a symlinked resolv.conf, which is fine, but the setup must be correctly done.
Think in: which program is filling the symlinked resolv.conf? Then that's where it needs fixing.

Third, (most important)
This is how a client's and a server's DNS requests are done.

For example, ON the AD-DC, running host/nslookup etc. on the CLI is a "client" DNS request.
This uses /etc/resolv.conf and the path it should follow.

If a PC contacts the DC-DNS, it just connects to the server DNS at IP:53
No resolv.conf is involved here, it's just querying the DNS itself.
A "client(pc)" 2 "DNS service (ip:port)" request.
This points to (if systemd networking is used) its network config files.
It also 'might' hit an incorrect resolv.conf here.

Can you use systemd-resolved on an AD-DC? Yes, you can. Wise? That's another question.
Why "would" we use it? If you do lots of scripting and resolving from the CLI, then it can be used.
But chaining the DNS resolving must be perfectly set.

    nslookup hostname
    # if fails, ip dns servers to check and search/domain in resolv.conf

    nslookup hostname.fqdn
    # if fails, ip dns servers to check in resolv.conf
    # (or where these are set, like 01-netcfg.yaml or systemd-networkd folder/files)

    nslookup hostname.fqdn @hostname.fqdn
    # if fails, firewall if dns is external queried. Fix firewall.
    # if fails, dns is intern queried. (ad-dns) not running, fix internal DNS, or wrong IP.

Verify /etc/hosts and DNS A/PTR records.
Verify if any DNS is running and on this ip/port.

    A) nslookup hostname.fqdn @ip-AD-DNS
    B) nslookup hostname.fqdn @ip-any-internet DNS (test 1.1.1.1 and 8.8.8.8)

a) fails, DNS not running on AD-DC.
b) fails, a firewall is blocking your requests.

I hope this helps others also in how to find/detect where the error is made.
Of course there are more ways to test, above is a guidance..

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland penny via samba
> Sent: Thursday 13 August 2020 9:35
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba DNS fails when queried with
> nslookup commands
>
> On 13/08/2020 08:19, L.P.H. van Belle via samba wrote:
> > Hai,
> >
> > Only the forwarder is running in this systemd setup.
> > This : 127.0.0.53:53 does NOT conflict with the normal resolv.conf setting
> > Because samba or any dns server does not run on 127.0.0.53
> > Don't make the mistake to see this for : 127.0.0.1
> Problem with that is (and it is what myself and Louis fall out over),
> this is a DC and, in my opinion, there shouldn't be anything between the
> client and DC. Turning off systemd-resolved is probably a good idea, but
> Louis is correct, Samba apparently isn't listening on IPv4_address:53
>
> Might be an idea to see the smb.conf and resolv.conf from the DC.
>
> Rowland
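
A check for the resolv.conf questions raised in the message above (which nameserver CLI lookups hit first, and which file a symlinked resolv.conf really is), as an added example that is not part of the original thread. It treats 127.0.0.53, the address quoted from the earlier mail, as the systemd-resolved stub; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: inspect a resolv.conf-style file the way a CLI lookup
# (host, nslookup) would see it. The path is an argument, so it can be
# run on a copy instead of the live /etc/resolv.conf.

# Print the first "nameserver" address in FILE (comment lines never match).
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# Print the effective search list; "search" and "domain" override each
# other and the last one in the file wins.
search_domains() {
    awk '$1 == "search" || $1 == "domain" { $1 = ""; sub(/^ +/, ""); s = $0 }
         END { print s }' "$1"
}

# Classify where the first lookup is sent.
classify_resolver() {
    ns=$(first_nameserver "$1")
    case "$ns" in
        "")          echo "none" ;;          # no nameserver line at all
        127.0.0.53)  echo "systemd-stub" ;;  # systemd-resolved forwarder
        127.*|::1)   echo "loopback" ;;      # a DNS server on this host
        *)           echo "non-loopback" ;;  # LAN or external address
    esac
}

# Show which file a (possibly symlinked) resolv.conf really is, i.e.
# which program's output has to be fixed.
resolv_owner() {
    if [ -L "$1" ]; then readlink "$1"; else echo "regular-file"; fi
}

# Constructed sample: a host where the stub owns resolv.conf via a symlink.
tmp=$(mktemp -d)
printf '# constructed sample\nnameserver 127.0.0.53\nsearch samdom.example.com\n' \
    > "$tmp/stub.conf"
ln -s stub.conf "$tmp/resolv.conf"
echo "owner:  $(resolv_owner "$tmp/resolv.conf")"
echo "first:  $(classify_resolver "$tmp/resolv.conf")"
echo "search: $(search_domains "$tmp/resolv.conf")"
rm -rf "$tmp"
```
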
Rowland penny
2020-Aug-13 08:46 UTC
[Samba] Samba DNS fails when queried with nslookup commands
On 13/08/2020 09:29, L.P.H. van Belle via samba wrote:
> Hi Rowland,
>
> That's not the point here, if this is an AD-DC or not.. ;-)

Hi Louis, cannot argue with anything you posted, but I am a minimalist, why run something that isn't strictly needed or add default settings to a conf file?

In my opinion (for what it's worth), the only thing running, dns wise, on a DC, should be the DC or Bind9, depending on which is the dns server. Running anything else is just more to debug if there is an error.

Rowland
L.P.H. van Belle
2020-Aug-13 09:30 UTC
[Samba] Samba DNS fails when queried with nslookup commands
Hai Rowland,

> Hi Louis, cannot argue with anything you posted, but I am a
> minimalist, why run something that isn't strictly needed or
> add default settings to a conf file ?

Same here, I'm a minimalist also with the installs.
But based on my experience, I try to keep system defaults as much in place as they are and use that to the best.

Why? Way less problems when you have upgrades and dist upgrades.
This is why I keep things as much as is.
(and if needed adjust after the base is set)

It's not questioning you or what you said..
(maybe I should have added this in the previous mail) :-/

> In my opinion (for what it's worth), the only thing running,

Now this.., please remind yourself, I always highly appreciate your opinions.
Pointing to: (for what it's worth) ...

Even if we have a (small) mismatch in our views, never ever question that again please.
Really.. Don't.. This is just because we have a different and overlapping skill set.
Which is great in my opinion. We fill in for one another where needed.

> dns wise, on a DC, should be the DC or Bind9, depending on which is the dns
> server. Running anything else is just more to debug if there is an error.

I can't argue that, but in every system setup I do, I use the default first, make everything work as it should, then adjust it. It saves a lot of problems and makes problems better to backtrack.

I know I'm bad at writing these "kindly meant" emails, and people often see them as not kindly,
:-( happens here in the office also, one of my "must improve" points .. I know.

Sorry if I hurt your feelings or made you think I'm questioning you.
Because I am not..

Greetz,

Louis
Rowland penny
2020-Aug-13 09:45 UTC
[Samba] Samba DNS fails when queried with nslookup commands
On 13/08/2020 10:30, L.P.H. van Belle via samba wrote:
> Hai Rowland,
>
>> Hi Louis, cannot argue with anything you posted, but I am a
>> minimalist, why run something that isn't strictly needed or
>> add default settings to a conf file ?
> Same here, I'm a minimalist also with the installs.
> But based on my experience, I try to keep system defaults as
> much in place as they are and use that to the best.
>
> Why? Way less problems when you have upgrades and dist upgrades.
> This is why I keep things as much as is.
> (and if needed adjust after the base is set)
>
> It's not questioning you or what you said..
> (maybe I should have added this in the previous mail) :-/
>
>> In my opinion (for what it's worth), the only thing running,
> Now this.., please remind yourself, I always highly appreciate your opinions.
> Pointing to: (for what it's worth) ...
>
> Even if we have a (small) mismatch in our views, never ever question that again please.
> Really.. Don't.. This is just because we have a different and overlapping skill set.
> Which is great in my opinion. We fill in for one another where needed.
>
>> dns wise, on a DC, should be the DC or Bind9, depending on which is the dns
>> server. Running anything else is just more to debug if there is an error.
> I can't argue that, but in every system setup I do,
> I use the default first, make everything work as it should,
> then adjust it. It saves a lot of problems and makes problems better to backtrack.
>
> I know I'm bad at writing these "kindly meant" emails, and people often see them as not kindly,
> :-( happens here in the office also, one of my "must improve" points .. I know.
>
> Sorry if I hurt your feelings or made you think I'm questioning you.
> Because I am not..

No, you have never hurt my feelings and I was just trying to point out the differences between our methods :D

You use as many defaults as possible, whilst I rip out anything that duplicates actions, I suppose it comes from my mechanical background.

There is nothing wrong with either method, both will work.

Rowland