sebastian486 at buerotiger.de
2021-Feb-17 04:34 UTC
[Samba] Prevent Samba's internal DNS server from asking upstream DNS server about non-existent AD domain names
Hello!

I'd like to make Samba's internal DNS server authoritative for my AD domain, e.g. "ad.sebastian.intranet". It shall not query the configured upstream forward DNS server for names below its AD domain. If Samba's internal DNS server doesn't know a subdomain of the AD domain name, it simply does not exist.

Is that possible? I haven't found an smb.conf configuration option for that. Maybe remotely through the Windows DNS management console plugin?

My setup looks like this: I have a central firewall router that routes (and filters packets) between the internet and my LAN. I run dnsmasq on this machine. I've configured dnsmasq to forward queries about *.ad.sebastian.intranet to my Samba4 AD domain controller. On the other hand, the Samba4 domain controller uses this firewall router as the upstream DNS server for external domain names, e.g. samba.org. Only the domain member machines use the Samba domain controller as their DNS server.

Can I avoid a query loop if I ask the firewall DNS server for a non-existent AD subdomain?

  sebastian at xy.sebastian.intranet:~$ nslookup doesnotexist.ad.sebastian.intranet
    -> asks firewall.sebastian.intranet
    -> which asks sambadc1.ad.sebastian.intranet
    -> Samba's DNS server doesn't know subdomain "doesnotexist"
    -> asks upstream forward DNS server firewall.sebastian.intranet
    ...

I'm running the current Debian 10 / buster packages of samba on amd64: https://packages.debian.org/buster/samba (2:4.9.5+dfsg-5+deb10u1)

Thank you for your hints!

Best wishes,
Sebastian
Rowland penny
2021-Feb-17 07:54 UTC
[Samba] Prevent Samba's internal DNS server from asking upstream DNS server about non-existent AD domain names
On 17/02/2021 04:34, Sebastian via samba wrote:
> Hello!
>
> I'd like to make Samba's internal DNS server authoritative for my AD domain, e.g. "ad.sebastian.intranet".

It already should be.

> It shall not query the configured upstream forward DNS server for names below its AD domain.
> If Samba's internal DNS server doesn't know a subdomain of the AD domain name, it simply does not exist.

Just remove the 'dns forwarder' line from your DC's smb.conf.

Rowland
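Below is an added example, not code from either poster or from the Samba project, of the two configuration edits this thread turns on: dropping the `dns forwarder` parameter from the DC's smb.conf, and the dnsmasq `server=/zone/address` line on the firewall that sends only the AD zone to the DC. The smb.conf content, the zone name and the addresses 192.0.2.10 (DC) and 192.0.2.1 (firewall) are constructed for the example. One caveat worth stating: Samba's internal DNS does not recurse on its own, so once the forwarder is gone it answers only for zones it hosts, and any client that uses the DC as its sole resolver needs another path for external names.

```shell
#!/bin/sh
# Added example for the samba list thread above; not from the thread or the Samba project.
# Assumptions (constructed): AD zone ad.sebastian.intranet, DC at 192.0.2.10,
# firewall/dnsmasq at 192.0.2.1, and a sample smb.conf written by make_sample_conf.
set -eu

# smb.conf parameter names are case-insensitive and may be surrounded by whitespace,
# so match "dns forwarder =" loosely. Returns 0 if the file sets the parameter.
has_dns_forwarder() {
    grep -qiE '^[[:space:]]*dns[[:space:]]+forwarder[[:space:]]*=' "$1"
}

# Print the file with every 'dns forwarder' line removed and nothing else changed.
# ('dns forwarder' is a [global]-only parameter, so a whole-file filter is safe.)
strip_dns_forwarder() {
    grep -viE '^[[:space:]]*dns[[:space:]]+forwarder[[:space:]]*=' "$1" || true
}

# dnsmasq line for the firewall: forward queries for the given zone (and below)
# to the given server, leaving all other names on dnsmasq's normal upstream path.
dnsmasq_forward_line() {
    printf 'server=/%s/%s\n' "$1" "$2"
}

# Constructed sample of a DC smb.conf that still carries the forwarder.
make_sample_conf() {
    cat > "$1" <<'EOF'
[global]
    workgroup = AD
    realm = AD.SEBASTIAN.INTRANET
    server role = active directory domain controller
    dns forwarder = 192.0.2.1
    idmap_ldb:use rfc2307 = yes
EOF
}

# Demo: build the sample, show the before/after state, and print the dnsmasq line.
workdir=$(mktemp -d)
conf="$workdir/smb.conf"
make_sample_conf "$conf"

if has_dns_forwarder "$conf"; then
    echo "before: smb.conf forwards unknown names upstream"
fi

strip_dns_forwarder "$conf" > "$conf.new"
if has_dns_forwarder "$conf.new"; then
    echo "after: forwarder still present (unexpected)"
else
    echo "after: no forwarder; internal DNS answers only for its own zones"
fi

echo "firewall dnsmasq line:"
dnsmasq_forward_line ad.sebastian.intranet 192.0.2.10

# Manual verification against the live servers (not run here), from a domain member:
#   dig @192.0.2.10 doesnotexist.ad.sebastian.intranet   # DC is authoritative: expect NXDOMAIN
#   dig @192.0.2.1  doesnotexist.ad.sebastian.intranet   # firewall relays the DC's NXDOMAIN
#   dig @192.0.2.1  www.samba.org                         # external name still resolved by dnsmasq

rm -rf "$workdir"
```

After replacing the DC's smb.conf with the filtered copy, restart the samba-ad-dc service so the internal DNS rereads its configuration; the dnsmasq line goes into dnsmasq.conf (or a file under its conf-dir) on the firewall.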