Bug 12464 - NXDOMAIN not returned from forwarded query
Summary: NXDOMAIN not returned from forwarded query
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DNS server (internal) (show other bugs)
Version: 4.5.1
Hardware: All All
: P5 normal with 15 votes (vote)
Target Milestone: ---
Assignee: Kai Blin
QA Contact: Samba QA Contact
Depends on:
Reported: 2016-12-07 20:10 UTC by Brendan Fidgeon (dead mail address)
Modified: 2022-12-02 16:08 UTC (History)
5 users (show)

See Also:

dns_query.c patch (2.13 KB, patch)
2019-10-07 07:26 UTC, rosenke
no flags Details
dns_server.c patch (703 bytes, patch)
2019-10-07 07:27 UTC, rosenke
no flags Details
dns_server.h patch (476 bytes, patch)
2019-10-07 07:27 UTC, rosenke
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Brendan Fidgeon (dead mail address) 2016-12-07 20:10:26 UTC
When the samba internal DNS server forwards a query to an external DNS server the internal server does not return NXDOMAIN when it should. It returns "No answer" 

Using the internal DNS with forwarder:

nslookup beef.burger

Non-authoritative answer:
*** Can't find beef.burger: No answer

Using the external DNS server directly:

> server
Default server:
> beef.burger

** server can't find beef.burger: NXDOMAIN

smb.conf reporduced below.

        netbios name = REALM
        realm = REALM.COM
        workgroup = REALM
        dns forwarder =
        server role = active directory domain controller

        path = /usr/local/samba/var/locks/sysvol/relam.com/scripts
        read only = No

        path = /usr/local/samba/var/locks/sysvol
        read only = No
Comment 1 Jeremy Allison 2016-12-13 21:39:40 UTC
Absolutely correct. Looks like we drop on the floor any forwarder reply that doesn't contain reply records. Let me look into the code here..
Comment 2 Kai Blin 2016-12-14 10:50:48 UTC
Hm, on a first glance over the code, we should be setting state->dns_err for forwarded calls the same was as we set errors for internal lookups, where we certainly handle NXDOMAIN correctly.

That said, I don't think the current DNS tests test the forwarder code path.
Comment 3 Jeremy Allison 2016-12-14 16:47:46 UTC
Yes, that's how to return the error. However I'm looking at how to return that
up the stack correctly but still return the authority and additional resource records, as bind seems to do. If we just set a werr on the tevent_req then it's treated as a call fail and won't return.

Should have a patch to look at sometime soon(ish). Then I'll work on adding a test for this.
Comment 4 rosenke 2019-09-26 08:15:48 UTC
Hello, we can also reproduce this error.
we got multiple domains in our resolv.conf search list.
It seems that the internal DNS does not handle the Return of the forwarded DNS Request. 

Steps to reproduce:
Enter an invalid DNS Name, like test.localdomain1
echo $? returns 0

Resolv.conf with multiple search entries:
search localdomain1 localdomain2

if a hostname is entered only the first localdomain is checked and the other is ignored, also returns Code 0.

If there is any work going on this we are happy to test this
Comment 5 rosenke 2019-10-07 07:26:39 UTC
Created attachment 15512 [details]
dns_query.c patch
Comment 6 rosenke 2019-10-07 07:27:02 UTC
Created attachment 15513 [details]
dns_server.c patch
Comment 7 rosenke 2019-10-07 07:27:42 UTC
Created attachment 15514 [details]
dns_server.h patch
Comment 8 rosenke 2019-10-07 07:30:56 UTC
Hello, we have created a patch (Credits to longwitz@incore.de) and successfully tested with Samba 4.7.12 and FreeBSD.

-> host test.localdomain1
Host test.localdomain1 not found: 3(NXDOMAIN)
-> echo $? 
Comment 9 Fedor Piecka 2022-12-02 16:08:44 UTC
This issue causes trouble to users on enterprise networks with split DNS who connect to other corporate VPNs.

Windows resolver queries other configured DNS servers when it receives NXDOMAIN from the highest priority DNS server. Samba DNS server never returns NXDOMAIN for recursive queries of unknown domains and Windows resolver doesn't retry the query in such a case.

With non-Samba DNS server on local network, both local services and remote VPN protected services work.

With Samba DNS in local network, remote VPN protected services are unavailable because Windows stops resolving DNS queries after getting a 0 record DNS response from the local DNS server.

Partial workaround is to lower the metric of VPN interface. However, this makes local network services unavailable because they're "protected" by split DNS.

Unfortunately, the attached patch doesn't work for the current Samba versions. The patched code has changed considerably since Samba 4.7.