When the samba internal DNS server forwards a query to an external DNS server the internal server does not return NXDOMAIN when it should. It returns "No answer" Using the internal DNS with forwarder: nslookup beef.burger Server: 10.0.0.196 Address: 10.0.0.196#53 Non-authoritative answer: *** Can't find beef.burger: No answer Using the external DNS server directly: nslookup > server 8.8.4.4 Default server: 8.8.4.4 Address: 8.8.4.4#53 > beef.burger Server: 8.8.4.4 Address: 8.8.4.4#53 ** server can't find beef.burger: NXDOMAIN smb.conf reporduced below. [global] netbios name = REALM realm = REALM.COM workgroup = REALM dns forwarder = 8.8.4.4 server role = active directory domain controller [netlogon] path = /usr/local/samba/var/locks/sysvol/relam.com/scripts read only = No [sysvol] path = /usr/local/samba/var/locks/sysvol read only = No
Absolutely correct. Looks like we drop on the floor any forwarder reply that doesn't contain reply records. Let me look into the code here..
Hm, on a first glance over the code, we should be setting state->dns_err for forwarded calls the same was as we set errors for internal lookups, where we certainly handle NXDOMAIN correctly. That said, I don't think the current DNS tests test the forwarder code path.
Yes, that's how to return the error. However I'm looking at how to return that up the stack correctly but still return the authority and additional resource records, as bind seems to do. If we just set a werr on the tevent_req then it's treated as a call fail and won't return. Should have a patch to look at sometime soon(ish). Then I'll work on adding a test for this.
Hello, we can also reproduce this error. we got multiple domains in our resolv.conf search list. It seems that the internal DNS does not handle the Return of the forwarded DNS Request. Steps to reproduce: Enter an invalid DNS Name, like test.localdomain1 echo $? returns 0 Resolv.conf with multiple search entries: search localdomain1 localdomain2 if a hostname is entered only the first localdomain is checked and the other is ignored, also returns Code 0. If there is any work going on this we are happy to test this
Created attachment 15512 [details] dns_query.c patch
Created attachment 15513 [details] dns_server.c patch
Created attachment 15514 [details] dns_server.h patch
Hello, we have created a patch (Credits to longwitz@incore.de) and successfully tested with Samba 4.7.12 and FreeBSD. -> host test.localdomain1 Host test.localdomain1 not found: 3(NXDOMAIN) -> echo $? 1
This issue causes trouble to users on enterprise networks with split DNS who connect to other corporate VPNs. Windows resolver queries other configured DNS servers when it receives NXDOMAIN from the highest priority DNS server. Samba DNS server never returns NXDOMAIN for recursive queries of unknown domains and Windows resolver doesn't retry the query in such a case. With non-Samba DNS server on local network, both local services and remote VPN protected services work. With Samba DNS in local network, remote VPN protected services are unavailable because Windows stops resolving DNS queries after getting a 0 record DNS response from the local DNS server. Partial workaround is to lower the metric of VPN interface. However, this makes local network services unavailable because they're "protected" by split DNS. Unfortunately, the attached patch doesn't work for the current Samba versions. The patched code has changed considerably since Samba 4.7.