When the samba internal DNS server forwards a query to an external DNS server the internal server does not return NXDOMAIN when it should. It returns "No answer"
Using the internal DNS with forwarder:
*** Can't find beef.burger: No answer
Using the external DNS server directly:
> server 22.214.171.124
Default server: 126.96.36.199
** server can't find beef.burger: NXDOMAIN
smb.conf reporduced below.
netbios name = REALM
realm = REALM.COM
workgroup = REALM
dns forwarder = 188.8.131.52
server role = active directory domain controller
path = /usr/local/samba/var/locks/sysvol/relam.com/scripts
read only = No
path = /usr/local/samba/var/locks/sysvol
read only = No
Absolutely correct. Looks like we drop on the floor any forwarder reply that doesn't contain reply records. Let me look into the code here..
Hm, on a first glance over the code, we should be setting state->dns_err for forwarded calls the same was as we set errors for internal lookups, where we certainly handle NXDOMAIN correctly.
That said, I don't think the current DNS tests test the forwarder code path.
Yes, that's how to return the error. However I'm looking at how to return that
up the stack correctly but still return the authority and additional resource records, as bind seems to do. If we just set a werr on the tevent_req then it's treated as a call fail and won't return.
Should have a patch to look at sometime soon(ish). Then I'll work on adding a test for this.
Hello, we can also reproduce this error.
we got multiple domains in our resolv.conf search list.
It seems that the internal DNS does not handle the Return of the forwarded DNS Request.
Steps to reproduce:
Enter an invalid DNS Name, like test.localdomain1
echo $? returns 0
Resolv.conf with multiple search entries:
search localdomain1 localdomain2
if a hostname is entered only the first localdomain is checked and the other is ignored, also returns Code 0.
If there is any work going on this we are happy to test this
Created attachment 15512 [details]
Created attachment 15513 [details]
Created attachment 15514 [details]
Hello, we have created a patch (Credits to firstname.lastname@example.org) and successfully tested with Samba 4.7.12 and FreeBSD.
-> host test.localdomain1
Host test.localdomain1 not found: 3(NXDOMAIN)
-> echo $?
This issue causes trouble to users on enterprise networks with split DNS who connect to other corporate VPNs.
Windows resolver queries other configured DNS servers when it receives NXDOMAIN from the highest priority DNS server. Samba DNS server never returns NXDOMAIN for recursive queries of unknown domains and Windows resolver doesn't retry the query in such a case.
With non-Samba DNS server on local network, both local services and remote VPN protected services work.
With Samba DNS in local network, remote VPN protected services are unavailable because Windows stops resolving DNS queries after getting a 0 record DNS response from the local DNS server.
Partial workaround is to lower the metric of VPN interface. However, this makes local network services unavailable because they're "protected" by split DNS.
Unfortunately, the attached patch doesn't work for the current Samba versions. The patched code has changed considerably since Samba 4.7.