Bug 14755 - Not trying second DNS forwarder after the first replies ServFail
Summary: Not trying second DNS forwarder after the first replies ServFail
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DNS server (internal)
Version: 4.14.6
Hardware: All All
Importance: P5 major
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2021-07-13 16:42 UTC by olaf
Modified: 2021-07-14 12:19 UTC

Description olaf 2021-07-13 16:42:23 UTC
I have defined 2 DNS forwarders in smb.conf

first dns1, second dns2 (using their IPs)

I have a chain of DNS servers:

samba DC1 -> dns1 -> edns1 -> WORLD

samba DC1 -> dns2 -> edns2 -> WORLD

Problem:

When the server "edns1" is down, the "dns1" returns ServFail and then DC1 fails to resolve the queried name. It doesn't ask the "dns2".

18:14:57.169008 IP dc2.navidom.office.navi.pl.53689 > dns1.local.navi.pl.domain: 38948+ A? wiocha.pl. (27)
18:14:57.169867 IP dns1.local.navi.pl.domain > dc2.navidom.office.navi.pl.53689: 38948 ServFail 0/0/0 (27)
18:14:57.170110 IP dc2.navidom.office.navi.pl.34895 > dns1.local.navi.pl.domain: 50840+ AAAA? wiocha.pl. (27)
18:14:57.170542 IP dns1.local.navi.pl.domain > dc2.navidom.office.navi.pl.34895: 50840 ServFail 0/0/0 (27)

This is a rather critical issue as every domain member is unable to get any DNS responses for names outside of the domain.

When the "dns1" is down - then DC1 works as expected and asks "dns2".

18:16:15.446797 IP dc2.navidom.office.navi.pl.35534 > dns1.local.navi.pl.domain: 51980+ A? wiocha.pl. (27)
18:16:15.447520 IP dc2.navidom.office.navi.pl.44450 > dns2.local.navi.pl.domain: 12263+ A? wiocha.pl. (27)
18:16:15.561061 IP dns2.local.navi.pl.domain > dc2.navidom.office.navi.pl.44450: 12263 3/0/0 A 51.255.52.131, A 188.165.20.150, A 188.165.22.250 (75)
Comment 1 Rowland Penny 2021-07-13 18:18:53 UTC
(In reply to olaf from comment #0)

Let's see if I understand this correctly, you have something like this in your DC's smb.conf:

dns forwarder = ip_of_dns1 ip_of_dns2

You are using the internal dns server.

Clients ask the DC for something outside the AD domain, this request is forwarded to dns1, which also hasn't got a clue, so it asks edns1. edns1 has fallen over so returns nothing, after a period of time dns1 returns ServFail.

If this is the case (and it sounds like it is), it has nothing to do with Samba. Samba is asking the first forwarder in its list and getting an answer.

Why are you forwarding to two dns servers that have to ask two other dns servers ?
Why not just have 'dns forwarder = ip_of_edns1 ip_of_edns2' ?

Why didn't you ask on the samba mailing list before opening a bug report ?
Comment 2 olaf 2021-07-13 19:36:54 UTC
Yes, it is the case.
The dns1 has some internal DNS zones that are not available on edns1. 
The dns1 cannot talk to outside world directly, only through edns1.

Why is samba not asking the second forwarder if it gets an answer from the first forwarder that the server has failed?

If I have bind with 2 forwarders defined - in place of samba dc -  it asks first forwarder, gets ServFail and then asks second forwarder.

As bind works in this scenario and samba does not, I consider it a bug. If there is a DNS server in the chain that fails - there is no redundancy.

Regarding the list - I probably should, will do next time.
Comment 3 Rowland Penny 2021-07-14 06:56:39 UTC
(In reply to olaf from comment #2)

The internal dns server is a bit basic, it does what it was designed for, to be a dns server for a Samba AD domain. It probably should try another dns forwarder if it gets ServFail from the first, but seemingly there isn't the code for this, patches to fix this would be welcome.

Have you tried running Bind9 on the DC instead of the internal dns server ?
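The failover behaviour described in comments 2 and 3 (try the next forwarder on SERVFAIL, as bind does; stop at the first definitive answer), as an added example that is not Samba's dns_server code. It only reads the 12-byte DNS header, and the forwarder names "dns1"/"dns2" and the fake_send transport are constructed stand-ins for real UDP I/O:

```python
import struct

SERVFAIL = 2                    # RCODE value in the low 4 bits of the flags word
RETRYABLE_RCODES = {SERVFAIL}   # rcodes that justify trying the next forwarder


def txid_of(msg: bytes) -> int:
    """Transaction ID is the first 16-bit word of any DNS message."""
    return struct.unpack("!H", msg[:2])[0]


def rcode_of(msg: bytes) -> int:
    """RCODE is the low 4 bits of the flags word (bytes 2..3 of the header)."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    return struct.unpack("!H", msg[2:4])[0] & 0x000F


def forward_query(query: bytes, forwarders, send):
    """Ask each forwarder in order. `send(addr, query)` returns response bytes
    or None on timeout. Fall through on timeout, on a transaction-id mismatch
    (stray or spoofed reply) or on SERVFAIL; return the first definitive
    answer (NOERROR, NXDOMAIN, ...) as (addr, response), else (None, None)."""
    for addr in forwarders:
        resp = send(addr, query)
        if resp is None or len(resp) < 12:
            continue                        # timed out or truncated: next one
        if txid_of(resp) != txid_of(query):
            continue                        # not a reply to our query
        if rcode_of(resp) in RETRYABLE_RCODES:
            continue                        # upstream of this forwarder failed
        return addr, resp
    return None, None


def build_message(txid: int, rcode: int, qr: bool = True) -> bytes:
    """Constructed minimal DNS message: a 12-byte header, no sections."""
    flags = (0x8000 if qr else 0) | rcode   # QR bit marks a response
    return struct.pack("!HHHHHH", txid, flags, 0, 0, 0, 0)


# Constructed scenario from the capture: txid 38948 (0x9824); dns1 answers
# SERVFAIL because its upstream is down, dns2 answers NOERROR.
QUERY = build_message(0x9824, 0, qr=False)


def fake_send(addr, query):
    replies = {"dns1": build_message(txid_of(query), SERVFAIL),
               "dns2": build_message(txid_of(query), 0)}
    return replies.get(addr)                # unknown forwarder: None (timeout)


if __name__ == "__main__":
    addr, resp = forward_query(QUERY, ["dns1", "dns2"], fake_send)
    print(addr, rcode_of(resp))             # dns2 0
```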
Comment 4 olaf 2021-07-14 08:44:22 UTC
No, I haven't tried the samba+bind setup. The internal samba DNS is a much simpler solution and there is one less thing to manage. And until we had a problem with the edns1, it did the job perfectly.

I'll workaround this by changing config on dns1 and dns2 to point to both edns1 and edns2 on each of them. It should solve my problem.

I took a look at the samba dns_server code, before submitting the bug, but frankly, I'm not a DNS expert and I coded years ago - so I'm not able to make a patch for this case.

I understand the internal DNS server is not a full DNS solution - maybe you could just add this to the limitations on the samba DNS wiki page. It may help someone else, as it is not easy to spot - only when something goes wrong. In this case the importance should probably be changed to enhancement.
Comment 5 Rowland Penny 2021-07-14 12:19:40 UTC
(In reply to olaf from comment #4)

On the https://wiki.samba.org/index.php/Samba_Internal_DNS_Back_End wiki page, under 'Introduction', it says this:

The Samba Active Directory (AD) domain controller (DC) provides an internal DNS server that supports the basic feature required in an AD. It is easy to configure and requires no additional software or knowledge about DNS. The INTERNAL_DNS back end is recommended for simple DNS setups.

Your setup seems nothing like simple ;-)