I have defined 2 DNS forwarders in smb.conf: first dns1, second dns2 (using their IPs).

I have a chain of DNS servers:
samba DC1 -> dns1 -> edns1 -> WORLD
samba DC1 -> dns2 -> edns2 -> WORLD

Problem: When the server "edns1" is down, the "dns1" returns ServFail and then DC1 fails to resolve the queried name. It doesn't ask the "dns2".

18:14:57.169008 IP dc2.navidom.office.navi.pl.53689 > dns1.local.navi.pl.domain: 38948+ A? wiocha.pl. (27)
18:14:57.169867 IP dns1.local.navi.pl.domain > dc2.navidom.office.navi.pl.53689: 38948 ServFail 0/0/0 (27)
18:14:57.170110 IP dc2.navidom.office.navi.pl.34895 > dns1.local.navi.pl.domain: 50840+ AAAA? wiocha.pl. (27)
18:14:57.170542 IP dns1.local.navi.pl.domain > dc2.navidom.office.navi.pl.34895: 50840 ServFail 0/0/0 (27)

This is a rather critical issue as every domain member is unable to get any DNS responses that are outside of the domain.

When the "dns1" is down - then DC1 works as expected and asks "dns2".

18:16:15.446797 IP dc2.navidom.office.navi.pl.35534 > dns1.local.navi.pl.domain: 51980+ A? wiocha.pl. (27)
18:16:15.447520 IP dc2.navidom.office.navi.pl.44450 > dns2.local.navi.pl.domain: 12263+ A? wiocha.pl. (27)
18:16:15.561061 IP dns2.local.navi.pl.domain > dc2.navidom.office.navi.pl.44450: 12263 3/0/0 A 51.255.52.131, A 188.165.20.150, A 188.165.22.250 (75)
(In reply to olaf from comment #0)

Let's see if I understand this correctly, you have something like this in your DC's smb.conf:

dns forwarder = ip_of_dns1 ip_of_dns2

You are using the internal dns server. Clients ask the DC for something outside the AD domain, this request is forwarded to dns1, which also hasn't got a clue, so it asks edns1. edns1 has fallen over so returns nothing, after a period of time dns1 returns ServFail.

If this is the case (and it sounds like it is), it has nothing to do with Samba. Samba is asking the first forwarder in its list and getting an answer.

Why are you forwarding to two dns servers that have to ask two other dns servers? Why not just have 'dns forwarder = ip_of_edns1 ip_of_edns2'?

Why didn't you ask on the samba mailing list before opening a bug report?
Yes, it is the case. The dns1 has some internal DNS zones that are not available on edns1. The dns1 cannot talk to the outside world directly, only through edns1.

Why is samba not asking the second forwarder if it gets an answer from the first forwarder that the server has failed? If I have bind with 2 forwarders defined - in place of samba dc - it asks the first forwarder, gets ServFail and then asks the second forwarder. As bind works in this scenario and samba does not, I consider it a bug. If there is a DNS server in the chain that fails - there is no redundancy.

Regarding the list - I probably should, will do next time.
(In reply to olaf from comment #2)

The internal dns server is a bit basic, it does what it was designed for, to be a dns server for a Samba AD domain. It probably should try another dns forwarder if it gets ServFail from the first, but seemingly there isn't the code for this, patches to fix this would be welcome.

Have you tried running Bind9 on the DC instead of the internal dns server?
No, I haven't tried the samba+bind setup. The internal samba DNS is a much simpler solution and there is one less thing to manage. And unless we had a problem with the edns1, it did the job perfectly.

I'll work around this by changing the config on dns1 and dns2 to point to both edns1 and edns2 on each of them. It should solve my problem.

I took a look at the samba dns_server code before submitting the bug, but frankly, I'm not a DNS expert and I coded years ago - so I'm not able to make a patch for this case.

I understand the internal DNS server is not a full DNS solution - maybe you could just add this to the limitations on the samba DNS wiki page. It may help someone else, as it is not easy to spot - only when something goes wrong.

In this case the importance should probably be changed to enhancement.
(In reply to olaf from comment #4)

On the https://wiki.samba.org/index.php/Samba_Internal_DNS_Back_End wikipage, under 'Introduction', it says this:

The Samba Active Directory (AD) domain controller (DC) provides an internal DNS server that supports the basic feature required in an AD. It is easy to configure and requires no additional software or knowledge about DNS. The INTERNAL_DNS back end is recommended for simple DNS setups.

Your setup seems nothing like simple ;-)
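
The two forwarder behaviours compared in this thread (move to the next forwarder only when there is no answer, versus also moving on when the answer is ServFail), as an added example that is not part of the original report and is not Samba or BIND code. The function names and the stand-in forwarders are hypothetical and the reply packets are constructed; the transaction-id check is an extra assumption of this sketch.

```python
import struct

NOERROR, SERVFAIL = 0, 2

def build_reply(txid, rcode, answers=0):
    """Constructed 12-byte DNS header: QR=1, RA=1, given RCODE and ANCOUNT."""
    return struct.pack("!HHHHHH", txid, 0x8080 | rcode, 1, answers, 0, 0)

def parse_header(packet):
    """Return (transaction id, rcode) from a DNS reply header."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", packet[:4])
    return txid, flags & 0x000F

def forward(txid, forwarders, failover_on_servfail):
    """Try forwarders in order; return (answering forwarder, rcode, tried list).

    Each forwarder is (name, send); send(txid) returns reply bytes or None
    on timeout. Replies with a mismatched id are discarded like a timeout.
    """
    tried, last = [], (None, None)
    for name, send in forwarders:
        tried.append(name)
        reply = send(txid)
        if reply is None:
            continue                      # no answer: next forwarder
        reply_id, rcode = parse_header(reply)
        if reply_id != txid:
            continue                      # not our transaction: ignore it
        last = (name, rcode)
        if rcode == SERVFAIL and failover_on_servfail:
            continue                      # upstream broken: next forwarder
        return name, rcode, tried
    return last[0], last[1], tried        # every forwarder failed

# Constructed stand-ins for the forwarders in the report (hypothetical names).
def dns1_upstream_down(txid): return build_reply(txid, SERVFAIL)
def dns1_down(txid): return None
def dns2_ok(txid): return build_reply(txid, NOERROR, answers=3)

if __name__ == "__main__":
    chain = [("dns1", dns1_upstream_down), ("dns2", dns2_ok)]
    print(forward(38948, chain, failover_on_servfail=False))  # reported case
    print(forward(38948, chain, failover_on_servfail=True))   # with failover
    print(forward(51980, [("dns1", dns1_down), ("dns2", dns2_ok)], False))
```

With failover on ServFail enabled, a final ServFail is returned only after every forwarder in the list has been tried.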