When Samba's internal DNS server forwards a query to an upstream resolver and receives an NXDOMAIN response, it returns NODATA (NOERROR with empty answer section) to the client instead of passing through the NXDOMAIN. This breaks DNS search list iteration on clients, as glibc and systemd-resolved only continue iterating the search list on NXDOMAIN, not NODATA.

root@dc03:/home/dietpi# tcpdump -n -i lo 'port 5353 or port 53'
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on lo, link-type EN10MB (Ethernet), snapshot length 262144 bytes
20:31:50.095452 IP 127.0.0.1.52653 > 127.0.0.1.53: 11236+ [1au] A? hv01.fritz.box. (55)
20:31:50.095593 IP 127.0.0.1.44375 > 127.0.0.1.5353: 15314+ [1au] A (QM)? hv01.fritz.box. (43)
20:31:50.095662 IP 127.0.0.1.5353 > 127.0.0.1.44375: 15314 NXDomain* 0/0/1 (43)
20:31:50.095719 IP 127.0.0.1.53 > 127.0.0.1.52653: 11236$ 0/0/1 (43)
^C
4 packets captured
8 packets received by filter
0 packets dropped by kernel

root@dc03:/home/dietpi# samba --version
Version 4.23.5

uname -a
Linux dc03 6.12.62+rpt-rpi-2712 #1 SMP PREEMPT Debian 1:6.12.62-1+rpt1 (2025-12-18) aarch64 GNU/Linux

cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 13 (trixie)"
NAME="Debian GNU/Linux"
VERSION_ID="13"
VERSION="13 (trixie)"
VERSION_CODENAME=trixie
DEBIAN_VERSION_FULL=13.3
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

grep -i "dns forwarder" /usr/local/samba/etc/smb.conf
dns forwarder = 127.0.0.1:5353

dig @127.0.0.1 -p 5353 hv01.fritz.box   # NXDOMAIN from Unbound

; <<>> DiG 9.20.18-1~deb13u1-Debian <<>> @127.0.0.1 -p 5353 hv01.fritz.box
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 50602
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;hv01.fritz.box.                IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1) (UDP)
;; WHEN: Sat Mar 14 20:33:01 CET 2026
;; MSG SIZE  rcvd: 43

dig @127.0.0.1 -p 53 hv01.fritz.box   # NODATA from Samba

; <<>> DiG 9.20.18-1~deb13u1-Debian <<>> @127.0.0.1 -p 53 hv01.fritz.box
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18117
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;hv01.fritz.box.                IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Sat Mar 14 20:33:01 CET 2026
;; MSG SIZE  rcvd: 43

root@dc03:/home/dietpi#
Woops, just seen this has already been reported https://bugzilla.samba.org/show_bug.cgi?id=12464
ask_forwarder_recv() in source4/dns_server/dns_query.c (lines 320-345) copies the answer etc. from the forwarder response, but ignores the rcode in in_packet->operation, always returning WERR_OK regardless of whether the forwarder returned NXDOMAIN, SERVFAIL, REFUSED, etc.

Before returning from ask_forwarder_recv() the code should check the rcode, à la

    /* rcode is the low bits of the operation/flags word of the forwarder's reply */
    uint16_t rcode = in_packet->operation & DNS_RCODE;
    if (rcode == DNS_RCODE_NXDOMAIN) {
        return DNS_ERR(NAME_ERROR);
    }

SERVFAIL, REFUSED, FORMERR, and NOTIMP should probably also be handled.

Also dns_server_process_query_got_response() retries on any error, so even a correct NXDOMAIN from a forwarder would cause fallback to the next forwarder rather than being returned to the client immediately. NXDOMAIN should not trigger a retry, since the same response is expected.
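To make the two points above concrete (the rcode check a forwarding server needs, and why a client only walks its search list on NXDOMAIN rather than NODATA), here is an added, self-contained C example. It is not Samba code and does not use Samba's types or macros: the enum, the function names and the "try next forwarder" policy for SERVFAIL/REFUSED/FORMERR/NOTIMP are my own assumptions. It parses the 12-byte DNS header of an upstream reply, classifies it, and shows what rcode the client ends up seeing. The three sample headers are constructed to mirror the flags and IDs in the dig/tcpdump output of this report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not Samba code. A DNS message starts with a 12-byte header
 * (RFC 1035 section 4.1.1): ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT,
 * each a 16-bit big-endian field. RCODE is the low 4 bits of FLAGS.
 */
#define DNS_HDR_LEN     12
#define DNS_FLAG_QR     0x8000
#define DNS_RCODE_MASK  0x000F

enum dns_rcode { RC_NOERROR = 0, RC_FORMERR = 1, RC_SERVFAIL = 2,
                 RC_NXDOMAIN = 3, RC_NOTIMP = 4, RC_REFUSED = 5 };

/* What a forwarding server should do with an upstream reply (hypothetical names). */
enum fwd_verdict {
    FWD_MALFORMED,   /* shorter than a header, or QR bit clear (a query, not a reply) */
    FWD_ANSWER,      /* NOERROR with at least one answer RR: relay as-is */
    FWD_NODATA,      /* NOERROR, zero answers: the name exists, just not this RR type */
    FWD_NXDOMAIN,    /* rcode 3: relay as NXDOMAIN, never downgrade to NODATA */
    FWD_TRY_NEXT     /* SERVFAIL/REFUSED/FORMERR/NOTIMP or unknown: ask next forwarder */
};

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Read FLAGS and ANCOUNT from the header and decide how to treat the reply. */
enum fwd_verdict classify_forwarder_response(const uint8_t *pkt, size_t len)
{
    if (len < DNS_HDR_LEN) {
        return FWD_MALFORMED;
    }
    uint16_t flags = rd16(pkt + 2);
    if (!(flags & DNS_FLAG_QR)) {
        return FWD_MALFORMED;
    }
    uint16_t ancount = rd16(pkt + 6);
    uint16_t rcode = flags & DNS_RCODE_MASK;
    if (rcode == RC_NXDOMAIN) {
        return FWD_NXDOMAIN;          /* the check the report asks for */
    }
    if (rcode == RC_NOERROR) {
        return ancount > 0 ? FWD_ANSWER : FWD_NODATA;
    }
    return FWD_TRY_NEXT;              /* assumption: all other rcodes fall through */
}

/* rcode the client ends up seeing; -1 means "nothing relayed, try the next forwarder". */
int relayed_rcode(enum fwd_verdict v)
{
    switch (v) {
    case FWD_ANSWER:
    case FWD_NODATA:   return RC_NOERROR;
    case FWD_NXDOMAIN: return RC_NXDOMAIN;
    default:           return -1;
    }
}

/* Stub-resolver rule described in the report: walk the search list only on NXDOMAIN. */
int client_continues_search_list(int rcode, uint16_t ancount)
{
    (void)ancount;  /* NODATA (rcode 0, zero answers) means "name exists": stop here */
    return rcode == RC_NXDOMAIN;
}

/* Constructed headers (only the 12 header bytes) mirroring the report's replies. */
static const uint8_t HDR_UNBOUND_NXDOMAIN[DNS_HDR_LEN] =
    { 0x3B, 0xD2, 0x85, 0x83, 0, 1, 0, 0, 0, 0, 0, 1 }; /* id 15314; qr aa rd ra; rcode 3 */
static const uint8_t HDR_SAMBA_NODATA[DNS_HDR_LEN] =
    { 0x2B, 0xE4, 0x81, 0xA0, 0, 1, 0, 0, 0, 0, 0, 1 }; /* id 11236; qr rd ra ad; rcode 0 */
static const uint8_t HDR_SERVFAIL[DNS_HDR_LEN] =
    { 0x00, 0x01, 0x81, 0x82, 0, 1, 0, 0, 0, 0, 0, 0 }; /* constructed; qr rd ra; rcode 2 */

int main(void)
{
    static const char *name[] = { "MALFORMED", "ANSWER", "NODATA", "NXDOMAIN", "TRY_NEXT" };
    const uint8_t *samples[] = { HDR_UNBOUND_NXDOMAIN, HDR_SAMBA_NODATA, HDR_SERVFAIL };
    const char *labels[]     = { "upstream NXDOMAIN", "what Samba relayed", "upstream SERVFAIL" };

    for (int i = 0; i < 3; i++) {
        enum fwd_verdict v = classify_forwarder_response(samples[i], DNS_HDR_LEN);
        int rc = relayed_rcode(v);
        printf("%-20s -> %-9s client rcode %2d, continues search list: %s\n",
               labels[i], name[v], rc,
               rc < 0 ? "n/a" : (client_continues_search_list(rc, 0) ? "yes" : "no"));
    }
    return 0;
}
```

The second row is the bug as observed: the upstream reply classifies as NXDOMAIN, but the client receives rcode 0 with zero answers, so glibc and systemd-resolved treat the name as existing and stop iterating the search list.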
*** This bug has been marked as a duplicate of bug 12464 ***