Topic: DNS - Internal names stops resolving

plarsson

DNS - Internal names stops resolving
« on: January 30, 2020, 12:33:02 pm »
I'm using Zentyal as my DHCP and DNS server.
From time to time the DNS stops resolving addresses on my internal domain for a while.
So far I have not been able to figure out if there is an event that makes the domain start again; usually I just go to the Zentyal webpage by IP and log in, and at some point it seems to start working again.

I'm not sure where to start troubleshooting. Any ideas?

plarsson

Re: DNS - Internal names stops resolving
« Reply #1 on: January 31, 2020, 02:48:30 am »
Ran:
sudo systemctl status samba-ad-dc.service

and noticed:
Jan 30 20:23:32 dc-002 samba[29638]: [2020/01/30 20:23:32.292633,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
Jan 30 20:23:32 dc-002 samba[29638]:   /usr/sbin/samba_kcc: ldb_wrap open of secrets.ldb
Jan 30 20:28:32 dc-002 samba[29638]: [2020/01/30 20:28:32.415317,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
Jan 30 20:28:32 dc-002 samba[29638]:   /usr/sbin/samba_kcc: ldb_wrap open of secrets.ldb
Jan 30 20:33:32 dc-002 samba[29638]: [2020/01/30 20:33:32.474230,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
Jan 30 20:33:32 dc-002 samba[29638]:   /usr/sbin/samba_kcc: ldb_wrap open of secrets.ldb
Jan 30 20:38:32 dc-002 samba[29638]: [2020/01/30 20:38:32.520138,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
Jan 30 20:38:32 dc-002 samba[29638]:   /usr/sbin/samba_kcc: ldb_wrap open of secrets.ldb
Jan 30 20:43:32 dc-002 samba[29638]: [2020/01/30 20:43:32.626901,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
Jan 30 20:43:32 dc-002 samba[29638]:   /usr/sbin/samba_kcc: ldb_wrap open of secrets.ldb

Not sure if it's related or not?

azharoth71

Re: DNS - Internal names stops resolving
« Reply #2 on: February 01, 2020, 01:55:06 pm »
Me too :'(

doncamilo

Re: DNS - Internal names stops resolving
« Reply #3 on: February 03, 2020, 12:48:07 am »
 :)

The '/var/log/zentyal/zentyal.log' file is usually a good place to begin the debugging process.

Search 'zentyal.log' for errors and paste them here.

Cheers!
- Do my pigeons bother you passing over your land?
- They block the sun!

G. Guareschi., Don Camillo.,

tunsa

Re: DNS - Internal names stops resolving
« Reply #4 on: February 09, 2020, 08:18:50 am »
I have this problem too  :-\

plarsson

Re: DNS - Internal names stops resolving
« Reply #5 on: February 09, 2020, 02:12:09 pm »

I got into this state just now.
The log doesn't contain anything since yesterday morning (And at that time just information that I logged in to the web interface)
I was in this state at around 7:45am not sure when it started; and got out of it around 7:53(ish)- maybe a minute or so before that (Writing it here to help me if I need to look in log files later)

In samba service I still have:
Feb 09 07:37:09 dc-002 samba[2510]: [2020/02/09 07:37:09.630973,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
Feb 09 07:37:09 dc-002 samba[2510]:   /usr/sbin/samba_kcc: ldb_wrap open of secrets.ldb
Feb 09 07:42:09 dc-002 samba[2510]: [2020/02/09 07:42:09.723072,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
Feb 09 07:42:09 dc-002 samba[2510]:   /usr/sbin/samba_kcc: ldb_wrap open of secrets.ldb
Feb 09 07:47:09 dc-002 samba[2510]: [2020/02/09 07:47:09.774040,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
Feb 09 07:47:09 dc-002 samba[2510]:   /usr/sbin/samba_kcc: ldb_wrap open of secrets.ldb
Feb 09 07:52:09 dc-002 samba[2510]: [2020/02/09 07:52:09.949345,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
Feb 09 07:52:09 dc-002 samba[2510]:   /usr/sbin/samba_kcc: ldb_wrap open of secrets.ldb
Feb 09 07:57:10 dc-002 samba[2510]: [2020/02/09 07:57:10.002038,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
Feb 09 07:57:10 dc-002 samba[2510]:   /usr/sbin/samba_kcc: ldb_wrap open of secrets.ldb

I also looked for other log files; I didn't see anything of interest, but I'm not sure where to look (I think that Samba-AD-DC is what is handling the DNS? So that is why I looked at the samba service). The samba log file was really big; I couldn't tell if it was errors or not. If it would be of help I can paste part of it.

Thanks

doncamilo

Re: DNS - Internal names stops resolving
« Reply #6 on: February 12, 2020, 10:54:23 pm »
 :)

I can't reproduce this behavior.

Could you give us some details about your system? Is there some other domain controller? Do you have some other zone configured in your DNS server? If that's the case, does it crash too? Do you configure some other network external to Zentyal to use the Zentyal DNS server? Did you check the DNS server via the command line? See here: https://forum.zentyal.org/index.php/topic,34866.msg113324.html#msg113324

Cheers!

plarsson

Re: DNS - Internal names stops resolving
« Reply #7 on: March 04, 2020, 02:31:26 am »
Sorry for the late reply

Since I initially had this problem, I decided to re-install Zentyal on a new VM (I'm running it in Proxmox). After reinstall I still have the same issue.
I tried some of the commands on the link, but they gave me bad user/password:

Code:

samba-tool dns serverinfo localhost -U admindc%admindc
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:127.0.0.1[,sign]
Cannot do GSSAPI to an IP address
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for ncacn_ip_tcp:127.0.0.1[49152,sign,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=127.0.0.1] NT_STATUS_LOGON_FAILURE
ERROR: Connecting to DNS RPC server 127.0.0.1 failed with (-1073741715, 'The attempted logon is invalid. This is either due to a bad username or authentication information.')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 44, in dns_connect
    dns_conn = dnsserver.dnsserver(binding_str, lp, creds)

I'm not sure if I should replace the username in the command with something different, so I tried my own username and root and still got the same result.

There is only one domain controller on the network; the network is divided into multiple subnets. The original Zentyal server had 3 network cards (one for each server). In the current install I have not gotten around to configuring all 3 NICs, only the one I'm using; the other NICs are in Zentyal, but have no IP assigned to them.

In this setup Zentyal is the DHCP and DNS server; it's not the gateway for the system.
« Last Edit: March 05, 2020, 02:11:02 am by plarsson »

plarsson

Re: DNS - Internal names stops resolving
« Reply #8 on: March 12, 2020, 01:25:28 am »
I realized that my DHCP (on Zentyal) was configured to use Zentyal as primary DNS and 8.8.8.8 as secondary.
After removing 8.8.8.8 as secondary, things got worse.
Now it's not just internal sites that are not resolving; all sites stop resolving. After a few minutes it works again... and then stops again.

fjldurodie

Re: DNS - Internal names stops resolving
« Reply #9 on: March 15, 2020, 10:48:00 am »
I'm having the same issue for some time now ... (not sure when it started). I've been going over and over these settings but cannot find what is wrong (it used to work at some point).

My config is as follows (my apologies if it is a bit too long):

Zentyal 5.0 Development Edition
System
    General - Hostname and Domain
        Hostname    zentyal
        Domain      myname.mydomain.org

Network
    Interfaces
        eth0      DHCP         External (WAN)
        eth1      Static       192.168.122.1/23
        wlan0     not set      (I run on an old laptop) 
     
    DNS - Search Domain
        Domain                 myname.mydomain.org

    Objects
       fixed_addresses        (members set manually)
       LAN                    Name            192.168.122.0-123.255
                              IP address      192.168.122.0-192.168.122.123.255
                              MAC address     --
       openVPN-eth1-192.168.122.0-23          <-- readonly
       openVPN-wlan0-192.168.0.0-24           <-- readonly ? used to be the wlan0

Domain
    [ modules Domain Controller and File Sharing not enabled ]
    Settings
        Server Role              Domain Controller
        Realm                    myname.mydomain.org
        NetBIOS domain name      myname
        NetBIOS computer name    (fixed to) zentyal
        Server Description       Zentyal Server
        Enable Roaming Profiles  unchecked
        Drive letter             H:

File Sharing
    [ modules Domain Controller and File Sharing not enabled ]

    Enabled | Share  | Share | Comment | Guest     | Access control
            | name   | path  |         | access    |
    --------+--------+-------+---------+-----------+-------------------------------------
    checked | aname1 | path1 | Comment | unchecked | Group: Domain Users - Read Only
            |        |       |         |           | User: Me            - Administrator
    --------+--------+-------+---------+-----------+-------------------------------------
    checked | aname2 | path2 | Comment | unchecked | Group: Domain Users - Read Only
            |        |       |         |           |
    --------+--------+-------+---------+-----------+-------------------------------------

DNS
    Settings   - Enable transparent DNS cache checked
    Forwarders - none set
    Domains *

    domain              | Domain IP     | Hostnames | Name Servers  | TXT records | Services | Dynamic
                        | Addresses     |           |               |             |
    --------------------+---------------+-----------+---------------+-------------+----------+---------
    myname.mydomain.org | 192.168.122.1 | manually  |Hostname       | kerberos related and   |
                        |               | set **    | [This domain] | set by Zentyal         | yes
                        |               |           | [zentyal] *** |                        |
    --------------------+---------------+-----------+---------------+-------------+----------+---------
   
    *   no Mail Exchange Servers
    **  e.g. zentyal 192.168.122.1
             other   192.168.122.132
    *** from list of manually set hostnames

DHCP
    Interfaces
        Enabled        checked
        Interface      eth1
        Configuration 
            [Tab] Common Options
                Default gateway       Zentyal
                Search domain         Zentyal domain - myname.mydomain.org
                Primary nameserver    local Zentyal DNS
                Secondary nameserver  not set
                NTP server            local Zentyal NTP
                WINS server           local Zentyal
            [Tab] Dynamic DNS Options
                Enabled           checked
                Dynamic Domain    myname.mydomain.org
                Static domain     same as Dynamic Domain

            [Tab] Advanced options
                Lease times
                    Default leased time     1800 s
                    Maximum leased time     7200 s

            DHCP ranges (not set-able)
                Interface IP address   192.168.122.1
                Subnet                 192.168.122.0/23
                Available range        192.168.122.1 - 192.168.123.254

            Ranges
                Name    From             To   
                DHCP    192.168.122.16   192.168.122.127

            Fixed addresses
                Object                 Description
                fixed_addresses        fixed addresses Network objects

When I make a change, I save and either reboot or restart the DNS DHCP services from the Dashboard. For the client (other) I renew the dhcp lease before testing (but all to no avail).

I also have an external dynamic DNS service that points to my external IP address, so from a host outside my local network:

Code:
[me@somewhere_else ~]$ dig myname.mydomain.org

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> myname.mydomain.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33578
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;myname.mydomain.org. IN A

;; ANSWER SECTION:
myname.mydomain.org. 17 IN A xxx.yyy.zzz.www [obfuscated]

;; Query time: 0 msec
;; SERVER: 172.16.150.1#53(172.16.150.1)
;; WHEN: Sat Mar 14 15:45:39 CET 2020
;; MSG SIZE  rcvd: 62

Inside my local network dhcpd set /etc/resolv.conf:

Code:
[me@other~]$ cat /etc/resolv.conf
# Generated by NetworkManager
search myname.mydomain.org
nameserver 192.168.122.1

When asking for just the zentyal:

Code:
[me@other ~]$ dig zentyal

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> zentyal
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4632
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;zentyal. IN A

;; AUTHORITY SECTION:
. 10800 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2020031400 1800 900 604800 86400

;; Query time: 197 msec
;; SERVER: 192.168.122.1#53(192.168.122.1)
;; WHEN: Sat Mar 14 15:38:18 CET 2020
;; MSG SIZE  rcvd: 111

or when using the FQDN for zentyal:

Code:
[me@other ~]$ dig zentyal.myname.mydomain.org

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> zentyal.durodie.no-ip.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36324
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;zentyal.durodie.no-ip.org. IN A

;; Query time: 1 msec
;; SERVER: 192.168.122.1#53(192.168.122.1)
;; WHEN: Sat Mar 14 15:42:45 CET 2020
;; MSG SIZE  rcvd: 54


So no answer; external addresses work:

Code:
[me@other ~]$ dig google.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26730
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com. IN A

;; ANSWER SECTION:
google.com. 300 IN A 172.217.17.142

;; AUTHORITY SECTION:
google.com. 172525 IN NS ns4.google.com.
google.com. 172525 IN NS ns2.google.com.
google.com. 172525 IN NS ns1.google.com.
google.com. 172525 IN NS ns3.google.com.

;; ADDITIONAL SECTION:
ns1.google.com. 172502 IN A 216.239.32.10
ns1.google.com. 172502 IN AAAA 2001:4860:4802:32::a
ns2.google.com. 172502 IN A 216.239.34.10
ns2.google.com. 172502 IN AAAA 2001:4860:4802:34::a
ns3.google.com. 172502 IN A 216.239.36.10
ns3.google.com. 172502 IN AAAA 2001:4860:4802:36::a
ns4.google.com. 172502 IN A 216.239.38.10
ns4.google.com. 172502 IN AAAA 2001:4860:4802:38::a

;; Query time: 22 msec
;; SERVER: 192.168.122.1#53(192.168.122.1)
;; WHEN: Sat Mar 14 15:40:35 CET 2020
;; MSG SIZE  rcvd: 303

There is also something else that is really mysterious:

When I am connected with openvpn to somewhere_else (see above) I got the correct answer from somewhere_else's (local) DNS server 172.16.150.1. BUT when I ask for

[me@other:~]$ dig @8.8.8.8 myname.mydomain.org

I do not get an answer. However when I do exactly the same somewhere_else I get the correct answer ...

I would appreciate if someone could explain this and point me in the correct direction.

Thanks.
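
A small triage helper for the dig transcripts in the post above, added here as an example and not part of any poster's message. The transcripts are trimmed, constructed copies that use the thread's placeholder zone, and `parse_dig` and `triage` are hypothetical names; the first rule relies on dig not applying the resolv.conf search list unless `+search` is given.

```python
import re

STATUS = re.compile(r"status: (\w+), id: \d+")
COUNTS = re.compile(r"QUERY: \d+, ANSWER: (\d+), AUTHORITY: (\d+)")
QUESTION = re.compile(r"^;(\S+)\s+IN\s+(\S+)\s*$", re.M)
SOA = re.compile(r"^(\S+)\s+\d+\s+IN\s+SOA\s", re.M)
SERVER = re.compile(r"^;; SERVER: ([^#\s]+)#\d+", re.M)

def parse_dig(text):
    """Pull the fields needed for triage out of one dig transcript."""
    status, counts, question = (rx.search(text) for rx in (STATUS, COUNTS, QUESTION))
    if not (status and counts and question):
        raise ValueError("not a complete dig answer")
    soa, server = SOA.search(text), SERVER.search(text)
    return {
        "name": question.group(1),
        "status": status.group(1),
        "answers": int(counts.group(1)),
        "soa_owner": soa.group(1) if soa else None,
        "server": server.group(1) if server else None,
    }

def triage(result, local_zone):
    """Map a parsed answer to a short verdict for the zone the server hosts."""
    name = result["name"].rstrip(".")
    in_zone = name == local_zone or name.endswith("." + local_zone)
    if result["status"] == "NOERROR":
        return "resolved" if result["answers"] else "nodata"
    # A single-label query answered with the root SOA went out as a TLD
    # lookup: the search domain was never appended to it.
    if result["status"] == "NXDOMAIN" and "." not in name and result["soa_owner"] == ".":
        return "search-list-not-applied"
    # SERVFAIL for a name inside the zone the server should host points at
    # the server's own zone data, not at the client or the forwarders.
    if result["status"] == "SERVFAIL" and in_zone:
        return "local-zone-failing"
    return result["status"].lower()

ZONE = "myname.mydomain.org"  # placeholder zone name used in the thread

# Constructed, trimmed transcripts modelled on the ones posted above.
BARE = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4632
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;zentyal. IN A
;; AUTHORITY SECTION:
. 10800 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2020031400 1800 900 604800 86400
;; SERVER: 192.168.122.1#53(192.168.122.1)
"""
FQDN = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36324
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;zentyal.myname.mydomain.org. IN A
;; SERVER: 192.168.122.1#53(192.168.122.1)
"""
EXTERNAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26730
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 9
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 300 IN A 172.217.17.142
;; SERVER: 192.168.122.1#53(192.168.122.1)
"""

if __name__ == "__main__":
    for label, text in (("bare", BARE), ("fqdn", FQDN), ("external", EXTERNAL)):
        parsed = parse_dig(text)
        print(label, parsed["server"], parsed["status"], triage(parsed, ZONE))
```
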

doncamilo

Re: DNS - Internal names stops resolving
« Reply #10 on: March 25, 2020, 04:26:08 pm »
 :)

'admindc%admindc' are my own administration account and password. You have to create an administrative account on Webadmin and use it with the commands.

Cheers!

doncamilo

Re: DNS - Internal names stops resolving
« Reply #11 on: March 25, 2020, 04:41:35 pm »

 :)

Samba KDC is an application related to the replication between domain controllers. Do you have some additional domain controller?

Cheers!