
I have a server whose DNS setting points to a Linux DNS server (.157), and I need to join this server to an AD domain hosted by Microsoft AD. I need to forward the SRV queries for LDAP from the Linux DNS server to another DNS server (the Microsoft DNS, .149). The AD domain is corp.dom. I have this configuration on my Linux DNS server:

  options {
    // NOTE(review): listen-on is commented out, so named listens on every IPv4 address it finds.
    #listen-on port 53 { 172.23.133.157; 127.0.0.1; };
    listen-on-v6 port 53 { none; };
    // allow-query { any; } together with allow-recursion { any; } and "recursion yes" make this
    // an open recursive resolver for every client that can reach port 53; limit recursion to
    // the internal networks that actually need it.
    allow-query { any; };
    allow-recursion { any; };
    directory       "/var/named";
    dump-file       "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    recursion yes;
    dnssec-enable yes;
    // Validation also applies to answers received from the corp.dom forwarder; an unsigned
    // internal domain may then fail with SERVFAIL — compare "dig +cd" with a normal query.
    dnssec-validation yes;
    // dnssec-lookaside and bindkeys-file configure ISC DLV, which has been retired; these two
    // lines can be dropped — confirm against the BIND version in use (9.9.4 in the dig output).
    dnssec-lookaside auto;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";

    // Hides the real BIND version from version.bind CHAOS queries.
    version "REFUSED";
};

// Forward zone: every query under corp.dom is handed to the AD DNS server instead of being
// resolved from the root. Forwarding is itself a recursive lookup, so it only works for
// clients that are allowed recursion on this server.
zone "corp.dom" {
      type forward;
      // "forward only": never fall back to iterative resolution if .149 does not answer.
      forward only;
      forwarders {172.23.133.149; };  //this is the Microsoft DNS where corp.dom resides
 };

I captured this output:

 [root@predns named]# dig srv _ldap._tcp.dc._msdcs.corp.dom

 ; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7_1.1 <<>> srv _ldap._tcp.dc._msdcs.corp.dom
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17251
 ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 1
 ;; WARNING: recursion requested but not available

 ;; OPT PSEUDOSECTION:
 ; EDNS: version: 0, flags:; udp: 4096
 ;; QUESTION SECTION:
 ;_ldap._tcp.dc._msdcs.corp.dom. IN      SRV

 ;; AUTHORITY SECTION:
 .                       518400  IN      NS      m.root-servers.net.
 .                       518400  IN      NS      e.root-servers.net.
 .                       518400  IN      NS      a.root-servers.net.
 .                       518400  IN      NS      f.root-servers.net.
 .                       518400  IN      NS      k.root-servers.net.
 .                       518400  IN      NS      g.root-servers.net.
 .                       518400  IN      NS      b.root-servers.net.
 .                       518400  IN      NS      c.root-servers.net.
 .                       518400  IN      NS      i.root-servers.net.
 .                       518400  IN      NS      d.root-servers.net.
 .                       518400  IN      NS      l.root-servers.net.
 .                       518400  IN      NS      h.root-servers.net.
 .                       518400  IN      NS      j.root-servers.net.

 ;; Query time: 0 msec
 ;; SERVER: 172.23.133.157#53(172.23.133.157)
 ;; WHEN: mar giu 19 16:55:52 CEST 2018
 ;; MSG SIZE  rcvd: 269

Any help would be great!


Full configuration of the Linux DNS server (I omitted the type master zones because they work and are not related to corp.dom):

// "ihd": loopback plus the two internal /28s (both .149 and .157 fall in 172.23.133.144/28);
// used below to select the internal view.
acl "ihd" { 127.0.0.1/32; 172.23.133.128/28; 172.23.133.144/28; };
// The rndc key lives outside named.conf; the control channel is restricted to loopback
// and requires that key.
include "/etc/rndc.key";
controls {
     inet 127.0.0.1 allow { 127.0.0.1; } keys { "rndc-key"; };
};

options {
    // NOTE(review): listen-on is commented out, so named listens on every IPv4 address it finds.
    #listen-on port 53 { 172.23.133.157; 127.0.0.1; };
    listen-on-v6 port 53 { none; };
    // Global forwarders apply to every name without zone-specific forwarding, not only to
    // corp.dom: once recursion is enabled, every recursive lookup goes to .149 first. If .149
    // is meant to answer for corp.dom only, this line is unnecessary — the zone-level
    // forwarders in the internal view already cover it. Confirm which behaviour is wanted.
    forwarders { 172.23.133.149; };
    // Overridden per view below ("ihd" for internal, any for external).
    allow-query { any; };
    directory       "/var/named";
    dump-file       "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    // Both views below override this with "recursion no".
    recursion yes;
    dnssec-enable yes;
    // Validation also applies to answers received from the corp.dom forwarder; an unsigned
    // internal domain may then fail with SERVFAIL — compare "dig +cd" with a normal query.
    dnssec-validation yes;
    // dnssec-lookaside and bindkeys-file configure ISC DLV, which has been retired; these two
    // lines can be dropped — confirm against the BIND version in use (9.9.4 in the dig output).
    dnssec-lookaside auto;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    // Disables the built-in empty zones (RFC 1918 reverse etc.), so those lookups are no
    // longer answered locally with NXDOMAIN.
    empty-zones-enable no;
    // Hides the real BIND version from version.bind CHAOS queries.
    version "REFUSED";
};

// Internal view: only clients matching the "ihd" acl land here.
view "internal" {
 match-clients { ihd; };
 allow-query { ihd; };
 # allow-recursion { ihd; };
 // NOTE(review): "recursion no" is why the corp.dom forward zone below never answers —
 // forwarding requires recursion, so internal clients only get a referral to the root
 // servers ("recursion requested but not available" in the dig output). Set "recursion yes"
 // here and re-enable the allow-recursion { ihd; } line above so that only internal
 // clients can recurse through this server.
 recursion no;


 zone "." IN {
      type hint;
      file "named.ca";
 };

 // Trust-anchor file read by dnssec-validation — presumably the root key; verify it is current.
 include "/etc/named.root.key";
 include "/etc/named.rfc1912.zones";

 zone "133.23.172.in-addr.arpa" IN {
      type master;
      file "172.23.133.zone";
      // Zone transfers are allowed only from this server's own address (.157, the SERVER in
      // the dig output); no other host can pull the zone — confirm that is intended.
      allow-transfer { 172.23.133.157; };
 };
 zone "corp.dom" {
      type forward;
      forward only;
      forwarders {172.23.133.149; };
      // Commented-out master-zone settings; they have no effect on a forward zone.
      /*file "corp.dom.zone";
      allow-transfer { 172.23.133.157; };*/
 };

 // NOTE(review): view "external" opens before view "internal" is closed. BIND does not allow
 // nested views and named-checkconf will reject the file as posted, so a "};" is most likely
 // missing right before this line (possibly lost when pasting) — confirm.
 view "external" {
 match-clients { any; };
 allow-query { any; };
 // Public-facing view: authoritative only, no recursion, so outside clients cannot use
 // this server as an open resolver.
 recursion no;

 zone "." IN {
    type hint;
    file "named.ca";
 };

 include "/etc/named.rfc1912.zones";


 };


You have set recursion no; for the queries that match the internal "ihd" ACL.
All DNS forwarding queries are recursive queries, so you need to set recursion yes; at least for the "internal" view.

DNSSEC can also break communication for recursive queries. To make sure DNSSEC isn't causing the issue, run dig with the +cd and +dnssec options:

# +cd sets the "checking disabled" bit: the server returns the answer without DNSSEC validation.
dig srv _ldap._tcp.dc._msdcs.corp.dom @linux_dns_server_ip +cd
# +dnssec requests the DNSSEC records (DO bit) while validation runs as usual.
dig srv _ldap._tcp.dc._msdcs.corp.dom @linux_dns_server_ip +dnssec

If you get an answer with the +cd option but not with +dnssec, then you need to disable DNSSEC validation with dnssec-validation no;


The configuration is OK, but is your BIND DNS server (Linux) able to communicate with the Microsoft AD DNS server? You can test it by running a dig command on the Linux DNS server:

# Query the AD DNS directly from the Linux DNS server, bypassing BIND, to separate a
# connectivity problem from a BIND configuration problem.
dig srv _ldap._tcp.dc._msdcs.corp.dom @ip_of_AD_DNS

Only if that output is correct should you then check the configuration on the Linux DNS server.

  • It works, so the Microsoft DNS works... I'm going to post the full configuration of my Linux DNS server for further help – Marco_81 Jun 19 '18 at 15:25