Samba Internal DNS Back End

From SambaWiki


The internal DNS server is built into Samba and uses the AD database as its back end. It is also the default DNS solution when provisioning a new Samba AD DC or upgrading from a Samba NT4 domain to Samba AD.

An alternative backend is BIND_DLZ.


If you have chosen the internal DNS as the back end for your environment, there are currently only two options that can be added to your smb.conf to control the behaviour of DNS:

# Don't allow any updates | allow unsigned updates | only allow signed updates
allow dns updates = False | nonsecure | signed

# If recursive queries = yes is set, the following is also needed
dns forwarder = <ip addr of external dns server>
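Of the two options, allow dns updates is the security-relevant one: nonsecure lets any host that can reach the DC's port 53 add or overwrite records in the AD zone, while signed restricts updates to clients that authenticate with GSS-TSIG. The checker below is an added example, not code from this wiki or from the Samba project. It parses the [global] section of an smb.conf fragment with the same key normalisation Samba uses (keys are case-insensitive and ignore embedded whitespace) and reports on both options. The three values quoted on this page are accepted as written; the spellings disabled, nonsecure and secure, and secure only from current smb.conf(5) are treated as their equivalents, which is an assumption made by the example. The two configuration fragments are constructed for the demonstration.

```python
import ipaddress
import re

# Constructed sample smb.conf fragments (not taken from the wiki page).
# The first carries the weak setting, the second the hardened one.
WEAK_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LAN
    server role = active directory domain controller
    allow dns updates = nonsecure
    dns forwarder = 192.0.2.53
"""

HARDENED_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LAN
    server role = active directory domain controller
    allow dns updates = signed
    dns forwarder = 192.0.2.53
"""


def parse_global(conf_text):
    """Return the [global] section as a dict.

    smb.conf keys are case-insensitive and ignore embedded whitespace, so
    'Allow DNS Updates' and 'allowdnsupdates' normalise to the same key.
    """
    params = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params


# Values for 'allow dns updates': the three spellings quoted on this page
# plus the names used by current smb.conf(5), assumed equivalent here.
DISABLED = {"false", "no", "disabled"}
UNSIGNED_OK = {"nonsecure", "nonsecure and secure"}
SIGNED_ONLY = {"signed", "secure only", "secure"}


def audit_dns_settings(conf_text):
    """Return a list of (severity, message) findings for the internal DNS
    options. Severities used: 'high', 'info', 'ok'."""
    g = parse_global(conf_text)
    findings = []

    updates = g.get("allowdnsupdates")
    if updates is None:
        findings.append(("info", "allow dns updates is not set; Samba's compiled-in default applies"))
    elif updates.lower() in UNSIGNED_OK:
        findings.append(("high", "allow dns updates permits unsigned updates: any host that can "
                                 "reach port 53 may add or overwrite records in the AD zone"))
    elif updates.lower() in DISABLED:
        findings.append(("info", "dynamic DNS updates are disabled; clients cannot register "
                                 "their own records"))
    elif updates.lower() in SIGNED_ONLY:
        findings.append(("ok", "only GSS-TSIG signed dynamic updates are accepted"))
    else:
        findings.append(("info", f"allow dns updates has an unrecognised value {updates!r}"))

    forwarder = g.get("dnsforwarder")
    if forwarder is None:
        findings.append(("info", "no dns forwarder set: the internal server cannot resolve "
                                 "names outside its own zones"))
    else:
        # The page documents a single IP address; split anyway so a list is handled.
        for addr in forwarder.split():
            try:
                ipaddress.ip_address(addr)
            except ValueError:
                findings.append(("high", f"dns forwarder {addr!r} is not an IP address"))
    return findings


def has_weak_updates(conf_text):
    """True when the fragment allows unsigned dynamic updates."""
    return any(sev == "high" and "unsigned" in msg
               for sev, msg in audit_dns_settings(conf_text))


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for sev, msg in audit_dns_settings(conf):
            print(f"  [{sev}] {msg}")
```

Run against a real smb.conf by reading the file into a string and passing it to audit_dns_settings; a "high" finding on allow dns updates means the DC will accept record changes from unauthenticated clients.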

Limitations / Known issues

  • The internal server is not a caching resolver.
  • The internal server by default only comes with a working forward zone; if you need a reverse zone, see instructions here.
  • The samba_dnsupdate command produces warnings when used with signed updates. We're currently investigating a fix for the warnings, but the updates actually succeed. Client systems like samba3 or Win7 work fine.
  • Currently, recursive queries are not possible without using a forwarder.
  • Negative replies do not come with an authority record (not required by the RFCs, but Windows seems to like it).
  • Shared-key TSIG is not implemented.
  • Stub zones are not implemented.
  • Zone transfers (AXFR) are not allowed from the internal Samba DNS.


Run during make test

TDB_NO_FSYNC=1 make test TESTS=samba.tests.dns

Run against external servers (Windows or BIND)

SERVER_IP=<dns server ip> SERVER=<dns server name> REALM=<dns server domain name part> PYTHONPATH=`pwd`/bin/python ./source4/scripting/bin/subunitrun samba.tests.dns