Temporarily no name resolution using second/virtual ip address

Hi everybody,


For the name resolution in my network I use bind-9.16.6 based on openSUSE Leap 15.2. On that server I have two IP addresses configured: one for the server itself, e.g. 192.168.3.150, and a second one for the DNS, e.g. 192.168.3.200.

If I send DNS queries to the IP 192.168.3.150, all queries are answered. Sending queries to the IP 192.168.3.200, some of them get answered, but most of them do not. The DNS client, like nslookup or dig, runs into timeouts.

I have increased my debug level and what I see is the following:

17-Mar-2021 22:44:06.079 client: debug 3: client @0x7f063000b180 127.0.0.1#55255: UDP request
17-Mar-2021 22:44:06.079 client: debug 5: client @0x7f063000b180 127.0.0.1#55255: using view '_default'
17-Mar-2021 22:44:06.079 security: debug 3: client @0x7f063000b180 127.0.0.1#55255: request is not signed
17-Mar-2021 22:44:06.079 security: debug 3: client @0x7f063000b180 127.0.0.1#55255: recursion available
17-Mar-2021 22:44:06.079 security: debug 3: client @0x7f063000b180 127.0.0.1#55255 (my.host.domain.de): query 'my.host.domain.de/A/IN' approved
17-Mar-2021 22:44:06.079 security: debug 3: client @0x7f0630007440 127.0.0.1#35797 (my.host.domain.de): reset client
17-Mar-2021 22:44:06.079 security: debug 3: client @0x7f063000b180 127.0.0.1#55255 (my.host.domain.de): reset client


My BIND config and examples are attached below.

/etc/named.conf

options {
        directory "/var/lib/named";
        managed-keys-directory "/var/lib/named/dyn/";
        dump-file "/var/log/named_dump.db";
        statistics-file "/var/log/named.stats";
        forwarders { xxx.xxx.xxx.xxx; };
        listen-on port 53 { 127.0.0.1; 192.168.3.150; 192.168.3.200; };
        listen-on-v6 { none; };
        query-source address 192.168.3.200 port *;
        transfer-source 192.168.3.200 port 53;
        allow-query { 127.0.0.1; 192.168.0.0/24; 192.168.1.0/24; 192.168.2.0/24; 192.168.3.0/24; 192.168.4.0/24; };
        notify no;
        disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
        allow-transfer { localhost; 192.168.0.170; };
        recursion yes;
};
logging {
        channel default_file {
                file "/var/log/named.log" size 10m;
                severity dynamic;
                print-time yes;
                print-severity yes;
                print-category yes;
        };
        category default { default_file; };
};
zone "." in { type hint; file "root.hint"; };
zone "localhost" in { type master; file "localhost.zone"; };
zone "0.0.127.in-addr.arpa" in { type master; file "127.0.0.zone"; };
include "/etc/bind/zones.conf";


It makes no difference which subnet the queries come from. For testing I used a server in the same subnet as my DNS, so there is no firewall or NAT in between.
I also captured the network traffic of the DNS server and client. All I can see is that the server receives the query from the client, but no response is sent from the server.
When I run dig with the +tcp option, all of the queries are answered.


Any idea why named resets the client?

Thanks and regards,
Jonathan




_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
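A small probe, added here as an example (not code from the post), that sends the same A query to one listener address first over UDP and then over TCP, which is the comparison Jonathan made by hand with dig and dig +tcp. The server addresses and the name my.host.domain.de are taken from the post as placeholders; a result of None for one transport but not the other reproduces the symptom described.

```python
import socket
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Minimal DNS query: header with RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_response(data, txid):
    """Return (rcode, answer_count), or None if data is not a reply to txid."""
    if len(data) < 12:
        return None
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:  # QR bit must be set on a reply
        return None
    return flags & 0x000F, an

def _recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket (recv may return short reads)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed early")
        buf += chunk
    return buf

def probe(server_ip, name, timeout=2.0):
    """Send the same query over UDP and TCP; None means timeout or no usable reply."""
    txid, q, results = 0x1234, build_query(name), {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(q, (server_ip, 53))
            results["udp"] = parse_response(s.recvfrom(4096)[0], txid)
        except OSError:  # socket.timeout is a subclass of OSError
            results["udp"] = None
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((server_ip, 53))
            s.sendall(struct.pack("!H", len(q)) + q)  # DNS over TCP is length-prefixed
            length = struct.unpack("!H", _recv_exact(s, 2))[0]
            results["tcp"] = parse_response(_recv_exact(s, length), txid)
        except OSError:
            results["tcp"] = None
    return results
```

Run probe("192.168.3.150", "my.host.domain.de") and probe("192.168.3.200", "my.host.domain.de") from the test client and compare the two dictionaries.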

Re: Temporarily no name resolution using second/virtual ip address

Tony Finch
Jonathan via bind-users <[hidden email]> wrote:

> It makes no difference from which subnet the queries come from. For
> testing I used a server in the same subnet like my DNS is, so there is
> no firewall or NAT in between. I also captured the network traffic of
> the DNS-Server and -Client. All I can see is, that the server receives
> the query from the client, but no response is sent from the server. When
> I run dig with the +tcp option, all of the queries will be answered.

Do you have a firewall configured on the server itself? If so does it have
the correct idea about which ports and addresses BIND is listening on?

The other possibility is reverse path filtering - Linux tries to ensure
that packets don't traverse an interface with unexpected addresses. I had
to turn it off on my recursive servers because they have interfaces on two
different VLANs. Dunno if it could cause problems with just one subnet in
play.

set sysctl net.ipv4.conf.XXX.rp_filter=2 where XXX is all, default, and
whatever your ethernet interface is named.

Tony.
--
f.anthony.n.finch  <[hidden email]>  https://dotat.at/
North Utsire, South Utsire: Southwesterly 5, backing southerly 6 or 7,
occasionally gale 8 in North Utsire. Moderate or rough. Showers. Moderate
or good.
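To check the setting Tony describes, an added example (not his code) that reads rp_filter for all, default and a named interface and works out the value the kernel actually applies on that interface, which is the larger of the all and per-interface values; a 1 on either side with 0 on the other still leaves strict mode in force. The /proc path is the standard one; treating a missing file as 0 is an assumption.

```python
from pathlib import Path

# Kernel rp_filter values (Documentation/networking/ip-sysctl): 0 off, 1 strict, 2 loose.
RP_MODES = {0: "off", 1: "strict", 2: "loose"}

def read_rp_filter(iface, root="/proc/sys/net/ipv4/conf"):
    """Raw rp_filter values for 'all', 'default' and iface; None where the file is absent."""
    values = {}
    for name in ("all", "default", iface):
        f = Path(root) / name / "rp_filter"
        values[name] = int(f.read_text()) if f.is_file() else None
    return values

def effective_mode(values, iface):
    """The kernel validates a packet arriving on iface with max(all, iface).
    A missing entry is treated as 0 here (assumption for hosts without the file)."""
    level = max(values.get("all") or 0, values.get(iface) or 0)
    return RP_MODES.get(level, "unknown")

def strict_on(values, iface):
    """True when strict source validation is in force on iface."""
    return effective_mode(values, iface) == "strict"
```

strict_on(read_rp_filter("eth0"), "eth0") on the server tells you whether the sysctl change Tony suggests is still needed for that interface.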
