First Last Prev Next    This bug is not in your last search results.
Bug 50107 - UCS as DNS server does not consistently resolve to the correct IP when on multiple networks/VLANs
UCS as DNS server does not consistently resolve to the correct IP when on mul...
Status: NEW
Product: UCS
Classification: Unclassified
Component: DNS
UCS 4.4
amd64 Linux
: P5 normal (vote)
: ---
Assigned To: UCS maintainers
UCS maintainers
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-09-05 10:57 CEST by Troy Williams
Modified: 2019-09-05 13:29 CEST (History)
1 user (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.091
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
Configuration screenshots (926.06 KB, application/zip)
2019-09-05 10:57 CEST, Troy Williams 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Troy Williams 2019-09-05 10:57:43 CEST 
Created attachment 10172 [details]
Configuration screenshots

Summary:

When a UCS DNS server is on multiple networks/VLANs, a workstation that queries the UCS server's FQDN will not be consistently resolved to the correct IP address respective to its VLAN.


Scenario and Environment:

1 - I have a UCS 4.4 server acting as an AD domain controller and DNS server for our networks. It is to be known on all of our networks by the FQDN of uni1.bz.bangzoomstudios.net.

2 - The UCS server configured on one physical network plus four VLANs, as follows:
- 10.1.1.10 /16 [physical network]
- 10.2.1.10 /16 [VLAN02]
- 10.5.1.10 /16 [VLAN05]
- 10.10.1.10 /16 [VLAN10]
- 10.0.1.10 /16 [VLAN1000]
[See "NetworkSettings.png]

3 - I have added DNS Reverse Lookup records accordingly, which point those respective IP addresses to uni1.bz.bangzoomstudios.net.


Problem:

Any workstation on any VLAN should be able to "ping uni1.bz.bangzoomstudios.net" and be resolved to the appropriate IP address (e.g. 10.2.1.10 for VLAN02, 10.5.1.10 for VLAN05, etc). That is not happening. 

Instead, a run of "ping uni1.bz.bangzoomstudios.net" from a workstation will resolve randomly to any one of the UCS server's five IP addresses, regardless of VLAN.

In other words (and for example), a workstation on VLAN02 that runs "ping uni1.bz.bangzoomstudios.net" will only have a one-in-five chance of being correctly directed to 10.2.1.10, and a four-in-five chance of being incorrectly directed to one of the other IP addresses (10.1.1.10, 10.5.1.10, etc) instead, which naturally would be unreachable to that workstation.


Screenshots attached.
Comment 1 Philipp Hahn univentionstaff 2019-09-05 13:29:53 CEST 
Basically BIND cannot know, which IP addresses are routeable for your clients and which are not. With IPv6 you already absolutely must iterate over all returned IPv6 addresses until you find the one working for you; see <man:getaddrinfo(3)>. For IPv4 client programs should do the same.

You could also use "sortlist" in "/etc/resolv.conf" on your clients, but UCS does not have an UCR variable for that yet. So either modify the template or risk your changes being overwritten each time the file is re-generated.

With BIND you can also give <https://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_08.htm> a try, for which you again must manually modify the files "/etc/bind/named.conf{,.proxy,.samba4}" (depending on your chosen backend) and/or its template files, as (again) there is not generic way to add additional "options".

Or you can manually create "views" <https://kb.isc.org/docs/aa-00851> for multiple clients, but that is not supported with UCS, too.
First Last Prev Next    This bug is not in your last search results.