Univention Bugzilla – Bug 50107
UCS as DNS server does not consistently resolve to the correct IP when on multiple networks/VLANs
Last modified: 2019-09-05 13:29:53 CEST
Created attachment 10172 [details] Configuration screenshots Summary: When a UCS DNS server is on multiple networks/VLANs, a workstation that queries the UCS server's FQDN will not be consistently resolved to the correct IP address respective to its VLAN. Scenario and Environment: 1 - I have a UCS 4.4 server acting as an AD domain controller and DNS server for our networks. It is to be known on all of our networks by the FQDN of uni1.bz.bangzoomstudios.net. 2 - The UCS server configured on one physical network plus four VLANs, as follows: - 10.1.1.10 /16 [physical network] - 10.2.1.10 /16 [VLAN02] - 10.5.1.10 /16 [VLAN05] - 10.10.1.10 /16 [VLAN10] - 10.0.1.10 /16 [VLAN1000] [See "NetworkSettings.png] 3 - I have added DNS Reverse Lookup records accordingly, which point those respective IP addresses to uni1.bz.bangzoomstudios.net. Problem: Any workstation on any VLAN should be able to "ping uni1.bz.bangzoomstudios.net" and be resolved to the appropriate IP address (e.g. 10.2.1.10 for VLAN02, 10.5.1.10 for VLAN05, etc). That is not happening. Instead, a run of "ping uni1.bz.bangzoomstudios.net" from a workstation will resolve randomly to any one of the UCS server's five IP addresses, regardless of VLAN. In other words (and for example), a workstation on VLAN02 that runs "ping uni1.bz.bangzoomstudios.net" will only have a one-in-five chance of being correctly directed to 10.2.1.10, and a four-in-five chance of being incorrectly directed to one of the other IP addresses (10.1.1.10, 10.5.1.10, etc) instead, which naturally would be unreachable to that workstation. Screenshots attached.
Basically BIND cannot know, which IP addresses are routeable for your clients and which are not. With IPv6 you already absolutely must iterate over all returned IPv6 addresses until you find the one working for you; see <man:getaddrinfo(3)>. For IPv4 client programs should do the same. You could also use "sortlist" in "/etc/resolv.conf" on your clients, but UCS does not have an UCR variable for that yet. So either modify the template or risk your changes being overwritten each time the file is re-generated. With BIND you can also give <https://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_08.htm> a try, for which you again must manually modify the files "/etc/bind/named.conf{,.proxy,.samba4}" (depending on your chosen backend) and/or its template files, as (again) there is not generic way to add additional "options". Or you can manually create "views" <https://kb.isc.org/docs/aa-00851> for multiple clients, but that is not supported with UCS, too.