dns name in alias resolution issues

Started by fireelch, January 15, 2024, 03:35:39 PM

January 15, 2024, 03:35:39 PM Last Edit: January 15, 2024, 04:05:33 PM by fireelch
I do have a DNS issue.
The name is resolved fine (Interfaces: Diagnostics: DNS Lookup): A and AAAA records are returned, with a CNAME in between.
But the ping (Interfaces: Diagnostics: Ping) returns "cannot resolve artifactory.<removed>.com: No address associated with name".

As a result the host alias is not resolved correctly and the firewall blocks the traffic.

BTW, this is only valid for a few addresses, not all.

In the firewall:
x.mycomp.com ... is ok
y.mycomp.com ... is not ok

The host behind the firewall can resolve BOTH addresses and starts pinging. Both FW and host are using the same DNS.

A few more test results from the command line:

root@OPNsense:/usr/bin # drill heise.de
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 26134
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 14
;; QUESTION SECTION:
;; heise.de.    IN      A

;; ANSWER SECTION:
heise.de.       86400   IN      A       193.99.144.80

;; AUTHORITY SECTION:
.       90643   IN      NS      h.root-servers.net.
.       90643   IN      NS      m.root-servers.net.
.       90643   IN      NS      l.root-servers.net.
.       90643   IN      NS      b.root-servers.net.
.       90643   IN      NS      d.root-servers.net.
.       90643   IN      NS      a.root-servers.net.
.       90643   IN      NS      g.root-servers.net.
.       90643   IN      NS      f.root-servers.net.
.       90643   IN      NS      i.root-servers.net.
.       90643   IN      NS      e.root-servers.net.
.       90643   IN      NS      k.root-servers.net.
.       90643   IN      NS      j.root-servers.net.
.       90643   IN      NS      c.root-servers.net.

;; ADDITIONAL SECTION:
m.root-servers.net.     324886  IN      A       202.12.27.33
h.root-servers.net.     76865   IN      A       198.97.190.53
a.root-servers.net.     263107  IN      A       198.41.0.4
c.root-servers.net.     138868  IN      A       192.33.4.12
e.root-servers.net.     260655  IN      A       192.203.230.10
i.root-servers.net.     264776  IN      A       192.36.148.17
k.root-servers.net.     324975  IN      A       193.0.14.129
j.root-servers.net.     325372  IN      A       192.58.128.30
f.root-servers.net.     325953  IN      A       192.5.5.241
l.root-servers.net.     325451  IN      A       199.7.83.42
g.root-servers.net.     260656  IN      A       192.112.36.4
d.root-servers.net.     326171  IN      A       199.7.91.13
b.root-servers.net.     326860  IN      A       170.247.170.2
m.root-servers.net.     264777  IN      AAAA    2001:dc3::35

;; Query time: 260 msec
;; SERVER: 10.255.1.50
;; WHEN: Mon Jan 15 16:56:08 2024
;; MSG SIZE  rcvd: 489
root@OPNsense:/usr/bin # drill artifactory.my-comp.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 7072
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; artifactory.my-comp.com.      IN      A

;; ANSWER SECTION:
artifactory.my-comp.com. 1471    IN      CNAME   artifactory.global.my-comp.com.
artifactory.global.my-comp.com.  3643    IN      A       172.22.51.78

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: 10.160.5.6
;; WHEN: Mon Jan 15 16:56:17 2024
;; MSG SIZE  rcvd: 89
root@OPNsense:/usr/bin # drill artifactory-berlin1.my-comp.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 15703
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 14
;; QUESTION SECTION:
;; artifactory-berlin1.my-comp.com.      IN      A

;; ANSWER SECTION:
artifactory-berlin1.my-comp.com. 1781    IN      A       172.20.48.164

;; AUTHORITY SECTION:
.       90621   IN      NS      e.root-servers.net.
.       90621   IN      NS      h.root-servers.net.
.       90621   IN      NS      a.root-servers.net.
.       90621   IN      NS      d.root-servers.net.
.       90621   IN      NS      c.root-servers.net.
.       90621   IN      NS      k.root-servers.net.
.       90621   IN      NS      l.root-servers.net.
.       90621   IN      NS      b.root-servers.net.
.       90621   IN      NS      j.root-servers.net.
.       90621   IN      NS      i.root-servers.net.
.       90621   IN      NS      g.root-servers.net.
.       90621   IN      NS      m.root-servers.net.
.       90621   IN      NS      f.root-servers.net.

;; ADDITIONAL SECTION:
m.root-servers.net.     324864  IN      A       202.12.27.33
h.root-servers.net.     76843   IN      A       198.97.190.53
a.root-servers.net.     263085  IN      A       198.41.0.4
c.root-servers.net.     138846  IN      A       192.33.4.12
e.root-servers.net.     260633  IN      A       192.203.230.10
i.root-servers.net.     264754  IN      A       192.36.148.17
k.root-servers.net.     324953  IN      A       193.0.14.129
j.root-servers.net.     325350  IN      A       192.58.128.30
f.root-servers.net.     325931  IN      A       192.5.5.241
l.root-servers.net.     325429  IN      A       199.7.83.42
g.root-servers.net.     260634  IN      A       192.112.36.4
d.root-servers.net.     326149  IN      A       199.7.91.13
b.root-servers.net.     326838  IN      A       170.247.170.2
m.root-servers.net.     264755  IN      AAAA    2001:dc3::35

;; Query time: 134 msec
;; SERVER: 10.255.1.50
;; WHEN: Mon Jan 15 16:56:31 2024
;; MSG SIZE  rcvd: 511
root@OPNsense:/usr/bin # ping artifactory-berlin1.my-comp.com
ping: Unknown host
root@OPNsense:/usr/bin # ping heise.de
PING heise.de (193.99.144.80): 56 data bytes
64 bytes from 193.99.144.80: icmp_seq=0 ttl=243 time=13.168 ms
^C
--- heise.de ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 13.168/13.168/13.168/0.000 ms
root@OPNsense:/usr/bin # ping artifactory.my-comp.com
ping: Unknown host
root@OPNsense:/usr/bin #

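An added Python example, not code from this post and not part of OPNsense: it parses drill output in the format shown above, keeps only the ANSWER section, and follows the CNAME chain to the A/AAAA addresses that an FQDN alias would be filled with. SAMPLE_CHASED is copied from the drill output for artifactory.my-comp.com above; SAMPLE_UNCHASED is a constructed variant in which the resolver answers with only the CNAME, to show how a name that "resolves" can still leave an alias with zero addresses, which is exactly the state in which a rule built on that alias matches nothing.

```python
"""Parse drill(1) output and follow the CNAME chain to the final A/AAAA addresses.

Added example; not code from the forum post or from OPNsense.
"""
import re
from dataclasses import dataclass

# Copied from the drill output in the post above (resolver chased the CNAME).
SAMPLE_CHASED = """\
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 7072
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; artifactory.my-comp.com.      IN      A

;; ANSWER SECTION:
artifactory.my-comp.com. 1471    IN      CNAME   artifactory.global.my-comp.com.
artifactory.global.my-comp.com.  3643    IN      A       172.22.51.78

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: 10.160.5.6
"""

# Constructed variant: same query, but the resolver returned only the CNAME.
SAMPLE_UNCHASED = """\
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 7073
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; artifactory.my-comp.com.      IN      A

;; ANSWER SECTION:
artifactory.my-comp.com. 1471    IN      CNAME   artifactory.global.my-comp.com.

;; Query time: 0 msec
;; SERVER: 10.160.5.6
"""


@dataclass(frozen=True)
class RR:
    name: str
    ttl: int
    rtype: str
    rdata: str


_RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")
_RCODE_RE = re.compile(r"rcode: (\w+)")


def parse_drill(text):
    """Return (rcode, question name, [RR, ...]); only the ANSWER section is collected."""
    rcode, question, section, answer = None, None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";; ->>HEADER<<-"):
            m = _RCODE_RE.search(line)
            rcode = m.group(1) if m else None
        elif line.endswith("SECTION:"):
            section = line.split()[1]           # ";; ANSWER SECTION:" -> "ANSWER"
        elif line.startswith(";;"):
            if section == "QUESTION":
                question = line[2:].split()[0]  # ";; name. IN A" -> "name."
        elif section == "ANSWER":
            m = _RR_RE.match(line)
            if m:
                answer.append(RR(m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return rcode, question, answer


def follow_chain(rrs, qname, max_hops=8):
    """Follow CNAMEs starting at qname; return (set of addresses, list of CNAME hops)."""
    name = qname if qname.endswith(".") else qname + "."
    hops = []
    for _ in range(max_hops):
        addrs = {r.rdata for r in rrs if r.name == name and r.rtype in ("A", "AAAA")}
        if addrs:
            return addrs, hops
        targets = [r.rdata for r in rrs if r.name == name and r.rtype == "CNAME"]
        if not targets:
            return set(), hops                  # chain ends without an address
        name = targets[0]
        hops.append(name)
    return set(), hops                          # loop or over-long chain


def check_alias(drill_output):
    """Summarise what an FQDN alias built from this answer would contain."""
    rcode, qname, answer = parse_drill(drill_output)
    addrs, hops = follow_chain(answer, qname)
    if rcode != "NOERROR":
        status = "ERROR"
    elif addrs:
        status = "OK"
    else:
        status = "EMPTY"                        # alias would have zero addresses
    return {"name": qname, "rcode": rcode, "chain": hops,
            "addresses": sorted(addrs), "status": status}


if __name__ == "__main__":
    for sample in (SAMPLE_CHASED, SAMPLE_UNCHASED):
        print(check_alias(sample))
```

Running it prints OK with 172.22.51.78 for the first sample and EMPTY for the second; the useful part for this thread is that a NOERROR answer and an alias with addresses are two different things, so the status to watch is EMPTY, not only ERROR.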



January 22, 2024, 01:15:22 PM #5 Last Edit: January 22, 2024, 01:20:48 PM by Senten
Hi there,

I think I have the same issue and posted in the German sub forum about it (unfortunately no answers yet):

Translated from original post:
Quote:
Hello dear community,

I recently set up a logging server and through this I stumbled upon the following problem:

The pf firewall does not resolve FQDN firewall aliases once every ~6 minutes. Milliseconds later the same name is resolved correctly:

2024-01-18 08:25:06.560 resolving 1 hostnames (1 addresses) for ##### took 0.02 seconds
2024-01-18 08:19:08.284 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 08:18:32.324 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 08:18:05.878 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 08:12:08.150 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 08:12:07.930 resolving 1 hostnames (0 addresses) for ##### took 2.03 seconds
2024-01-18 08:12:07.910 The DNS query name does not exist: ##### [for #####]
2024-01-18 08:07:03.941 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 08:01:07.082 resolving 1 hostnames (1 addresses) for ##### took 0.02 seconds
2024-01-18 08:01:06.983 resolving 1 hostnames (0 addresses) for ##### took 2.03 seconds
2024-01-18 08:01:06.973 The DNS query name does not exist: ##### [for #####]
2024-01-18 07:55:09.124 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 07:50:04.179 resolving 1 hostnames (1 addresses) for ##### took 0.02 seconds
2024-01-18 07:44:08.971 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 07:44:08.300 resolving 1 hostnames (0 addresses) for ##### took 2.03 seconds
2024-01-18 07:44:08.284 The DNS query name does not exist: ##### [for #####]
2024-01-18 07:38:06.104 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 07:38:06.002 resolving 1 hostnames (0 addresses) for ##### took 2.04 seconds
2024-01-18 07:38:05.982 The DNS query name does not exist: ##### [for #####]
2024-01-18 07:32:06.035 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 07:26:06.578 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds


The above logs are filtered for the same alias (even though others are affected too). The FQDN can be resolved using dig or nslookup just fine without any errors or timeouts whatsoever.

My system is running OPNsense 23.7.12, the error existed already with 23.7.10 and likely even before that.

The dns server used is the local unbound service.

At System>Settings>General the following settings are *not* checked:
DNS server options
[ ] Allow DNS server list to be overridden by DHCP/PPP on WAN
[ ] Do not use the local DNS service as a nameserver for this system


In my case I am talking about A/AAAA records and not necessarily CNAMEs.

Is this the same issue as yours? If not so, please tell me so I can open a new thread in the English forum :-)

Regards,
Senten

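An added Python example, not code from Senten's post and not part of OPNsense: it parses alias resolution log lines in the format quoted above and flags "flaps", that is, a run that resolved 0 addresses followed within a few seconds by a run that resolved the name again. SAMPLE_LOG is constructed to mirror the quoted excerpt (newest line first, the same two-line failure pattern); the alias name web_alias and the hostname host.example.invalid are placeholders, not values from the post. The point for a defender is that every empty run leaves the alias without addresses until the next successful run, so rules using it match nothing in between, and a monitor should count those windows rather than only NXDOMAIN messages.

```python
"""Detect transient FQDN-alias resolution failures in OPNsense alias log lines.

Added example; not code from the forum post or from OPNsense.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample in the format of the quoted log excerpt (newest first);
# alias name and hostname are placeholders, not values from the post.
SAMPLE_LOG = """\
2024-01-18 08:12:08.150 resolving 1 hostnames (1 addresses) for web_alias took 0.01 seconds
2024-01-18 08:12:07.930 resolving 1 hostnames (0 addresses) for web_alias took 2.03 seconds
2024-01-18 08:12:07.910 The DNS query name does not exist: host.example.invalid [for web_alias]
2024-01-18 08:07:03.941 resolving 1 hostnames (1 addresses) for web_alias took 0.01 seconds
2024-01-18 08:01:07.082 resolving 1 hostnames (1 addresses) for web_alias took 0.02 seconds
2024-01-18 08:01:06.983 resolving 1 hostnames (0 addresses) for web_alias took 2.03 seconds
2024-01-18 08:01:06.973 The DNS query name does not exist: host.example.invalid [for web_alias]
2024-01-18 07:55:09.124 resolving 1 hostnames (1 addresses) for web_alias took 0.01 seconds
"""

_RESOLVE_RE = re.compile(
    r"^(\S+ \S+) resolving (\d+) hostnames \((\d+) addresses\) for (\S+) took ([\d.]+) seconds$")
_NXDOMAIN_RE = re.compile(
    r"^(\S+ \S+) The DNS query name does not exist: (\S+) \[for (\S+)\]$")


@dataclass(frozen=True)
class Run:
    ts: datetime
    alias: str
    hostnames: int
    addresses: int
    seconds: float


@dataclass(frozen=True)
class Flap:
    alias: str
    failed_at: datetime
    recovered_after_s: float


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def parse_log(text):
    """Return (runs sorted oldest-first, list of (ts, hostname, alias) name-error events)."""
    runs, nxdomain = [], []
    for line in text.splitlines():
        m = _RESOLVE_RE.match(line)
        if m:
            runs.append(Run(_ts(m[1]), m[4], int(m[2]), int(m[3]), float(m[5])))
            continue
        m = _NXDOMAIN_RE.match(line)
        if m:
            nxdomain.append((_ts(m[1]), m[2], m[3]))
    runs.sort(key=lambda r: r.ts)
    return runs, nxdomain


def find_flaps(runs, window_s=5.0):
    """A run with 0 addresses followed by a non-empty run of the same alias within window_s."""
    flaps = []
    for i, run in enumerate(runs):
        if run.addresses != 0:
            continue
        for later in runs[i + 1:]:
            if later.alias != run.alias:
                continue
            delta = (later.ts - run.ts).total_seconds()
            if delta > window_s:
                break
            if later.addresses > 0:
                flaps.append(Flap(run.alias, run.ts, delta))
                break
    return flaps


def analyse(text, slow_s=1.0):
    """Summary a monitor can alert on; 'empty' runs are the ones that leave rules
    matching nothing until the next successful run."""
    runs, nxdomain = parse_log(text)
    return {
        "runs": len(runs),
        "empty": sum(1 for r in runs if r.addresses == 0),
        "slow": sum(1 for r in runs if r.seconds >= slow_s),   # failed runs took ~2 s
        "nxdomain": len(nxdomain),
        "flaps": find_flaps(runs),
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for f in report["flaps"]:
        print(f"{f.alias}: empty at {f.failed_at}, recovered after {f.recovered_after_s:.3f}s")
```

On the sample this reports 6 runs, 2 empty, 2 slow (the failed runs are the ones that took about 2 seconds), 2 name-error messages and 2 flaps, each recovering in well under a second. The "slow" counter is worth keeping separately because a run that takes about 2 seconds and returns nothing looks like a resolver timeout or failed retry rather than an authoritative negative answer, which is a different thing to investigate.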

I'm a bit unclear as to what the problem is. You're using a domain alias in a firewall rule and that's not working correctly?

Can you post screenshots of your alias, the DNS and ping diagnostic pages, and your DNS settings?