3523 - Troubleshooting DNS views in NIOS
Scenario
A new DNS view Internal has been added to the Grid, with a zone named techred.net. The expected behavior is that all internal clients from the 10.100.x.x address space will now be able to resolve these 2 names:
www.techred.net → 10.10.10.55
ldap.techred.net → 10.10.10.66
However, when users attempt to look up these two names, they are seeing these results:
$ dig @10.100.0.105 www.techred.net.
; <<>> DiG 9.11.12 <<>> @10.100.0.105 www.techred.net.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32318
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
www.techred.net. 2371 IN CNAME techred.net.
techred.net. 3596 IN A 186.202.151.17
;; Query time: 13 msec
;; SERVER: 10.100.0.105#53(10.100.0.105)
;; WHEN: Thu Aug 19 20:10:55 UTC 2021
;; MSG SIZE rcvd: 102
$ dig @10.100.0.105 ldap.techred.net. A
; <<>> DiG 9.11.12 <<>> @10.100.0.105 ldap.techred.net. A
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9066
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
techred.net. 3600 IN SOA ns1.locaweb.com.br. postmaster.locaweb.com.br. 2013110701 3600 600 1209600 3600
;; Query time: 136 msec
;; SERVER: 10.100.0.105#53(10.100.0.105)
;; WHEN: Thu Aug 19 20:12:10 UTC 2021
;; MSG SIZE rcvd: 138
Please identify the root cause and provide a fix so names are resolved as expected.
Estimated Completion Time
15 to 20 minutes
Credentials
Description | Username | Password | URL or IP |
---|---|---|---|
Grid Manager UI | admin | infoblox | |
Requirements
Administrative access to the Grid
Course References
3006: Configuring NAT'ed Glue Records in NIOS
3011: DNS Troubleshooting Methodology
Lab Initiation
Access jump-desktop
Once the lab is deployed, you can access the virtual machines required to complete this lab activity. To initiate the lab, click on the jump-desktop tile and log in to the Linux UI:

Username: training
Password: infoblox
Initiate lab
To initiate the lab, double-click the Launch Lab icon on the Desktop.

Launch Lab
Choose the lab number from the list and click OK.

After clicking OK, you will see a pop-up message with a brief description of the lab task. If the description looks correct, click Yes to continue lab initiation.

Lab initiation will take a couple of minutes to finish.
Once complete, you will see another pop-up message with the login credentials and the URL for the Grid Manager’s User Interface. Note that the credentials may differ from those from prior labs.

Tasks
Task 1: Troubleshooting DNS views
Use lookup tools and logs to identify why clients are being served answers from the incorrect DNS view. Correct the view configuration and verify proper name resolution.
Solutions
Task 1 Solution: Troubleshooting DNS views
Study the 2 dig outputs carefully. Looking specifically at the header flags, you should notice the absence of the AA flag and the presence of the RA flag:
$ dig @10.100.0.105 www.techred.net.
; <<>> DiG 9.11.12 <<>> @10.100.0.105 www.techred.net.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32318
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
www.techred.net. 2371 IN CNAME techred.net.
techred.net. 3596 IN A 186.202.151.17
;; Query time: 13 msec
;; SERVER: 10.100.0.105#53(10.100.0.105)
;; WHEN: Thu Aug 19 20:10:55 UTC 2021
;; MSG SIZE rcvd: 102
$ dig @10.100.0.105 ldap.techred.net. A
; <<>> DiG 9.11.12 <<>> @10.100.0.105 ldap.techred.net. A
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9066
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
techred.net. 3600 IN SOA ns1.locaweb.com.br. postmaster.locaweb.com.br. 2013110701 3600 600 1209600 3600
;; Query time: 136 msec
;; SERVER: 10.100.0.105#53(10.100.0.105)
;; WHEN: Thu Aug 19 20:12:10 UTC 2021
;; MSG SIZE rcvd: 138
This indicates that these answers are non-authoritative: the Infoblox member ibns1 (10.100.0.105) had to query another name server to get them. This is not how the query is supposed to flow, because we have a zone named techred.net configured in the view Internal. Our queries are therefore not being captured by that view, which most likely means the view ordering or match-client statements are misconfigured.
Navigate to Data Management → DNS → Members, edit member ibns1, toggle the Advanced Mode → DNS Views, scroll down to the section Order of DNS Views, and you will see that the view default is placed at the top, and the view Internal is placed at the bottom (shown below).

Change the ordering such that the Internal view is above the default view.

Repeat the above configuration steps on the member ibns2.techbelue.net to re-order its DNS views.
Re-run the dig queries. They should show different results now. Check for the AA flag in each of the answers, which indicates that these are authoritative responses and that the Infoblox members did not query any other name servers for the answer.
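The root cause above comes down to first-match view selection: a name server walks its ordered view list and uses the first view whose match-clients list contains the client. The following is an added example, not part of the original lab or of NIOS, that models this and flags views that can never be selected. The match-clients networks and the client addresses are assumptions built from the scenario text, since the lab's real ACLs are not shown on the page.

```python
import ipaddress

# Constructed view definitions. The match-clients networks are assumptions
# based on the scenario (internal clients live in 10.100.x.x); the lab's
# real ACLs are not shown on the page.
BROKEN_ORDER = [
    ("default", ["0.0.0.0/0"]),        # matches any IPv4 client
    ("Internal", ["10.100.0.0/16"]),
]
FIXED_ORDER = [BROKEN_ORDER[1], BROKEN_ORDER[0]]


def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def select_view(views, client_ip):
    """Return the first view whose match-clients list contains the client."""
    addr = ipaddress.ip_address(client_ip)
    for name, cidrs in views:
        if any(addr in net for net in _nets(cidrs)):
            return name
    return None  # no view matched the client


def shadowed_views(views):
    """List (view, shadowing_view) pairs where every network of a view is
    already covered by one earlier view, so the later view is never reached."""
    findings = []
    for i, (name, cidrs) in enumerate(views):
        for earlier_name, earlier_cidrs in views[:i]:
            if all(any(n.subnet_of(e) for e in _nets(earlier_cidrs))
                   for n in _nets(cidrs)):
                findings.append((name, earlier_name))
                break
    return findings


if __name__ == "__main__":
    client = "10.100.0.50"  # constructed internal client address
    print("broken:", select_view(BROKEN_ORDER, client), shadowed_views(BROKEN_ORDER))
    print("fixed: ", select_view(FIXED_ORDER, client), shadowed_views(FIXED_ORDER))
```

With the original ordering the internal client lands in the default view and Internal is reported as shadowed; after the reorder the same client lands in Internal and no view is shadowed.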