
3531 - Troubleshooting DNS REFUSED and delegation in NIOS

Scenario

You are the DNS administrator of a small coffee company. Your company has recently started a new division for Hawaii's Kona Coffee. Before going public, the company is staging servers internally for the time being. The recursive resolver for the company is ADA (10.100.0.100). Your main DNS server NS1 (10.100.0.111) is authoritative for the internal zone coffee.corp. A delegation has been set up to delegate the zone kona.coffee.corp to NS2 (10.100.0.222), located at the Hawaii branch office. An entry has already been added to NS2 for the new server, sweet.kona.coffee.corp. However, users are complaining that they are unable to resolve this name. Please analyze the information provided and find the root cause or root causes.

For your reference, this is the diagram drawn by the technical team in the Hawaii branch office:

Estimated Completion Time

  • 30 to 45 minutes

Credentials

  Description        Username   Password   URL or IP
  Grid Manager UI    admin      infoblox   https://10.100.0.100/

Requirements

  • None

Course References

  • 3011 - DNS Troubleshooting Methodology

Tasks

Task 1: Troubleshoot REFUSED error message

A user reports that they are unable to resolve a domain name and has attached a screenshot. Please investigate the root cause. (Hint: look at the spelling carefully.)

Task 2: Troubleshoot unexpected result

The user is still unable to resolve sweet.kona.coffee.corp and has provided a new screenshot. Please investigate the root cause.

Solutions

Task 1 Solution: Troubleshoot REFUSED error message

Root Cause

The domain name was misspelled: the user queried sweet.kona.coffee.crop. when it should be sweet.kona.coffee.corp. (corp, not crop).

Detailed Analysis

The REFUSED response code is usually an indication that the server has an access control list (ACL) or some other mechanism that denies the query. The clue is in the screenshot submitted by the user: there is a line below the header section that reads:

WARNING: recursion requested but not available

To test this, you can execute other queries against NS1 (10.100.0.111) to see whether it accepts any other domain names, such as www.example.com. The root cause, however, is the misspelled name. NS1 (10.100.0.111) is not authoritative for the coffee.crop domain name, so it could only answer the query by recursion. Since recursion is not enabled, the server returns the REFUSED response code.

Task 2 Solution: Troubleshoot unexpected result

Root Cause

The client should not be using an authoritative server to resolve a delegated domain name. Point the client to the recursive resolver at 10.100.0.100 instead.

Detailed Analysis

This response is known as a REFERRAL in DNS, although it is not a return code of its own. It is normal behavior from an authoritative name server in response to a query for a name that has been delegated. The authoritative name server NS1 (10.100.0.111) sends back a response containing the NS record and the glue record, informing the client to query NS2 (10.100.0.222).

At this point the client (desktop) would be expected to perform a follow-up iterative query to NS2 (10.100.0.222) to "chase down the answer". The proper solution is to introduce a recursive name server for the client to use, which performs all of the iterative queries needed to chase down the answer on the client's behalf.

In summary, this is expected behavior when a stub resolver (client) queries the authoritative servers directly. The fix is an architectural change: the client or stub resolver should stop querying authoritative servers directly and instead query an intermediary server that has recursion enabled, i.e. a recursive resolver. In our scenario, the recursive resolver is ADA (10.100.0.100).

On the desktop, execute the same query, but point it at ADA (10.100.0.100) instead of NS1 (10.100.0.111):

dig @10.100.0.100 sweet.kona.coffee.corp. A

This should resolve correctly. For reference, this is the updated network diagram:
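The two solutions above both come down to reading the header of a dig response: the status (rcode), the rd/ra flags and the per-section counts. The script below is an added example, not part of the Infoblox lab, that classifies a saved dig response into the lab's two failure modes (REFUSED with "recursion requested but not available" for Task 1, a referral with an empty ANSWER section and NS records in AUTHORITY for Task 2) and the working case, and prints the next troubleshooting step for each. The three embedded responses are constructed to mimic dig's text format; the NS2 hostname ns2.kona.coffee.corp and the answer address 192.0.2.10 are placeholders, not values from the lab. On the lab desktop you would feed it real output captured with, for instance, dig @10.100.0.111 sweet.kona.coffee.corp. A > response.txt.

```shell
#!/bin/sh
# Added example (not the lab's own material): triage a saved dig response by
# its rcode, flags and section counts. Sample responses below are CONSTRUCTED;
# ns2.kona.coffee.corp and 192.0.2.10 are placeholders.

# classify_dig_output FILE
# Prints one of: REFUSED_NO_RECURSION, REFUSED, REFERRAL, ANSWER, OTHER
classify_dig_output() {
    f="$1"
    # rcode from the ";; ->>HEADER<<- ... status: X," line
    status=$(sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' "$f" | head -n 1)
    # section counts from the ";; flags: ..." line
    answers=$(sed -n 's/^;; flags:.*ANSWER: \([0-9]*\),.*/\1/p' "$f" | head -n 1)
    authority=$(sed -n 's/^;; flags:.*AUTHORITY: \([0-9]*\),.*/\1/p' "$f" | head -n 1)

    case "$status" in
        REFUSED)
            # Task 1: rd set but ra missing, so the server will not recurse for a
            # name outside its zones (here the misspelled coffee.crop)
            if grep -q 'recursion requested but not available' "$f"; then
                echo REFUSED_NO_RECURSION
            else
                echo REFUSED
            fi ;;
        NOERROR)
            if [ "${answers:-0}" -gt 0 ]; then
                echo ANSWER
            elif [ "${authority:-0}" -gt 0 ] \
                 && grep -q '[[:space:]]IN[[:space:]][[:space:]]*NS[[:space:]]' "$f"; then
                # Task 2: empty ANSWER plus NS records in AUTHORITY is a referral
                echo REFERRAL
            else
                echo OTHER
            fi ;;
        *) echo OTHER ;;
    esac
}

# explain CLASS: the next troubleshooting step for each classification
explain() {
    case "$1" in
        REFUSED_NO_RECURSION) echo "Server is not authoritative for the name and recursion is off: check the spelling and which server was queried." ;;
        REFUSED)  echo "Query denied by the server: review its ACL / allow-query settings." ;;
        REFERRAL) echo "Referral to the delegated zone's servers: a stub resolver cannot follow it, query the recursive resolver (ADA, 10.100.0.100) instead." ;;
        ANSWER)   echo "Name resolved." ;;
        *)        echo "Inspect the full response." ;;
    esac
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Constructed sample 1 (Task 1): misspelled name sent to NS1
cat >"$work/refused.txt" <<'EOF'
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4817
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;sweet.kona.coffee.crop.        IN      A
EOF

# Constructed sample 2 (Task 2): correct name sent to NS1, which only delegates it
cat >"$work/referral.txt" <<'EOF'
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9120
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;sweet.kona.coffee.corp.        IN      A

;; AUTHORITY SECTION:
kona.coffee.corp.       3600    IN      NS      ns2.kona.coffee.corp.

;; ADDITIONAL SECTION:
ns2.kona.coffee.corp.   3600    IN      A       10.100.0.222
EOF

# Constructed sample 3: the same query sent to the recursive resolver ADA
cat >"$work/answer.txt" <<'EOF'
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2203
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;sweet.kona.coffee.corp.        IN      A

;; ANSWER SECTION:
sweet.kona.coffee.corp. 3600    IN      A       192.0.2.10
EOF

for name in refused referral answer; do
    cls=$(classify_dig_output "$work/$name.txt")
    echo "$name.txt: $cls - $(explain "$cls")"
done
```

The classification deliberately keys on the header rather than on the presence of any particular record, because that is what distinguishes the two lab cases: the REFUSED case has no sections at all and only the missing ra flag explains it, while the referral case is a NOERROR response whose only content sits in AUTHORITY and ADDITIONAL. A plain REFUSED without the recursion warning is kept separate, since that points at an ACL rather than at the client asking the wrong server.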
