
#4144 Configure dns to respond to other networks in the networks table

2.9.1
closed
None
dns
5
2015-03-09
2014-05-27
Bruce
No

I'm running dns on my SoftLayer xcat mn, and it is configured to forward requests it doesn't know to the SL dns. All the bare metal nodes I'm deploying point to the xcat mn dns and everything resolves fine, except: nodes that are on a different private vlan than the xcat mn can't resolve external names (e.g. google.com). But they can resolve names the xcat mn dns can answer directly (e.g. for nodes in the cluster). There is a route defined for the node to get to the xcat mn's private vlan. For the nodes that are on the same vlan as the xcat mn, they can resolve both cluster and external names perfectly.

Both the nodes in the mn's private vlan and the nodes in the other private vlan are configured the same (minimal /etc/hosts, and the mn's ip address in /etc/resolv.conf).

When I run "nslookup google.com" on the node in the other private vlan, I see this in syslog on the mn:

May 27 13:37:48 xcat-pd-sj named[1027]: client 10.90.92.194#42644: query (cache) 'google.com/A/IN' denied

The reason is that in the named.conf file, the default for allow-query-cache is localnets, which I guess is networks the dns server is directly connected to. The default for allow-query is any network, but apparently the requests that need to be forwarded are affected by allow-query-cache, because it has to cache the answer after it gets it. When I add the line below in blue to /etc/named.conf, then the problem I described in my note below goes away.

Can you enhance makedns to add all of the networks in the networks table into the allow-query-cache statement?

options {
    directory "/var/named/";
    allow-query-cache { 10.54.51.0/26; 10.90.92.192/26; };
    //listen-on-v6 { any; };
    forwarders {
        10.0.80.11;
        10.0.80.12;
    };
};

Related

Wiki: Using_xCAT_in_SoftLayer

Discussion

  • Bruce

    Bruce - 2014-05-28

    I originally thought that setting it to "any" instead of listing the subnets would be a bad idea, based on what I read in http://www.zytrax.com/books/dns/ch7/queries.html#allow-query-cache, but after reading it more carefully, the thing they were saying was a bad idea was to have allow-query-cache and allow-recursion set differently. They recommended only setting allow-recursion and letting allow-query-cache always default to the same value. So I tried that, and it worked. So instead of setting allow-query-cache like I suggested above, you should just set allow-recursion in the options statement:

    allow-recursion { any; };

     
  • XiaoPeng Wang

    XiaoPeng Wang - 2014-05-29

    Done the fix.

    2.8.5: 92aedad
    2.9: d26a616

     
  • XiaoPeng Wang

    XiaoPeng Wang - 2014-05-29
    • status: open --> pending
     
  • Bruce

    Bruce - 2014-09-03
     
  • Bruce

    Bruce - 2014-09-03

    Thx!

     
  • Bruce

    Bruce - 2014-09-29
    • status: pending --> closed
     
  • Bruce

    Bruce - 2014-09-29

    I tested this in 2.8.5 and it works. Thx!

     
  • Arif Ali

    Arif Ali - 2015-02-24

    Hi Bruce/Guang,

    This commit can cause problems, as it did for us in a new installation at a customer site. As the xCAT MN was accessible to the outside world, there were some wild people trying to recurse DNS from our xCAT server, and therefore giving a "Distributed Reflected DoS attack on UDP/53".

    Would we be able to look into resolving the original problem, as well as not opening it up for these kind of attacks?

    regards,
    Arif

     
    • XiaoPeng Wang

      XiaoPeng Wang - 2015-03-09

      Hi Arif,
      xCAT supports site.dnsinterfaces (the network interfaces the DNS server should listen on). In your case, if you don't want to accept external dns requests from the external network, you can just exclude the external interface from the listen list.
      Or do you still want to accept external dns requests, but with the recursive operation forbidden?

       
  • Bruce

    Bruce - 2015-02-25

    Guang Cheng,

    Ok, so maybe you need to go back to my original suggested solution, which is allow only the networks in the networks table, not "any".
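To make the two halves of this thread concrete, here is an added example (mine, not xCAT's makedns code) that does what the original request and this comment both ask for: it reads the xCAT networks table, turns each net/mask pair into a CIDR, and emits a BIND options block whose allow-recursion ACL lists only those subnets instead of "any", with listen-on restricted to internal addresses in the way site.dnsinterfaces does. The sample table rows are constructed in the shape of `tabdump networks` output (the column list is my assumption); the two subnets and the forwarder addresses are the ones from the ticket, the listen addresses and the 203.0.113.5 outside client are made up for the check.

```python
"""Added example (not xCAT's makedns): derive BIND's allow-recursion ACL from the
xCAT networks table so the management node is not an open resolver."""
import csv
import io
import ipaddress

# Constructed sample in the shape of `tabdump networks`; the column list is an
# assumption. The third row is disabled and must be ignored.
SAMPLE_NETWORKS_TABLE = """\
#netname,net,mask,mgtifname,gateway,comments,disable
"sl_private","10.54.51.0","255.255.255.192","eth0","10.54.51.1",,
"sl_private2","10.90.92.192","255.255.255.192","eth0","10.90.92.193",,
"old_net","192.0.2.0","255.255.255.0","eth1","192.0.2.1",,"1"
"""

# The configuration this ticket originally shipped: anyone who can reach UDP/53
# may recurse through the server, which is what enabled the reflection attack.
WEAK_OPTIONS = """options {
    directory "/var/named/";
    allow-recursion { any; };
    forwarders { 10.0.80.11; 10.0.80.12; };
};
"""


def parse_networks_table(text):
    """Parse tabdump-style CSV (header line starts with '#') into dicts,
    dropping rows whose disable column is set."""
    lines = text.splitlines()
    header = lines[0].lstrip("#").split(",")
    reader = csv.DictReader(io.StringIO("\n".join(lines[1:])), fieldnames=header)
    return [row for row in reader if row.get("disable") not in ("1", "yes")]


def networks_to_cidrs(rows):
    """net + dotted mask -> normalised CIDR strings, deduplicated and sorted."""
    nets = {ipaddress.ip_network(f"{r['net']}/{r['mask']}", strict=False) for r in rows}
    return [str(n) for n in sorted(nets)]


def render_hardened_named(cidrs, forwarders, listen_ips):
    """Emit an acl + options block: recursion only for cluster networks,
    listening only on the given (internal) addresses."""
    acl_body = "".join(f"    {c};\n" for c in cidrs)
    listen = " ".join(f"{ip};" for ip in listen_ips)
    fwd = " ".join(f"{f};" for f in forwarders)
    return (
        'acl "xcat_nets" {\n'
        "    localhost;\n"
        "    localnets;\n"
        f"{acl_body}"
        "};\n\n"
        "options {\n"
        '    directory "/var/named/";\n'
        f"    listen-on {{ {listen} }};\n"
        "    allow-query { any; };           // authoritative cluster names for anyone who reaches us\n"
        "    allow-recursion { xcat_nets; }; // allow-query-cache defaults to this same ACL\n"
        f"    forwarders {{ {fwd} }};\n"
        "};\n"
    )


def recursion_allowed(client_ip, cidrs):
    """Would the networks-table part of the ACL let this client recurse?
    (localhost/localnets are not modelled here.)"""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


if __name__ == "__main__":
    cidrs = networks_to_cidrs(parse_networks_table(SAMPLE_NETWORKS_TABLE))
    print(render_hardened_named(cidrs, ["10.0.80.11", "10.0.80.12"],
                                ["127.0.0.1", "10.54.51.2"]))
    # 10.90.92.194 is the client from the ticket's syslog line; 203.0.113.5 is
    # a constructed outside address that must be refused recursion.
    for client in ("10.90.92.194", "203.0.113.5"):
        print(client, "recursion allowed:", recursion_allowed(client, cidrs))
```

After applying the generated block, check from a host outside the listed networks with `dig @<mn-address> google.com` and expect REFUSED (or no answer at all if the address is excluded from listen-on), while a node in one of the table's subnets still gets both cluster names and forwarded external names.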

     
  • Guang Cheng Li

    Guang Cheng Li - 2015-03-02
    • status: closed --> open
    • assigned_to: Guang Cheng Li --> XiaoPeng Wang
    • Milestone: 2.8.5 --> 2.9.1
     
  • Guang Cheng Li

    Guang Cheng Li - 2015-03-02

    Xiao Peng, could you take care of this bug? Thanks.

     
  • XiaoPeng Wang

    XiaoPeng Wang - 2015-03-06

    Hi Arif,

    xCAT supports site.dnsinterfaces (the network interfaces the DNS server should listen on). In your case, if you don't want to accept external dns requests from the external network, you can just exclude the external interface from the listen list.

    Or do you still want to accept external dns requests, but with the recursive operation forbidden?

     
  • Arif Ali

    Arif Ali - 2015-03-09

    Ah, ok, that works.

    I am happy with that.

    Didn't realise the option.

     
  • XiaoPeng Wang

    XiaoPeng Wang - 2015-03-09

    Thanks. I'll close this bug.

     
  • XiaoPeng Wang

    XiaoPeng Wang - 2015-03-09
    • status: open --> closed