[Pdns-users] Failures of recursor from within pod/coredns OR dig

Alessandro Dentella sandro.dentella at gmail.com
Thu Oct 21 20:45:09 UTC 2021


Thanks again Pieter,

> The trace is not complete,

Did you notice the link to pastebin? I think that very long log is complete:

> Here is the failing dig:
> 
>   https://pastebin.com/NeUNyWfF
> 
> Log when coredns forwards:
>   
>    https://pastebin.com/DsNH1akb1



> but you might have to either set an NTA for .lan in your config[1] or set
> dnssec=off in your recursor.conf. Do the first if you care about DNSSEC
> validation or the second if you don't care about it.

After disabling dnssec, dig works but queries from coredns do not.

[BTW: what is the proper way to restart the recursor? I'm in docker so I restart
the docker but I guess there's a simpler way. In my docker I have rec_control,
but no command seems the proper one: reload-lua-script / reload-lua-config, reload-zones...]

After disabling dnssec logs are:

dig (working):
   recursor_1    | Oct 21 20:31:44 2 [57/1] question for 'dns1b.thux.lan|A' from 10.1.201.111:37680
   recursor_1    | Oct 21 20:31:44 [57] : no TA found for 'dns1b.thux.lan' among 1
   recursor_1    | Oct 21 20:31:44 [57] : no TA found for 'thux.lan' among 1
   recursor_1    | Oct 21 20:31:44 [57] : no TA found for 'lan' among 1
   recursor_1    | Oct 21 20:31:44 [57] : got TA for '.'
   recursor_1    | Oct 21 20:31:44 [57] QM dns1b.thux.lan.|A child=(empty): doResolve
   recursor_1    | Oct 21 20:31:44 [57] dns1b.thux.lan: Wants NO DNSSEC processing, auth data in query for A
   recursor_1    | Oct 21 20:31:44 [57] dns1b.thux.lan: Recursion not requested for 'dns1b.thux.lan|A', peeking at auth/forward zones
   recursor_1    | Oct 21 20:31:44 [57] dns1b.thux.lan: Found cache hit for A: 10.2.201.135[ttl=98] 
   recursor_1    | Oct 21 20:31:44 [57] dns1b.thux.lan: updating validation state with cache content for dns1b.thux.lan to Indeterminate
   recursor_1    | Oct 21 20:31:44 [57] QM dns1b.thux.lan.|A child=(empty): Step0 Found in cache
   recursor_1    | Oct 21 20:31:44 2 [57/1] answer to question 'dns1b.thux.lan|A': 1 answers, 1 additional, took 0 packets, 0 netw ms, 0 tot ms, 0 throttled, 0 timeouts, 0 tcp connections, rcode=0


A different recursor, same conf (much longer log):

   https://pastebin.com/qkdxmBvf

from the container via coredns (failing):

   https://pastebin.com/XRXpEEHZ

In this case I don't have 'dig', I'm using nslookup or ping:

   # kubectl attach shpod -it
   If you don't see a command prompt, try pressing enter.
   shpod:~# nslookup dns1b.thux.lan
   Server:		10.152.183.10
   Address:	10.152.183.10:53

   ** server can't find dns1b.thux.lan: NXDOMAIN

   Non-authoritative answer:
   *** Can't find dns1b.thux.lan: No answer

   shpod:~# ping dns1b.thux.lan
   ping: bad address 'dns1b.thux.lan'


sandro
*:-)
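
A small parser for the recursor trace format quoted in the message above, so the same fields can be compared between the working dig query and the coredns-forwarded one. This is an added example, not part of the original message or of PowerDNS; the summary field names are made up for illustration, and it assumes RD was set unless the trace logs "Recursion not requested".

```python
import re

# A subset of the trace lines from the "dig (working)" log in the message above.
SAMPLE = """\
recursor_1    | Oct 21 20:31:44 2 [57/1] question for 'dns1b.thux.lan|A' from 10.1.201.111:37680
recursor_1    | Oct 21 20:31:44 [57] : no TA found for 'lan' among 1
recursor_1    | Oct 21 20:31:44 [57] : got TA for '.'
recursor_1    | Oct 21 20:31:44 [57] dns1b.thux.lan: Wants NO DNSSEC processing, auth data in query for A
recursor_1    | Oct 21 20:31:44 [57] dns1b.thux.lan: Recursion not requested for 'dns1b.thux.lan|A', peeking at auth/forward zones
recursor_1    | Oct 21 20:31:44 [57] dns1b.thux.lan: Found cache hit for A: 10.2.201.135[ttl=98]
recursor_1    | Oct 21 20:31:44 2 [57/1] answer to question 'dns1b.thux.lan|A': 1 answers, 1 additional, took 0 packets, 0 netw ms, 0 tot ms, 0 throttled, 0 timeouts, 0 tcp connections, rcode=0
"""

QUESTION = re.compile(r"\[(\d+)/\d+\] question for '([^|']+)\|(\w+)' from (\S+):(\d+)")
ANSWER = re.compile(r"\[(\d+)/\d+\] answer to question '[^']*': (\d+) answers.*rcode=(\d+)")
DETAIL = re.compile(r"\[(\d+)\] (.*)")
WANTS = re.compile(r"Wants (NO )?DNSSEC processing")
GOT_TA = re.compile(r"got TA for '([^']+)'")

def summarize(log_text):
    """Return one dict per 'question for' line, filled from that id's trace lines."""
    done, active = [], {}  # active: trace id -> query still being traced
    for line in log_text.splitlines():
        if m := QUESTION.search(line):
            q = {"qname": m[2], "qtype": m[3], "client": m[4],
                 "rd": True,  # assumption: set unless the trace says otherwise
                 "dnssec_processing": None, "trust_anchor": None,
                 "cache_hit": False, "answers": None, "rcode": None}
            active[m[1]] = q
            done.append(q)
        elif m := ANSWER.search(line):
            q = active.pop(m[1], None)  # the answer line closes the trace for this id
            if q is not None:
                q["answers"], q["rcode"] = int(m[2]), int(m[3])
        elif (m := DETAIL.search(line)) and m[1] in active:
            q, text = active[m[1]], m[2]
            if "Recursion not requested" in text:
                q["rd"] = False
            if w := WANTS.search(text):
                q["dnssec_processing"] = w[1] is None  # "NO " means processing is off
            if t := GOT_TA.search(text):
                q["trust_anchor"] = t[1]
            if "Found cache hit" in text:
                q["cache_hit"] = True
    return done

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Running it over both pastebin traces gives one record per query, so differences in client address, RD, cache hit and rcode stand out without reading the full log.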

