
I am experimenting with two local DNS servers. When I take down the second (or the primary) DNS server, I cannot resolve any domain name.

Using the host command or nslookup I get a timeout error:

root@ubuntu:~# host testsrv.lan
;; connection timed out; no servers could be reached
root@ubuntu:~# nslookup testsrv.lan
;; Got recursion not available from 10.0.3.4, trying next server
;; connection timed out; no servers could be reached

But when I try the dig command I get a correct answer:

root@ubuntu:~# dig testsrv.lan   
; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> testsrv.lan
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7759
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;testsrv.lan.           IN  A

;; ANSWER SECTION:
testsrv.lan.        5   IN  A   10.0.3.4

;; Query time: 2 msec
;; SERVER: 10.0.3.4#53(10.0.3.4)
;; WHEN: Thu Jun 04 17:54:28 CET 2015
;; MSG SIZE  rcvd: 56

(The primary DNS server is 10.0.3.4 and I have added an A record: testsrv.lan --> 10.0.3.4.)

I have used tcpdump to check what is happening under the hood: `tcpdump -vvv -l -n -i any "udp port 53"`. I noticed that the first server is responding correctly to the DNS request from my host, but the host is always trying to query the second server and timing out.

Isn't Ubuntu (specifically the resolvconf service) supposed to be "fault tolerant" when either of the two DNS servers is down? Is this the default behavior when resolving a domain name? Is it documented anywhere? Can we change it?

N.B.: I am using Ubuntu 14.04 server and the DNS is configured in /etc/network/interfaces using `dns-nameservers 10.0.3.4 10.0.3.5`.

Any help is appreciated. Thank you.

Amine
    `WARNING: recursion requested but not available` coming from a server in `resolv.conf` seems like a strange setup. Could you elaborate on that aspect? – Håkan Lindqvist Jun 05 '15 at 06:21
  • 1
    @HåkanLindqvist Strange wasn't the word I would use to describe it. For security reasons it makes sense for distributions to leave recursive resolution disabled in the default configuration. Trying to use a newly installed DNS server as a recursive resolver without first enabling recursion is a mistake any admin could have made, nothing strange about that. But of course it isn't going to work. The fix is to read the manual on how to enable recursion and specify the IP range of clients permitted to use this DNS server as recursive resolver. – kasperd Jun 05 '15 at 06:32
  • Have you confirmed that your DNS configuration is first set from NetworkManager? Also check you have inserted both nameservers in /etc/resolv.conf. – Juan Pablo Orradre Jun 05 '15 at 01:39
  • @JuanPabloOrradre: in Ubuntu 14.04 it is not recommended to edit resolv.conf directly; please check this [link](http://thesimplesynthesis.com/post/how-to-set-a-static-ip-and-dns-in-ubuntu-14-04) for more information. – Amine Jun 05 '15 at 16:18
  • @kasperd: Thank you for those clarifications. In fact, I am not trying to build a full recursive DNS server, I am only trying to make an authoritative DNS server with some records. Is this the reason for this strange behavior? – Amine Jun 05 '15 at 16:23

1 Answer


A DNS server can be configured to operate in one of two different ways. Either it operates as an authoritative DNS server for one or more zones, or it is a caching recursive resolver. (This answer has more details about the difference.)

It is possible to configure one DNS server to do both simultaneously, but before doing so, you need to fully understand the difference between the two. Without sufficient understanding of the difference you are likely to end up with a setup that does something different from what you anticipated.

The flow of a typical DNS resolution starts with a query being sent from a client to a recursor. The recursor sends queries to as many authoritative DNS servers as necessary in order to send a reply to the client.

One possible explanation for why it works when both servers are up and doesn't work when one is down, is that you configured one as a recursor and the other as authoritative. When both are up the client can send a query to the recursor which then asks the authoritative and the reply from the authoritative to the recursor is then sent to the client.

Communication between client and recursor does not look exactly like the communication between recursor and authoritative. Each DNS query has a bit which indicates which kind of query it is. And DNS responses will also indicate whether the responding server is a recursor. So though it is in some cases possible to get a reply back for the wrong kind of query, both client and server will have the opportunity to see that something is wrong and refuse to present an answer to the user.

If you want to configure a redundant pair of DNS servers, then configuring one as a recursor and the other as authoritative is definitely not what you want. A redundant pair means you configure one of them to be able to do what you want it to be able to do on its own, and then you configure the other the same way.

The DNS servers you specify in your network configuration must be recursors. So if you want those DNS servers to be in /etc/resolv.conf or some other network configuration file in /etc, then what you want is a redundant pair of recursors.

Additionally, all of the tools host, nslookup, and dig by default send queries suitable for sending to a recursor. If you want to use those tools directly against an authoritative server, you need to tell the tool so, for example by using `dig +norecurse`.

kasperd
  • With the sentence "A DNS server can be configured to operate in one of two different ways. Either it operates as an authoritative DNS server for one or more zones, or it is a caching recursive resolver." the confusion for me got even bigger, when there was no explanation of the difference before using the terms in the rest of the text - the concepts are still Chinese to me – Wolfgang Fahl Oct 17 '15 at 14:49
  • @WolfgangFahl This paragraph explains the role of each: "The flow of a typical DNS resolution starts with a query being sent from a client to a recursor. The recursor sends queries to as many authoritative DNS servers as necessary in order to send a reply to the client." The point of this answer isn't to explain the difference between a recursor and an authoritative DNS server in details. Would a link to a more thorough explanation be useful to you? – kasperd Oct 17 '15 at 16:40
  • @WolfgangFahl I could include [this link](http://serverfault.com/q/422288/214507) in my answer if you think it is useful. – kasperd Oct 17 '15 at 16:48
  • http://serverfault.com/a/434196/162693 looks good – Wolfgang Fahl Oct 17 '15 at 17:00
  • @WolfgangFahl Yes, that looks like the best of the two answers to that question. – kasperd Oct 17 '15 at 17:09
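The answer above describes the two header bits that distinguish a stub-to-recursor exchange from a recursor-to-authoritative one: the client sets RD (recursion desired), and only a recursor sets RA (recursion available) in its reply. The following Python script is an added example, not code from the question or the answer. It builds a wire-format A query the way host, nslookup and dig do by default (RD set) and the way `dig +norecurse` does (RD clear), parses the reply header and answer section, and applies the checks a stub resolver makes before trusting a reply. The reply bytes are constructed by hand to mirror the dig output in the question (id 7759, flags "qr rd", testsrv.lan. 5 IN A 10.0.3.4); they were not captured from a real server, and the `classify` rules are this example's own, not any particular resolver's code.

```python
import socket
import struct

# Bits of the 16-bit flags word in the DNS header (RFC 1035, section 4.1.1).
QR = 0x8000        # set on responses
RD = 0x0100        # recursion desired: set by the client
RA = 0x0080        # recursion available: set by a recursor in its reply
RCODE_MASK = 0x000F
TYPE_A, CLASS_IN = 1, 1

def encode_name(name):
    """Encode "testsrv.lan" as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname, txid, recurse=True):
    """Wire-format A/IN query. recurse=True is the default of host, nslookup
    and dig; recurse=False is what `dig +norecurse` sends."""
    header = struct.pack("!HHHHHH", txid, RD if recurse else 0, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)

def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"txid": txid, "qr": bool(flags & QR), "rd": bool(flags & RD),
            "ra": bool(flags & RA), "rcode": flags & RCODE_MASK,
            "qdcount": qd, "ancount": an}

def skip_name(msg, off):
    """Offset just past a name at off, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length

def parse_a_records(msg):
    """IPv4 addresses from the answer section of a response."""
    hdr = parse_header(msg)
    off = 12
    for _ in range(hdr["qdcount"]):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(hdr["ancount"]):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def classify(query, response):
    """Checks a stub resolver makes before trusting a reply (this example's
    own rules). The RD/RA mismatch is the case in the question: dig shows
    the answer with a warning, host and nslookup move on to the next server."""
    q, r = parse_header(query), parse_header(response)
    if r["txid"] != q["txid"]:
        return "ignored: transaction id mismatch"
    if not r["qr"]:
        return "ignored: QR bit not set"
    if r["rcode"] != 0:
        return "error: rcode %d" % r["rcode"]
    if q["rd"] and not r["ra"]:
        return "warning: recursion requested but not available"
    return "ok"

# Constructed sample reply modelled on the dig output in the question
# (id 7759, flags "qr rd", one question, one answer testsrv.lan. 5 IN A 10.0.3.4).
# Hand-built for this example, not captured from a real server.
SAMPLE_QUERY = build_query("testsrv.lan", 7759)
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 7759, QR | RD, 1, 1, 0, 0)
    + encode_name("testsrv.lan") + struct.pack("!HH", TYPE_A, CLASS_IN)
    + b"\xc0\x0c"                               # pointer to the name at offset 12
    + struct.pack("!HHIH", TYPE_A, CLASS_IN, 5, 4) + socket.inet_aton("10.0.3.4")
)

if __name__ == "__main__":
    print(classify(SAMPLE_QUERY, SAMPLE_RESPONSE))
    print(parse_a_records(SAMPLE_RESPONSE))
    # Same reply, but queried the way dig +norecurse would: no warning.
    print(classify(build_query("testsrv.lan", 7759, recurse=False), SAMPLE_RESPONSE))
```

Run against the constructed reply, the RD query yields the "recursion requested but not available" warning while the answer section still parses to 10.0.3.4, which is exactly what dig printed; the same reply to a query without RD is clean, which is why `dig +norecurse` is the right tool when you really do want to talk to an authoritative server directly. Whether an RD/RA mismatch is a warning or a reason to try the next server is each tool's policy, which is why host and nslookup behaved differently from dig in the question.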