Hi,

- does your Fedora 40 host have any hosts defined in its local /etc/hosts?
- on your IDM servers, do you have any DNS forwarder setup?

kinit admin
ipa dnsconfig-show
ipa dnsserver-show $HOSTNAME_OF_SERVER1
ipa dnsserver-show $HOSTNAME_OF_SERVER2

flo

On Wed, Aug 28, 2024 at 9:32 PM Ranbir via FreeIPA-users <[email protected]> wrote:

> Hi Everyone,
>
> I'm running into a weird DNS resolution problem (at home) for an
> external subdomain.
>
> rogersbank.com can be looked up from my Fedora 40 host joined to a two
> server AlmaLinux 9 IdM domain:
>
> $ dig rogersbank.com
>
> ; <<>> DiG 9.18.28 <<>> rogersbank.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40375
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 65494
> ;; QUESTION SECTION:
> ;rogersbank.com. IN A
>
> ;; ANSWER SECTION:
> rogersbank.com. 20 IN A 23.9.149.95
>
> ;; Query time: 26 msec
> ;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
> ;; WHEN: Wed Aug 28 13:39:18 EDT 2024
> ;; MSG SIZE rcvd: 5
>
>
> But, the lookup for rbaccess.rogersbank.com fails:
>
> $ dig rbaccess.rogersbank.com
> ;; communications error to 127.0.0.53#53: timed out
> ;; communications error to 127.0.0.53#53: timed out
> ;; communications error to 127.0.0.53#53: timed out
>
> ; <<>> DiG 9.18.28 <<>> rbaccess.rogersbank.com
> ;; global options: +cmd
> ;; no servers could be reached
>
>
> It doesn't actually work from any of the IdM enrolled hosts or the IdM
> servers themselves. However, from outside my network, the name
> rbaccess.rogersbank.com resolves without issue.
>
> $ dig @8.8.8.8 rbaccess.rogersbank.com
>
> ; <<>> DiG 9.18.28 <<>> @8.8.8.8 rbaccess.rogersbank.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49010
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; QUESTION SECTION:
> ;rbaccess.rogersbank.com. IN A
>
> ;; ANSWER SECTION:
> rbaccess.rogersbank.com. 72 IN CNAME rbaccess.rogersbank.tsysecom.com.
> rbaccess.rogersbank.tsysecom.com. 0 IN A 67.231.80.94
>
> ;; Query time: 48 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
> ;; WHEN: Wed Aug 28 15:18:27 EDT 2024
> ;; MSG SIZE rcvd: 111
>
>
> Here are the errors from query_errors.log:
>
> (rbaccess.rogersbank.com): query failed (timed out) for rbaccess.rogersbank.com/IN/A at ../../../lib/ns/query.c:7389
>
> (rbaccess.rogersbank.com): query failed (timed out) for rbaccess.rogersbank.com/IN/A at ../../../lib/ns/query.c:7389
>
> (rbaccess.rogersbank.com): query failed (timed out) for rbaccess.rogersbank.com/IN/A at ../../../lib/ns/query.c:7389
>
> (rbaccess.rogersbank.tsysecom.com): query failed (SERVFAIL) for rbaccess.rogersbank.tsysecom.com/IN/A at ../../../lib/ns/query.c:6659
>
>
> While trying to figure out what the problem is, I found the
> "authoritative nameserver" setting for the zone had the name of a
> decommissioned IdM host. I ran 'ipa-healthcheck --failures-only', got
> an error for "ipa-ca" missing one of my two IdM servers, updated the
> "authoritative nameserver" and saw no more DNS related failures
> reported by ipa-healthcheck. But, the DNS resolution for
> rbaccess.rogersbank.com is still failing.
>
> A couple of times the resolution has worked (ping was successful). I
> don't understand what's happening.
>
> Anyone have any tips that would help me narrow this down?
>
> Thanks.
>
> --
> Ranbir
>
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
