TechnitiumSoftware / DnsServer

Technitium DNS Server
https://technitium.com/dns/
GNU General Public License v3.0

Two servers, zone transfers do not work, servers cannot resolve the other one #685

Closed damjank12 closed 1 year ago

damjank12 commented 1 year ago

Hello.

I have created two VMs, each in a different VLAN. One will be in charge of core and another of prod. If I add a record in either one, locally I can resolve those records, but asking the other server, I get either no answer or NXDOMAIN. I have turned off DNSSEC on both servers. Also, I have tried to add a secondary zone on either server, just to transfer zones between them. I cannot do that as each server is giving me "Error! DNS Server failed to find SOA record for: prod.sidk.lab" and vice versa - even if I add the IP address of the correct DNS server. Also, I have given the correct permissions and notification of the correct IP addresses of the destination DNS.

So I think I am facing two issues but from one core - each server will not reply that it is the master for the zone, even though it is configured as master and SOA.

Here is the setup details:

VLAN0 - core - 172.21.4.20, master for core.sidk.lab
VLAN5 - prod - 172.21.8.20, master for prod.sidk.lab

I cannot resolve the other DNS master zone, getting: Non-authoritative answer: *** Can't find core.sidk.lab: No answer

If trying a specific record from core to prod I get: ** server can't find net-mgmt-2.prod.sidk.lab: NXDOMAIN

If trying a specific record from prod to core I get: *** Can't find net-mgmt-1.core.sidk.lab: No answer

There is NO firewall between those servers and there is no firewall on servers at all (at least until I get this working).

Thanks in advance! D

ShreyasZare commented 1 year ago

Thanks for the post. From your description it seems like connectivity issue between both servers. Use the DNS Client tab on the server you plan to create a secondary zone and set the primary server's IP in there and query for the zone to test if you get a response.

If you get a response successfully then try to add the secondary zone and specify the primary server's IP when creating it since your zone is not public and thus the primary zone cannot be resolved otherwise. If the DNS Client test was successful then the secondary zone creation process will be able to resolve SOA record.

Try that and post here if you still have any issue. Also, do check the DNS logs from the panel once when you have any issues to see if any error was logged for it.

damjank12 commented 1 year ago

So I already checked that - below is the data from my attempt and since both of the servers respond same way, I posted result only from one.

[Screenshot 2023-07-27 at 12:32:24 not reproduced]

If I choose TCP instead of UDP, this is the response I get:

```json
{
  "Metadata": {
    "NameServer": "172.21.8.20",
    "Protocol": "Tcp",
    "DatagramSize": "117 bytes",
    "RoundTripTime": "33.87 ms"
  },
  "EDNS": {
    "UdpPayloadSize": 512,
    "ExtendedRCODE": "NxDomain",
    "Version": 0,
    "Flags": "None",
    "Options": []
  },
  "Identifier": 0,
  "IsResponse": true,
  "OPCODE": "StandardQuery",
  "AuthoritativeAnswer": false,
  "Truncation": false,
  "RecursionDesired": true,
  "RecursionAvailable": true,
  "Z": 0,
  "AuthenticData": false,
  "CheckingDisabled": false,
  "RCODE": "NxDomain",
  "QDCOUNT": 1,
  "ANCOUNT": 0,
  "NSCOUNT": 1,
  "ARCOUNT": 1,
  "Question": [
    {
      "Name": "prod.sidk.lab",
      "Type": "SOA",
      "Class": "IN"
    }
  ],
  "Answer": [],
  "Authority": [
    {
      "Name": "",
      "Type": "SOA",
      "Class": "IN",
      "TTL": "86346 (23 hours 59 mins 6 sec)",
      "RDLENGTH": "64 bytes",
      "RDATA": {
        "PrimaryNameServer": "a.root-servers.net",
        "ResponsiblePerson": "nstld@verisign-grs.com",
        "Serial": 2023072700,
        "Refresh": 1800,
        "Retry": 900,
        "Expire": 604800,
        "Minimum": 86400
      },
      "DnssecStatus": "Disabled"
    }
  ],
  "Additional": [
    {
      "Name": "",
      "Type": "OPT",
      "Class": "512",
      "TTL": "0 (0 sec)",
      "RDLENGTH": "0 bytes",
      "RDATA": {
        "Options": []
      },
      "DnssecStatus": "Disabled"
    }
  ]
}
```

Just to show, there is no port blockage from either one:

```
ssh damjank@172.21.4.20
damjank@net-mgmt-1:~$ hostname
net-mgmt-1
damjank@net-mgmt-1:~$ hostname -I
172.21.4.20
damjank@net-mgmt-1:~$ date
Thu Jul 27 11:37:37 BST 2023
damjank@net-mgmt-1:~$ telnet 172.21.8.20 53
Trying 172.21.8.20...
Connected to 172.21.8.20.
Escape character is '^]'.
```

and in the log of this particular server, there is only this for today:

```
[2023-07-27 10:29:05 UTC] Logging started.
[2023-07-27 10:29:05 UTC] DNS Server auth config file was saved: /etc/dns/auth.config
[2023-07-27 10:30:20 UTC] [192.168.129.2:55357] [admin] User logged in.
[2023-07-27 10:30:22 UTC] [192.168.129.2:55361] Check for update was done {updateAvailable: False; updateVersion: 11.3; updateTitle: New Update (v11.3) Available!; updateMessage: Follow the instructions from the link below to update the DNS server to the latest version. Read the change logs before installing this update to know if there are any breaking changes.; instructionsLink: https://blog.technitium.com/2017/11/running-dns-server-on-ubuntu-linux.html; changeLogLink: https://github.com/TechnitiumSoftware/DnsServer/blob/master/CHANGELOG.md;}
[2023-07-27 10:30:30 UTC] DNS Server auth config file was saved: /etc/dns/auth.config
```

ShreyasZare commented 1 year ago

It seems that the DNS server is not listening on UDP port 53 for some reason while TCP is working as expected. Check if you have any other process that is using the UDP port 53 by running netstat -nlpu | grep ":53" command. You can also restart the DNS server and check the DNS logs to confirm if it was bound to the UDP port.

Since TCP is working and you got an NXDOMAIN response, it means that there is no prod.sidk.lab primary zone or that it is disabled. OR looking at the OPT record in the TCP response where the class is 512, it seems that the response is coming from a totally different DNS server since Technitium DNS server will by default have class set to 1232 value unless you have changed the default value in Settings.
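The check described in this reply, as an added example that is not from the issue thread or from Technitium DNS Server's own code: a small Python SOA probe that extracts the three fields the diagnosis relies on, the RCODE, the AA flag, and the EDNS UDP payload size carried in the OPT record's class field, and flags an answer that cannot have come from the intended primary (AA clear, or a payload size other than the 1232 default). It doubles as a scripted version of the DNS Client SOA test suggested earlier in the thread. The sample response bytes, the zone name prod.sidk.lab and the 1232 expectation are constructed from what the thread shows; the server address, port 53 and the 3 s timeout are assumptions for the live `query()` helper.

```python
"""Minimal DNS SOA probe: build a query, parse the reply, report the fields
that reveal whether the intended primary actually answered. Added example,
not Technitium's code; sample bytes below are constructed from the thread."""
import socket
import struct

EXPECTED_EDNS_SIZE = 1232  # Technitium's default EDNS UDP payload size (from the thread)
RCODES = {0: "NoError", 1: "FormErr", 2: "ServFail", 3: "NxDomain", 5: "Refused", 9: "NotAuth"}


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_soa_query(name: str, txid: int = 0x1234, udp_size: int = EXPECTED_EDNS_SIZE) -> bytes:
    """Header (RD set, one question, one additional) + SOA/IN question + OPT pseudo-RR."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", 6, 1)  # type SOA, class IN
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)  # OPT: class = our payload size
    return header + question + opt


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer terminates the name
            return off + 2
        off += 1 + length


def parse_response(msg: bytes) -> dict:
    """Pull header flags/RCODE and the OPT class (responder's EDNS UDP size) out of a message."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    info = {"id": txid, "is_response": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "tc": bool(flags & 0x0200), "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
            "ancount": an, "nscount": ns, "arcount": ar, "edns_udp_size": None}
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == 41:  # OPT: the class field carries the responder's UDP payload size
            info["edns_udp_size"] = rclass
    return info


def looks_intercepted(info: dict, expected_size: int = EXPECTED_EDNS_SIZE) -> list:
    """Reasons an answer does not look like it came from the zone's own primary."""
    reasons = []
    if not info["aa"]:
        reasons.append("AA flag clear: responder is not authoritative for the zone")
    if info["edns_udp_size"] is not None and info["edns_udp_size"] != expected_size:
        reasons.append(f"EDNS UDP size {info['edns_udp_size']} != expected {expected_size}")
    return reasons


def query(server: str, name: str, tcp: bool = False, timeout: float = 3.0) -> dict:
    """Send the SOA query over UDP or TCP (2-byte length prefix) and parse the reply."""
    q = build_soa_query(name)
    if tcp:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(q)) + q)
            (n,) = struct.unpack("!H", s.recv(2))
            data = b""
            while len(data) < n:
                data += s.recv(n - len(data))
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (server, 53))
            data, _ = s.recvfrom(4096)
    return parse_response(data)


# Constructed sample shaped like the TCP answer pasted in the thread:
# NXDOMAIN, AA=0, RD/RA set, one root SOA in Authority, OPT with class 512.
_SOA_RDATA = (encode_name("a.root-servers.net") + encode_name("nstld.verisign-grs.com")
              + struct.pack("!IIIII", 2023072700, 1800, 900, 604800, 86400))
SAMPLE_HIJACKED = (struct.pack("!HHHHHH", 0, 0x8183, 1, 0, 1, 1)
                   + encode_name("prod.sidk.lab") + struct.pack("!HH", 6, 1)
                   + b"\x00" + struct.pack("!HHIH", 6, 1, 86346, len(_SOA_RDATA)) + _SOA_RDATA
                   + b"\x00" + struct.pack("!HHIH", 41, 512, 0, 0))


def check_sample() -> dict:
    """Parse the constructed sample and attach the interception reasons."""
    info = parse_response(SAMPLE_HIJACKED)
    info["reasons"] = looks_intercepted(info)
    return info


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: probe.py <primary-ip> <zone>
        for tcp in (False, True):
            result = query(sys.argv[1], sys.argv[2], tcp=tcp)
            print("TCP" if tcp else "UDP", result, looks_intercepted(result))
    else:
        print(check_sample())
```

Run it against the primary's IP and the zone name; an answer from the real primary shows `aa: True` and `edns_udp_size: 1232`, whereas the sample reproduces the thread's two tell-tales (AA clear, OPT class 512), which is exactly the pattern a router answering port 53 on the primary's behalf produces.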

damjank12 commented 1 year ago

So here is the result of the netstat (I used ss but the result is the same):

```
root@net-mgmt-1:~# ss -tulnp
Netid         State          Recv-Q         Send-Q                 Local Address:Port                 Peer Address:Port        Process
udp           UNCONN         0              0                            0.0.0.0:53                        0.0.0.0:*            users:(("dotnet",pid=715,fd=198))
udp           UNCONN         0              0                               [::]:53                           [::]:*            users:(("dotnet",pid=715,fd=200))
tcp           LISTEN         0              128                          0.0.0.0:22                        0.0.0.0:*            users:(("sshd",pid=441,fd=3))
tcp           LISTEN         0              100                          0.0.0.0:53                        0.0.0.0:*            users:(("dotnet",pid=715,fd=199))
tcp           LISTEN         0              512                                *:5380                            *:*            users:(("dotnet",pid=715,fd=197))
tcp           LISTEN         0              128                             [::]:22                           [::]:*            users:(("sshd",pid=441,fd=4))
tcp           LISTEN         0              100                             [::]:53                           [::]:*            users:(("dotnet",pid=715,fd=201))
```

No settings have been modified on the web interface or in the config files - all zones are enabled and active. Can you direct me where to check class 512/1232 please?

EDIT: also adding the log file after a restart of the dns.service:

```
[2023-07-27 10:29:05 UTC] Logging started.
[2023-07-27 10:29:05 UTC] DNS Server auth config file was saved: /etc/dns/auth.config
[2023-07-27 10:30:20 UTC] [192.168.129.2:55357] [admin] User logged in.
[2023-07-27 10:30:22 UTC] [192.168.129.2:55361] Check for update was done {updateAvailable: False; updateVersion: 11.3; updateTitle: New Update (v11.3) Available!; updateMessage: Follow the instructions from the link below to update the DNS server to the latest version. Read the change logs before installing this update to know if there are any breaking changes.; instructionsLink: https://blog.technitium.com/2017/11/running-dns-server-on-ubuntu-linux.html; changeLogLink: https://github.com/TechnitiumSoftware/DnsServer/blob/master/CHANGELOG.md;}
[2023-07-27 10:30:30 UTC] DNS Server auth config file was saved: /etc/dns/auth.config
[2023-07-27 10:57:51 UTC] [192.168.129.2:55907] [admin] Forwarder zone was deleted: prod.sidk.lab
[2023-07-27 10:57:51 UTC] Deleted zone file for domain: prod.sidk.lab
[2023-07-27 10:58:01 UTC] DNS Server auth config file was saved: /etc/dns/auth.config
[2023-07-27 11:01:53 UTC] DHCP Server successfully unloaded scope: core
[2023-07-27 11:01:53 UTC] Saving DNS Cache to disk...
[2023-07-27 11:01:53 UTC] DNS Cache was saved to disk successfully.
[2023-07-27 11:01:53 UTC] DNS Server (v11.3.0.0) was stopped successfully.
[2023-07-27 11:01:53 UTC] Logging stopped.
[2023-07-27 11:01:53 UTC] Logging started.
[2023-07-27 11:01:53 UTC] DNS Server auth config file was loaded: /etc/dns/auth.config
[2023-07-27 11:01:53 UTC] DNS Server config file was loaded: /etc/dns/dns.config
[2023-07-27 11:01:53 UTC] DNS Server successfully loaded zone file: /etc/dns/zones/ntp.org.zone
[2023-07-27 11:01:53 UTC] DNS Server successfully loaded zone file: /etc/dns/zones/4.21.172.in-addr.arpa.zone
[2023-07-27 11:01:53 UTC] DNS Server successfully loaded zone file: /etc/dns/zones/core.sidk.lab.zone
[2023-07-27 11:01:53 UTC] DNS Server is loading allowed zone file: /etc/dns/allowed.config
[2023-07-27 11:01:53 UTC] DNS Server is loading blocked zone file: /etc/dns/blocked.config
[2023-07-27 11:01:53 UTC] Loading DNS Cache from disk...
[2023-07-27 11:01:53 UTC] DNS Cache was loaded from disk successfully.
[2023-07-27 11:01:53 UTC] [[::]:5380] [HTTP] Web Service was bound successfully.
[2023-07-27 11:01:53 UTC] [0.0.0.0:53] [UDP] DNS Server was bound successfully.
[2023-07-27 11:01:53 UTC] [0.0.0.0:53] [TCP] DNS Server was bound successfully.
[2023-07-27 11:01:53 UTC] [[::]:53] [UDP] DNS Server was bound successfully.
[2023-07-27 11:01:53 UTC] [[::]:53] [TCP] DNS Server was bound successfully.
[2023-07-27 11:01:53 UTC] DHCP Server successfully loaded scope: core
[2023-07-27 11:01:53 UTC] DHCP Server successfully loaded scope file: /etc/dns/scopes/core.scope
[2023-07-27 11:01:53 UTC] DNS Server (v11.3.0.0) was started successfully.
[2023-07-27 11:02:03 UTC] DNS Server auth config file was saved: /etc/dns/auth.config
[2023-07-27 11:02:03 UTC] DNS Server failed to notify name server '172.21.8.20' (RCODE=NotAuth) for zone : core.sidk.lab
[2023-07-27 11:02:53 UTC] DNS Server failed to notify name server '172.21.8.20' for zone: 4.21.172.in-addr.arpa
TechnitiumLibrary.Net.Dns.DnsClientNoResponseException: DnsClient failed to resolve the request '4.21.172.in-addr.arpa. SOA IN': request timed out.
 ---> System.Net.Sockets.SocketException (110): Connection timed out
   at TechnitiumLibrary.Net.SocketExtensions.UdpQueryAsync(Socket socket, ArraySegment`1 request, ArraySegment`1 response, IPEndPoint remoteEP, Int32 timeout, Int32 retries, Boolean expBackoffTimeout, Func`2 isResponseValid, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\SocketExtensions.cs:line 143
   at TechnitiumLibrary.Net.Dns.ClientConnection.UdpClientConnection.QueryAsync(DnsDatagram request, Int32 timeout, Int32 retries, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\ClientConnection\UdpClientConnection.cs:line 196
   --- End of inner exception stack trace ---
   at TechnitiumLibrary.Net.Dns.ClientConnection.UdpClientConnection.QueryAsync(DnsDatagram request, Int32 timeout, Int32 retries, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\ClientConnection\UdpClientConnection.cs:line 201
   at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass72_0.<<InternalResolveAsync>g__DoResolveAsync|1>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4092
--- End of stack trace from previous location ---
   at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass72_0.<<InternalResolveAsync>g__DoResolveAsync|1>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4270
--- End of stack trace from previous location ---
   at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass72_0.<<InternalResolveAsync>g__DoResolveAsync|1>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4020
--- End of stack trace from previous location ---
   at TechnitiumLibrary.Net.Dns.DnsClient.InternalResolveAsync(DnsDatagram request, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4369
   at TechnitiumLibrary.Net.Dns.DnsClient.InternalNoDnssecResolveAsync(DnsDatagram request, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4383
   at DnsServerCore.Dns.Zones.ApexZone.NotifyNameServerAsync(DnsServer dnsServer, String nameServerHost, IReadOnlyList`1 nameServers) in Z:\Technitium\Projects\DnsServer\DnsServerCore\Dns\Zones\ApexZone.cs:line 359
[2023-07-27 11:03:47 UTC] [192.168.129.2:55945] Check for update was done {updateAvailable: False; updateVersion: 11.3; updateTitle: New Update (v11.3) Available!; updateMessage: Follow the instructions from the link below to update the DNS server to the latest version. Read the change logs before installing this update to know if there are any breaking changes.; instructionsLink: https://blog.technitium.com/2017/11/running-dns-server-on-ubuntu-linux.html; changeLogLink: https://github.com/TechnitiumSoftware/DnsServer/blob/master/CHANGELOG.md;}
```

ShreyasZare commented 1 year ago

Thanks for the details. Enable Log All Queries option from Settings > Logging section on the primary server and query again from the secondary server's DNS Client tab. Check if you see a log entry for the request. This will confirm if the request is indeed being answered by the primary server.

> Can you direct me where to check class 512/1232 please?

You will find this as EDNS UDP Payload Size in Settings > General section.

damjank12 commented 1 year ago

Installed sqlite, checked the logs after I did the query - no results, nothing there, also nothing in the standard logs. I can also confirm that the EDNS UDP Payload Size is at 1232.

By the way - if I query each DNS server for an external domain, like ubuntu.com, each resolves it correctly and replies - just the local primary/master zones are "not known".

ShreyasZare commented 1 year ago

It seems that the DNS requests between both the VLANs are being answered by your router which is why you do not see any entries in the logs. Check your router's config once to see if it is hijacking all DNS requests.

damjank12 commented 1 year ago

Oh my... I feel so dumb - in actuality there was UniFi in between doing some filtering; I disabled it now and they can clearly see each other without issue. I added secondaries on them - now I am facing an expired issue and I can see in the log that the notification failed... I am investigating further whether there could still be some filtering issue...

ShreyasZare commented 1 year ago

Good to know that you found out the issue. Check the primary server's DNS logs to know why the secondary didn't sync. Make sure that you have NS record for the secondary server and that the domain name in the NS record resolved to an IP from which the secondary server will be initiating the zone transfer.

damjank12 commented 1 year ago

Misconfiguration on my part - I was too hasty. It was actually the notification and allowance of transfer of the foreign zone - once I fixed that, I am all green. Thank you!!

ShreyasZare commented 1 year ago

Good to know that it's all working well.