I am running a bunch of services inside a AWS EKS cluster. Using below service as an example.
$ k get svc redis -n production
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
redis ClusterIP 10.100.215.197 <none> 6379/TCP 2y73d
When I use dig to find out the reverse dns record, it shows below:
root#server-684c765d78-6z4wv:/app# dig -x 10.100.215.197
; <<>> DiG 9.16.37-Debian <<>> -x 10.100.215.197
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15985
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 784136d1092b3acc (echoed)
;; QUESTION SECTION:
;197.215.100.10.in-addr.arpa. IN PTR
;; ANSWER SECTION:
197.215.100.10.in-addr.arpa. 5 IN PTR redis.production.svc.cluster.local.
;; Query time: 0 msec
;; SERVER: 10.100.0.10#53(10.100.0.10)
;; WHEN: Sun Feb 05 05:04:40 UTC 2023
;; MSG SIZE rcvd: 143
However, if I add a record type parameter any, it shows
root#server-684c765d78-6z4wv:/app# dig -x 10.100.215.197 any
; <<>> DiG 9.16.37-Debian <<>> -x 10.100.215.197 any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10130
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;197.215.100.10.in-addr.arpa. IN ANY
;; ANSWER SECTION:
197.215.100.10.in-addr.arpa. 30 IN PTR ip-10-100-215-197.us-east-2.compute.internal.
;; Query time: 4 msec
;; SERVER: 10.100.0.10#53(10.100.0.10)
;; WHEN: Sun Feb 05 05:04:42 UTC 2023
;; MSG SIZE rcvd: 141
My question is why it shows two different results redis.production.svc.cluster.local. and ip-10-100-215-197.us-east-2.compute.internal.? and what are their relation?
Related
I dont have a systemd-resolved, I have installed dnsmasq. nslookup shows concerned consul servers and master tagged server. but doesnt show replica tagged servers or ping any of consul domains.
I have systemd 219 and OL7. Currently node01 is the master. I am trying to ping or connect psql from within the same consul server.
bash-4.2$ psql -U postgres -h master.postgres-cluster.service.consul -p 6432
psql: could not translate host name "master.postgres-cluster.service.consul" to address: Name or service not known
bash-4.2$ consul members
Node Address Status Type Build Protocol DC Partition Segment
node1 node1_ip:8301 alive server 1.14.4 2 dc1 default <all>
node2 node2_ip:8301 alive server 1.14.4 2 dc1 default <all>
node3 node3_ip:8301 alive server 1.14.3 2 dc1 default <all>
bash-4.2$ dig #127.0.0.1 -p 8600 consul.service.consul
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.8 <<>> #127.0.0.1 -p 8600 consul.service.consul
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45170
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;consul.service.consul. IN A
;; ANSWER SECTION:
consul.service.consul. 0 IN A node2_ip
consul.service.consul. 0 IN A node3_ip
consul.service.consul. 0 IN A node1_ip
;; Query time: 0 msec
;; SERVER: 127.0.0.1#8600(127.0.0.1)
;; WHEN: Tue Feb 14 17:46:38 GMT 2023
;; MSG SIZE rcvd: 98
bash-4.2$ dig #127.0.0.1 -p 8600 postgres-cluster.service.consul
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.8 <<>> #127.0.0.1 -p 8600 postgres-cluster.service.consul
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31501
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;postgres-cluster.service.consul. IN A
;; ANSWER SECTION:
postgres-cluster.service.consul. 0 IN A node1_ip
;; Query time: 0 msec
;; SERVER: 127.0.0.1#8600(127.0.0.1)
;; WHEN: Tue Feb 14 17:46:46 GMT 2023
;; MSG SIZE rcvd: 76
bash-4.2$ dig #127.0.0.1 -p 8600 consul.service.consul
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.8 <<>> #127.0.0.1 -p 8600 consul.service.consul
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31321
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;consul.service.consul. IN A
;; ANSWER SECTION:
consul.service.consul. 0 IN A node1_ip
consul.service.consul. 0 IN A node3_ip
consul.service.consul. 0 IN A node2_ip
;; Query time: 0 msec
;; SERVER: 127.0.0.1#8600(127.0.0.1)
;; WHEN: Tue Feb 14 18:02:48 GMT 2023
;; MSG SIZE rcvd: 98
bash-4.2$ dig #127.0.0.1 -p 8600 postgres-cluster.service.consul
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.8 <<>> #127.0.0.1 -p 8600 postgres-cluster.service.consul
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31556
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;postgres-cluster.service.consul. IN A
;; ANSWER SECTION:
postgres-cluster.service.consul. 0 IN A node1_ip
;; Query time: 0 msec
;; SERVER: 127.0.0.1#8600(127.0.0.1)
;; WHEN: Tue Feb 14 18:03:06 GMT 2023
;; MSG SIZE rcvd: 76
bash-4.2$ ping master.postgres-cluster.service.consul
ping: master.postgres-cluster.service.consul: Name or service not known
bash-4.2$ dig #127.0.0.1 -p 8600 replica.postgres-cluster.service.consul
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.8 <<>> #127.0.0.1 -p 8600 replica.postgres-cluster.service.consul
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 35176
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;replica.postgres-cluster.service.consul. IN A
;; AUTHORITY SECTION:
consul. 0 IN SOA ns.consul. hostmaster.consul. 1676397839 3600 600 86400 0
;; Query time: 0 msec
;; SERVER: 127.0.0.1#8600(127.0.0.1)
;; WHEN: Tue Feb 14 18:03:59 GMT 2023
;; MSG SIZE rcvd: 118
bash-4.2$ dig #127.0.0.1 -p 8600 master.postgres-cluster.service.consul
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.8 <<>> #127.0.0.1 -p 8600 master.postgres-cluster.service.consul
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20545
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;master.postgres-cluster.service.consul. IN A
;; ANSWER SECTION:
master.postgres-cluster.service.consul. 0 IN A node1_ip
;; Query time: 0 msec
;; SERVER: 127.0.0.1#8600(127.0.0.1)
;; WHEN: Tue Feb 14 18:04:18 GMT 2023
;; MSG SIZE rcvd: 83
bash-4.2$ cat /etc/resolv.conf
search ourdomain.com
nameserver our_ns1
nameserver our_ns2
nameserver 127.0.0.1
If I dont specify name server in nslookup, it still fails;
bash-4.2$ nslookup consul.service.consul
Server: ns1
Address: ns1#53
** server can't find consul.service.consul: NXDOMAIN
bash-4.2$ nslookup postgres-cluster.service.consul 127.0.0.1 -port=8600
Server: 127.0.0.1
Address: 127.0.0.1#8600
Name: postgres-cluster.service.consul
Address: pgnod01_ip (current master)
bash-4.2$ nslookup consul.service.consul 127.0.0.1 -port=8600
Server: 127.0.0.1
Address: 127.0.0.1#8600
Name: consul.service.consul
Address: pgnode03_ip
Name: consul.service.consul
Address: pgnode02_ip
Name: consul.service.consul
Address: pgnode01_ip
The resolv.conf file will only use another nameserver only if the query times out.
If there are multiple servers, the resolver library queries them in the order listed. If no nameserver entries are present, the default is to use the name server on the local machine. (The algorithm used is to try a name server, and if the query times out, try the next, until out of name servers, then repeat trying all the name servers until a maximum number of retries are made.)
Given your use case, I would only keep the dnsmasq server in the resolv.conf file and update the configuration for dnsmasq to handle the queries using your custom nameservers.
Example:
resolv.conf
cat /etc/resolv.conf
search ourdomain.com
nameserver 127.0.0.1
dnsmasq configuration:
server=/consul/127.0.0.1#8600
server=our_ns1
server=our_ns2
I was able to start an unbound server and now can succecifuly use the dig command but can't use any other command due to name resolution failing.
$ dig one.one.one.one
; <<>> DiG 9.16.1-Ubuntu <<>> one.one.one.one
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37768
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;one.one.one.one. IN A
;; ANSWER SECTION:
one.one.one.one. 286 IN A 1.1.1.1
one.one.one.one. 286 IN A 1.0.0.1
;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon May 23 15:37:34 JST 2022
;; MSG SIZE rcvd: 76
$ ping one.one.one.one
ping: one.one.one.one: Temporary failure in name resolution
needed to add loopback address to /etc/resolv.conf
Youtube and Netflix operate on Content Distributed Networks probably. I realized that Youtube operates on Google and Netflix on Amazon Web services. So, I can't exactly get the IPs on which they operate. Youtube is under AS Number 15169 i.e belongs to google and Netflix responds using several ASNs belonging to AWS like 15609 and 14168.
So, IP ASN lookups like
'curl https://api.hackertarget.com/aslookup/?q=AS15169'
will provide wrong answers I think as they list all IPs of google also.
dig youtube.com
provides
; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> youtube.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36383
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;youtube.com. IN A
;; ANSWER SECTION:
youtube.com. 300 IN A 172.217.161.142
;; Query time: 599 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Tue May 19 04:21:33 IST 2020
;; MSG SIZE rcvd: 56
which is same as the one obtained by pinging youtube but the address changes if we change our location using VPNs
dig netflix.com
provides
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13053
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;netflix.com. IN A
;; ANSWER SECTION:
netflix.com. 60 IN A 54.71.93.100
netflix.com. 60 IN A 54.149.160.164
netflix.com. 60 IN A 35.166.180.66
netflix.com. 60 IN A 35.165.194.49
netflix.com. 60 IN A 52.41.168.84
netflix.com. 60 IN A 34.208.21.204
netflix.com. 60 IN A 54.68.234.134
netflix.com. 60 IN A 52.34.38.200
;; Query time: 581 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Tue May 19 04:21:14 IST 2020
;; MSG SIZE rcvd: 168
It also changes with VPNs.
It will be great if I can obtain confirmed IPs used by Youtube and Netflix.
I have two mirrored forward DNS server(for simplifying, named f1, f2) which forward some domain request to my authoritative DNS server(also named a1, a2), I added some new domain to my authoritative DNS server, but when I nslookup the new domain from f1 or f2, I got Non-existent domain error like the following. If I nslookup from a1 or a2, it worked.
C:\Users\Liu.D.H>nslookup www.yqsbfiles.ynu.edu.cn
Server: ynu-public-dns-a.ynu.edu.cn
Address: 113.55.13.51
*** ynu-public-dns-a.ynu.edu.cn can't find www.yqsbfiles.ynu.edu.cn: Non-existent domain
C:\Users\Liu.D.H>
I also used dig to get more debug info.
C:\Users\Liu.D.H>dig www.yqsbfiles.ynu.edu.cn #113.55.13.52
; <<>> DiG 9.10.6 <<>> www.yqsbfiles.ynu.edu.cn #113.55.13.52
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 28130
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.yqsbfiles.ynu.edu.cn. IN A
;; AUTHORITY SECTION:
ynu.edu.cn. 9936 IN SOA pridns.ynu.edu.cn. root.pridns.ynu.edu.cn. 2016062301 10800 3600 604800 86400
;; Query time: 0 msec
;; SERVER: 113.55.13.52#53(113.55.13.52)
;; WHEN: Fri Jun 08 10:44:35 China Standard Time 2018
;; MSG SIZE rcvd: 101
C:\Users\Liu.D.H>
But the strange thing was that if I did rndc flush on one of f1 or f2, then I can request successfully.
C:\Users\Liu.D.H>dig www.yqsbfiles.ynu.edu.cn #113.55.13.51
; <<>> DiG 9.10.6 <<>> www.yqsbfiles.ynu.edu.cn #113.55.13.51
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4168
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.yqsbfiles.ynu.edu.cn. IN A
;; ANSWER SECTION:
www.yqsbfiles.ynu.edu.cn. 86400 IN CNAME lb-http.ynu.edu.cn.
lb-http.ynu.edu.cn. 86393 IN A 202.203.208.41
;; AUTHORITY SECTION:
ynu.edu.cn. 86391 IN NS secdns.ynu.edu.cn.
ynu.edu.cn. 86391 IN NS pridns.ynu.edu.cn.
;; ADDITIONAL SECTION:
pridns.ynu.edu.cn. 86396 IN A 202.203.208.33
pridns.ynu.edu.cn. 86396 IN AAAA 2001:250:2800:2::33
secdns.ynu.edu.cn. 86391 IN A 202.203.208.34
secdns.ynu.edu.cn. 86391 IN AAAA 2001:250:2800:2::34
;; Query time: 2 msec
;; SERVER: 113.55.13.51#53(113.55.13.51)
;; WHEN: Fri Jun 08 10:43:02 China Standard Time 2018
;; MSG SIZE rcvd: 221
C:\Users\Liu.D.H>
I noticed that this two dig output had something different in AUTHORITY SECTION.
Any help would be appreciated. Thanks in advance.
You need to register the Authoritative Domain name server with the domain registrar for your new domain pointing to a1 and a2. After that it will work fine.
After upgrading from bind 9.11 to 9.12, Windows (but not Linux) clients on the network started barfing "server not found" error messages for some sites. after a thorough investigation, the problem seems to be that bind 9.12 doesn't send additional data in DNS replies for out of zone cnames and Windows just doesn't do the recursion.
reply from 9.12:
; <<>> DiG 9.12.0 <<>> imap.asterix.cz #europa.podgorny.cz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23207
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: d5fa7daebf3a1ffe1805060a5a9d352ffebb15250033a69e (good)
;; QUESTION SECTION:
;imap.asterix.cz. IN A
;; ANSWER SECTION:
imap.asterix.cz. 2463 IN CNAME admiral.podgorny.cz.
;; Query time: 2 msec
;; SERVER: 2002:2e24:2741:9900::1#53(2002:2e24:2741:9900::1)
;; WHEN: Mon Mar 05 13:16:47 CET 2018
;; MSG SIZE rcvd: 105
reply from 9.11:
; <<>> DiG 9.12.0 <<>> imap.asterix.cz #taurus.asterix.cz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50822
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 618a6ee9520f91081b7089bf5a9d356ab7eca595939a467c (good)
;; QUESTION SECTION:
;imap.asterix.cz. IN A
;; ANSWER SECTION:
imap.asterix.cz. 3600 IN CNAME admiral.podgorny.cz.
admiral.podgorny.cz. 3235 IN A 46.36.39.65
;; AUTHORITY SECTION:
podgorny.cz. 1256 IN NS ns3.podgorny.cz.
podgorny.cz. 1256 IN NS ns2.podgorny.cz.
podgorny.cz. 1256 IN NS ns1.podgorny.cz.
;; Query time: 52 msec
;; SERVER: 2002:2e24:2741:8800::1#53(2002:2e24:2741:8800::1)
;; WHEN: Mon Mar 05 13:17:46 CET 2018
;; MSG SIZE rcvd: 173
so, it seems like there's more questions to ask:
How do I make bind 9.12 return full replies? (it seems they removed the additional-from-cache and additional-from-auth configuration settings)
How do I make Windows resolver do the recursion?
What is the "correct" way of solving this? is it Windows' fault? or is bind's default setting bad? is there a rfc for this?
This is a bug in 9.12.0 that was fixed now 9.12.1.
https://kb.isc.org/article/AA-01598/0/BIND-9.12.1-Release-Notes.html