Where are DNS resolvers pulled from with dnspython? - python-3.x

I am trying to develop a python script using dnspython to do forward lookups by hostname only instead of FQDN. This obviously has a dependency on DHCP Option 15(connection specific DNS Suffix). When I do:
from dns import resolver
servs = resolver.Resolver()
print(servs.nameservers)
I see a DNS resolver that is not a part of the list of DNS servers in ipconfig /all. This DNS server sometimes causes issues because sometimes this is the first DNS server that dnspython uses for lookups. How can I find out where this DNS server is coming from and how can I get rid of it?
UPDATE
I just ran Get-DnsClientServerAddress in power shell and that rouge DNS server does not show up as a known DNS server for any of my interfaces

Related

Ubuntu 18.04 - How can I ignore offline DNS servers?

My case is as follows:
While at office, I use site-to-site VPN and my DNS servers are part of the office domain, which can be accessed only through the VPN.
While at home, I can connect to point-to-site VPN and DNS is working just fine.
The problem occurs while not connecting to the VPN in either way. I'm using systemd-resolved and my first 2 DNS servers are the domains servers, while the rest of the DNS servers can be reached without VPN.
Every request is sent to the first 2 servers, waiting for their response and since they are unreachable, it will take a few seconds for each request to reach a working DNS server.
My question is, can I set the system to ignore unreachable DNS servers for defined time before trying them again?
You can use work around with simplest script. If your VPN is off just change DNS. like this for example.
status=$(systemctl is-active --quiet service "your vpn site-to-site.service" && echo "running" );
if [ "$status" != "running" ]
then
"put your command here to change DNS when VPN is OFF"
else
"put your command here to change DNS when VPN is ON"
fi
Of course you can also checking current DNS settings to prevent no needed
the same changes in file if you will use cron for example.
I can help you with this script, but I need to see your
/etc/systemd/resolved.conf first. Of course without original IP
Your DNS settings should also be dynamically configured. If (for whatever strange reason) that is not possible, you have two options:
You can do some tweaking in your /etc/resolv.conf by adding line
options timeout:1
This will make internal resolver wait max. 1 second for answer before trying the next nameserver (default value is 5)
Install local DNS server, preferably lightweight one like dnsmasq or unbound. Configure it to forward requests for "example.com" to your internal DNS servers, and all other requests to default (public) DNS servers. Configure your OS resolver to use local DNS server.

Alternative to glibc Library call res_ninit for getting DNS details over DHCP

Is there a good API alternative to res_ninit?
There are problems with this call because the res->_u.ext.nscount6 and res->nscount do not reflect correct numbers. Adding a IPv6 address to /etc/resolv.conf still results in the nscount increasing where you would have expected the nscount6 to increase.
An older glibc version seems to increase both nscount and nscount6 for a IPv6 address in /etc/resolv.conf.
I am currently parsing resolv.conf directly because i am unable to depend on the res_ninit call. But this is fine for Manual DNS.
When it comes to DHCP DNS, then i need an API to give me the result. There is no other way (that i can think of) to determine the DNS IP addresses over DHCP.
Tried posting in other places within the board but not of help so far. E.g.
Retrieve IPv4 and IPv6 nameservers programmatically
res_ninit and res_init only ever read name server information from /etc/resolv.conf. You can always get the same data name servers by parsing /etc/resolv.conf yourself and examining the nameserver lines. If there is no nameserver line, the default 127.0.0.1 will be used.
I don't think it is necessary to provide an API for that because the file format is so simple that is likely more difficult to use the API than to read the file instead.
Name server assignment over DHCP is implemented by rewriting /etc/resolv.conf if there is no local caching resolver running on the machine. The exact mechanism used for that is distribution-specific, e.g. Debian uses resolvconf if it is installed.
If a local caching resolver is running on the system (such as dnsmasq or Unbound), name servers over DHCP can be directly configured in that caching resolver. In this case, /etc/resolv.conf will keep pointing to the same name server, typically by listing nameserver 127.0.0.1 or no name server information at all (which is the default).

DNS invalid records

I am having a bit of a head ache trying to setup my own HA solution with docker and nginx in the front acting as a load balancer.
They are actually configured by now. But as a fallback if the main node shuts down, I want to use another one since the nginx configuration for load balancing is replicated.
I thought that if I have two nodes, both set up with PowerDNS (alongside with nginx and docker), and I set those DNS servers to one of my domains, when a node shuts down, since the node is carrying the DNS server, subsequent requests will fetch the info from the other DNS server, in which the A record is configured to point to the local IP (and that way, points to the other load balancer).
Seems like I can't make that work.
Given that I have the following servers:
server_1 IP = 1.1.1.1
server_2 IP = 1.1.2.2
Each of them have a DNS server set up with PowerDNS (and fully functional, according to dig and other tests).
I got my domain DNS servers pointing to them:
ns1.example.com ---> 1.1.1.1
ns2.example.com ---> 1.1.2.2
ns1.example.com DNS server has:
example2.com A 1.1.1.1
ns2.example.com DNS server has:
example2.com A 1.1.2.2
So. Shouldn't example2.com point to 1.1.1.1/1.1.2.2 when both servers are running, but when the first server is not available, point to 1.1.2.2?
Well. When I shut down the first server and try, it gives me the IP of the first server instead of the second.
Even dig example2.com #ns2.example.com is giving me the IP defined in the A record for example2.com in the first DNS server.
Am I wrong, or there's something weird here?
I don't know where you got the idea that name servers are listed in some sort of priority order, but it's just plain wrong. All name servers authoritative for a zone are expected to have exactly the same content. Resolvers chose name servers to ask at random, to spread the load between them. Providing the authoritative servers with differing contents will only give the end users inconsistent results, not anything useful.
Also, you have forgotten that resolvers cache the answers they get. Even if DNS had worked as you thought (which is doesn't), it would have taken a resolver minutes or hours to notice the "failover".

DNS: internal and external nameservers

So, I'm on day 3...
I am running an Ubuntu.64-based distribution on a VirtualBox. I have the need to access both external ISP DNS servers, as well as "internal" DNS servers through an OpenVPN connection. At times I need to query the external DNS(#host example.com) through the eth0 interface; sometimes I need to query the VPN "internal" DNS (#host internal.local) through the tap0 interface.
My question is: how do I configure my system to query the correct nameserver-- the ISP DNS or the VPN DNS (for attempting zone transfers, for example)?
I've tried editing resolv.conf to include both external and internal nameservers/domains, with no luck (obviously). I've also tried mitigating the situation with dnsmasq. That got me close (I think).
I realize I can use dig to set the [#server] based on individual queries, but I would appreciate a systemic resolution.
Any help would be appreciated.
I've used the PowerDNS recursor for exactly this situation before; it is in the package pdns-recursor, if you wish to try it. You'll want to set your /etc/resolv.conf to query only 127.0.0.1 should you choose to try this approach.
The forward-zones directive lets you specify which servers to contact for which zones:
forward-zones= ds9a.nl=213.244.168.210, powerdns.com=127.0.0.1
It does look a little strange, since it is one configuration setting that takes multiple values, but you do get to specify exactly which servers are going to provide answers for which domains.

Ping Failure Without IPv6

Our user interface is communicating with another application on a different machine, often connecting using domain names.
On our network, when IPv6 is installed, DNS name resolution works great, all machines can be pinged and contacted fine.
When IPv6 is uninstalled, pinging the same DNS names returns an IP address on some distant subnet (24.28.193.9; local subnet is 192.168.1.1); our application is then unable to communicate. When IPv6 is reinstalled, the DNS resolution corrects itself.
Even without IPv6 when ping is not working, I can still browse other machines using Windows Explorer by entering \\\\MACHINE_NAME\\. I'm not sure why the name resolution seems to work here. We are working in the Windows XP SP2 environment.
The IPs of the machines can be pinged successfully. It is only the DNS names that do not resolve properly.
I looked for the address of our DNS server. All of our computers are pointing at the network gateway, which is a wireless router. The router has the same DNS server address listed when IPv6 is installed as it does when it isn't installed.
The strangest thing is that I just discovered that it does not matter what DNS name I ping. All pings to DNS names return the same address: "24.28.193.9".
I tried flushing the DNS Resolver Cache and registering DNS on the target machine and the source machine. All to no avail. The only DNS name that I can ping is the name of the current machine.
Any thoughts as to why our software can't communicate without IPv6 installed?
UPDATE:
OK, I've done a little more research now.
I looked for the address of our DNS server. All of our computers are pointing at the network gateway, which is a wireless router. The router has the same DNS server address listed when IPv6 is installed as it does when it isn't installed.
The strangest thing is that I just discovered that it does not matter what DNS name I ping. All pings to DNS names return the same address: "24.28.193.9".
I tried flushing the DNS Resolver Cache and registering DNS on the target machine and the source machine. All to no avail. The only DNS name that I can ping is the name of the current machine.
Any other suggestions? Thanks so much for your help.
You've got multiple things going on here
DNS Name resolution
Windows Name resolution
IP-IP ICMP communication
You've written your question as if there's a problem with #3, but everything you describe points to the problem actually being with #1. If you take resolution out of the question, can you ping the correct IPs with our without IPv6 installed?
It sounds like maybe you have an IPv6 name server installed that has correct information and the IPv4 name server is incorrect? Are you receiving name servers via DHCP or hard coding? What are the IPs of the name servers you are using when IPv6 is installed and when it isn't?
I know this is a late answer, but in case someone else has the same problem, the key is the IP address, "24.28.193.9". A quick Google search reveals it seems to be related to your ISP completely breaking the DNS protocol by returning a fixed IP address for all non-existent domain names (the correct answer would be NXDOMAIN). Your network gateway is most probably just forwarding your queries to your ISP's name servers.
Your systems are relying on the correct operation of the DNS protocol. They are expecting a NXDOMAIN answer before querying the name via other methods (most probably NetBIOS name resolution). Since the DNS server is completely broken and returning an incorrect answer, the correct address is never looked up.
The reason installing or uninstalling IPv6 changes the situation is most probably because something related to it is changing the name resolution order (to look up using other methods before trying DNS). So, a workaround would be to change the name resolution order yourself.
The real fix would be to either change to a better ISP (one which does not break established protocols) or run your own DNS server (which is what I started doing on all systems I administer ever since VeriSign pulled a similar stunt; theirs was even worse in that changing ISPs made no difference at all).
References:
Warning: Road Runner DNS says nonexistent domains exist

Resources