MAAS DNS not forwarding requests

Users
, ,
#1

Hello,
I have maas set to forward dns requests to 10.254.100.1 and 10.254.100.2 but it doesn’t seem to be forwarding.

From the maas server:

root@nm-203-31:/home# nslookup api.home.weka.io
Server:		127.0.0.53
Address:	127.0.0.53#53

** server can't find api.home.weka.io: SERVFAIL

When running the nslookup and tell it to use one of the forwarding dns server’s it works.

root@nm-203-31:/home# nslookup api.home.weka.io 10.254.100.1
Server: 10.254.100.1
Address: 10.254.100.1#53

Non-authoritative answer:
api.home.weka.io canonical name = api.home.prod.weka.io.
Name: api.home.prod.weka.io
Address: 54.77.97.234
Name: api.home.prod.weka.io
Address: 3.248.83.37
Name: api.home.prod.weka.io
Address: 52.49.69.116

DNS upstream is set as below:

Screen Shot 2022-04-08 at 4.38.47 PM
Screen Shot 2022-04-08 at 4.38.47 PM1238×284 20.9 KB

nslookup does some to resolve other outbound sites like yahoo.com, google.com etc and I’ve also restarted bind9 without success. Setting 8.8.8.8 as upstream didn’t seem to help either.

This is on MAAS 2.8.2 and the issue just suddenly happened.

1 Like
#2

I can’t explain why but it’s working now.

#3

had the same issue with bind and could not resolve any TLD .com .io domains yet the resolution of .net .ch .fr would just work without any problems.

In the UI I disabled the DNSSEC as I got some errors in the logs concerning verification:

Apr 06 19:30:52 maas named[2988120]: validating io/SOA: got insecure response; parent indicates it should be secure
Apr 06 19:30:52 maas named[2988120]: no valid RRSIG resolving 'docker.io/DS/IN': 10.10.10.102#53
Apr 06 19:30:52 maas named[2988120]: validating io/DNSKEY: got insecure response; parent indicates it should be secure
Apr 06 19:30:52 maas named[2988120]: insecurity proof failed resolving 'io/DNSKEY/IN': 10.10.10.102#53

Yet this action does restart the named/bind service and then magically solved the issue.
I am still in conversation with Canonical to find out the root cause of this one.

#4

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.

#5

marking this particular one as solved, since it’s working now, but @erickeller, can you get your conversation with Canonical linked into this post, so we can follow it?

#6