DNS answering with addresses it shouldn't know

I setup dns on my UCS server as follows:

# ucr search --brief ^nameserv dns/forward
connector/s4/mapping/dns/forward_zone/.*/static/ipv4: <empty>
connector/s4/mapping/dns/forward_zone/.*/static/ipv6: <empty>
dns/forwarder1: <DNS1>
dns/forwarder2: <DNS2>
dns/forwarder3: <DNS3>
nameserver/external: false
nameserver/option/timeout: 2
nameserver1: <UCS-IP>
nameserver2: <empty>
nameserver3: <empty>

Now I get the phenomenon that, despite running rndc flush multiple times, a dig @localhost google.com returns 4 IPv4 and 4 IPv6 addresses, despite the three configured forwarders only answering with one IPv4 address. Where does my UCS get those addresses from?

Even if I unset dns/forwarder2 and 3, and set dns/forwarder1=1.2.3.4, it still reports the same 4 IPv6 and 4 IPv4 addresses, seemingly unfazed (albeit with about 2-3 seconds of delay).

And yes, I do run systemctl restart bind9 after I change the variables.

Where should I look?

Hi,

first: when you change UCR variables, just restarting the service with systemctl restart does not do anything. You should make sure your changes are written to the correct configuration files.
So do:
ucr commit
followed by
systemctl restart bind9

Only then will your variable changes be seen by bind!

Additionally I am pretty sure bind requests not only A but also AAAA records. Same for your forwarder. Unless you have completely disabled IPv6 (which is by now somewhat difficult) you will always get both records.

For further troubleshooting you will need to post here the commands you used to examine the DNS replies. Otherwise we cannot really help.

Greetings

/KNEBB

Hi knebb,

I checked the bind configuration files directly after changing the variables, and they do get changed.

This was consequently not needed. After doing it, just to be sure, nothing changed.

This is something I should have mentioned. Our network doesn’t support IPv6, so I disabled it on the UCS.
It is just

sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1

right?
And of course that’s also made permanent in a sysctl config file under /etc/sysctl.

The command I used to query the DNS is mentioned above:

dig @localhost google.com

For the forwarders, it is

dig @[forwarder] google.com

I just noticed that the IPv6 entries are only present in the ADDITIONAL SECTION, and there are some entries in the AUTHORITY SECTION, both of which UCS shouldn't be able to get, because none of the 3 forwarders supplies that, and UCS itself doesn't have access to the www.

Greetings
IT-department of iPAT
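Added example (not part of the thread, and not a UCS or BIND tool): a small POSIX shell helper that splits a dig response into its ANSWER, AUTHORITY and ADDITIONAL sections, counts records per type, and compares the ANSWER A records returned by the local resolver with those returned by a forwarder. This is the check the last post implies: glue records in ADDITIONAL and NS records in AUTHORITY are not answers, so only ANSWER should be compared. The two dig outputs embedded below are constructed, using documentation addresses (192.0.2.0/24, 2001:db8::/32) rather than real google.com data; the function names dig_section, count_rrtype, rdata_of and answers_match are my own.

```shell
#!/bin/sh
# Real use: dig @localhost google.com A > local.txt; dig @<DNS1> google.com A > fwd.txt
# then feed those files to the functions below instead of the constructed samples.

# Print only the resource records of one section (ANSWER, AUTHORITY or ADDITIONAL)
# of the dig output read from stdin. Header/comment lines start with ';' and are skipped;
# ";; OPT PSEUDOSECTION:" deliberately does not match "<NAME> SECTION:".
dig_section() {
    awk -v want="$1" '
        /^;; [A-Z]+ SECTION:/ { sec = $2; next }
        /^;/ || NF == 0       { next }
        sec == want           { print }
    '
}

# Number of records of type $2 (A, AAAA, NS, ...) in section $1. Record lines are
# "<name> <ttl> <class> <type> <rdata>", so the type is field 4.
count_rrtype() {
    dig_section "$1" | awk -v t="$2" '$4 == t { n++ } END { print n + 0 }'
}

# Sorted rdata (field 5) of all records of type $2 in section $1, for set comparison.
rdata_of() {
    dig_section "$1" | awk -v t="$2" '$4 == t { print $5 }' | sort
}

# Exit 0 if two dig outputs carry the same set of A records in their ANSWER section.
answers_match() {
    a=$(printf '%s\n' "$1" | rdata_of ANSWER A)
    b=$(printf '%s\n' "$2" | rdata_of ANSWER A)
    [ "$a" = "$b" ]
}

# Constructed sample: what the local resolver in the thread returns (4 A answers,
# 4 NS in AUTHORITY, glue A and AAAA in ADDITIONAL). Not real data.
SAMPLE_LOCAL=$(cat <<'EOF'
; <<>> DiG 9.16.27 <<>> @localhost google.com
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             300     IN      A       192.0.2.10
google.com.             300     IN      A       192.0.2.11
google.com.             300     IN      A       192.0.2.12
google.com.             300     IN      A       192.0.2.13

;; AUTHORITY SECTION:
google.com.             172800  IN      NS      ns1.google.com.
google.com.             172800  IN      NS      ns2.google.com.
google.com.             172800  IN      NS      ns3.google.com.
google.com.             172800  IN      NS      ns4.google.com.

;; ADDITIONAL SECTION:
ns1.google.com.         172800  IN      A       192.0.2.53
ns2.google.com.         172800  IN      A       192.0.2.54
ns3.google.com.         172800  IN      A       192.0.2.55
ns4.google.com.         172800  IN      A       192.0.2.56
ns1.google.com.         172800  IN      AAAA    2001:db8::53
ns2.google.com.         172800  IN      AAAA    2001:db8::54
ns3.google.com.         172800  IN      AAAA    2001:db8::55
ns4.google.com.         172800  IN      AAAA    2001:db8::56
EOF
)

# Constructed sample: what a forwarder in the thread returns (one A record only).
SAMPLE_FWD=$(cat <<'EOF'
; <<>> DiG 9.16.27 <<>> @192.0.2.1 google.com
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             300     IN      A       192.0.2.10
EOF
)

# Stand-alone run: per-section record counts, then the ANSWER comparison.
for sec in ANSWER AUTHORITY ADDITIONAL; do
    printf 'local %-10s A=%s AAAA=%s NS=%s\n' "$sec" \
        "$(printf '%s\n' "$SAMPLE_LOCAL" | count_rrtype "$sec" A)" \
        "$(printf '%s\n' "$SAMPLE_LOCAL" | count_rrtype "$sec" AAAA)" \
        "$(printf '%s\n' "$SAMPLE_LOCAL" | count_rrtype "$sec" NS)"
done
if answers_match "$SAMPLE_LOCAL" "$SAMPLE_FWD"; then
    echo "ANSWER A records match the forwarder"
else
    echo "ANSWER A records differ from the forwarder: local resolver is not using it"
fi
```

On the constructed data the AAAA records live only in ADDITIONAL (glue for the NS records in AUTHORITY), which is what a recursive resolver produces when it walks the delegation itself instead of forwarding; a resolver that really sends everything to a forwarder returning one A record would yield an ANSWER set identical to the forwarder's.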
