As the subject says, I am running into a problem when I want to resolve download.microsoft.com.
Output (on the Primary Domain Controller, which is also responsible for DNS):
dig download.microsoft.com
; <<>> DiG 9.10.3-P4-Univention <<>> download.microsoft.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64680
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 27
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;download.microsoft.com. IN A
;; ANSWER SECTION:
download.microsoft.com. 1378 IN CNAME 2-01-4ca6-0004.cdx.cedexis.net.
2-01-4ca6-0004.cdx.cedexis.net. 1378 IN A 127.0.0.1
;; AUTHORITY SECTION:
. 15263 IN NS m.root-servers.net.
. 15263 IN NS e.root-servers.net.
. 15263 IN NS d.root-servers.net.
. 15263 IN NS f.root-servers.net.
. 15263 IN NS h.root-servers.net.
. 15263 IN NS l.root-servers.net.
. 15263 IN NS c.root-servers.net.
. 15263 IN NS a.root-servers.net.
. 15263 IN NS j.root-servers.net.
. 15263 IN NS g.root-servers.net.
. 15263 IN NS k.root-servers.net.
. 15263 IN NS b.root-servers.net.
. 15263 IN NS i.root-servers.net.
;; ADDITIONAL SECTION:
a.root-servers.net. 480015 IN A 198.41.0.4
a.root-servers.net. 481121 IN AAAA 2001:503:ba3e::2:30
b.root-servers.net. 518488 IN A 199.9.14.201
b.root-servers.net. 8775 IN AAAA 2001:500:200::b
c.root-servers.net. 524617 IN A 192.33.4.12
c.root-servers.net. 48014 IN AAAA 2001:500:2::c
d.root-servers.net. 511508 IN A 199.7.91.13
d.root-servers.net. 524245 IN AAAA 2001:500:2d::d
e.root-servers.net. 513785 IN A 192.203.230.10
e.root-servers.net. 3015 IN AAAA 2001:500:a8::
f.root-servers.net. 518362 IN A 192.5.5.241
f.root-servers.net. 48014 IN AAAA 2001:500:2f::f
g.root-servers.net. 524617 IN A 192.112.36.4
g.root-servers.net. 3015 IN AAAA 2001:500:12::d0d
h.root-servers.net. 510641 IN A 198.97.190.53
h.root-servers.net. 48014 IN AAAA 2001:500:1::53
i.root-servers.net. 524617 IN A 192.36.148.17
i.root-servers.net. 48014 IN AAAA 2001:7fe::53
j.root-servers.net. 482835 IN A 192.58.128.30
j.root-servers.net. 48014 IN AAAA 2001:503:c27::2:30
k.root-servers.net. 524617 IN A 193.0.14.129
k.root-servers.net. 48014 IN AAAA 2001:7fd::1
l.root-servers.net. 523920 IN A 199.7.83.42
l.root-servers.net. 48014 IN AAAA 2001:500:9f::42
m.root-servers.net. 524617 IN A 202.12.27.33
m.root-servers.net. 48014 IN AAAA 2001:dc3::35
;; Query time: 0 msec
;; SERVER: 172.16.1.1#53(172.16.1.1)
;; WHEN: Tue Sep 29 09:47:30 CEST 2020
;; MSG SIZE rcvd: 891
host download.microsoft.com
download.microsoft.com is an alias for 2-01-4ca6-0004.cdx.cedexis.net.
2-01-4ca6-0004.cdx.cedexis.net has address 127.0.0.1
2-01-4ca6-0004.cdx.cedexis.net has IPv6 address ::1
2-01-4ca6-0004.cdx.cedexis.net is an alias for main.dl.ms.akadns.net.
main.dl.ms.akadns.net is an alias for download.microsoft.com.edgekey.net.
download.microsoft.com.edgekey.net is an alias for e3673.dscg.akamaiedge.net.
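Two things stand out in the answers above that a practitioner would want checked mechanically: the chain for a public CDN name ends in 127.0.0.1 / ::1, and in the host output the cedexis.net name carries A/AAAA records and a CNAME at the same time, which RFC 1034 section 3.6.2 forbids (a CNAME must be the only data at its owner name). The script below is an added example, not code from the thread or from Univention: it parses dig and host output into one record shape and reports both conditions. The sample inputs are constructed from the dig/host output shown in the post.

```python
"""Added example: audit the CNAME chain in dig/host output for
non-routable end addresses and CNAME-plus-other-data owner names.
Sample inputs are constructed from the forum post's dig/host output."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the ANSWER SECTION (and start of AUTHORITY) from dig.
DIG_OUTPUT = """\
;; ANSWER SECTION:
download.microsoft.com. 1378 IN CNAME 2-01-4ca6-0004.cdx.cedexis.net.
2-01-4ca6-0004.cdx.cedexis.net. 1378 IN A 127.0.0.1

;; AUTHORITY SECTION:
. 15263 IN NS m.root-servers.net.
"""

# Constructed sample: the `host` output from the post.
HOST_OUTPUT = """\
download.microsoft.com is an alias for 2-01-4ca6-0004.cdx.cedexis.net.
2-01-4ca6-0004.cdx.cedexis.net has address 127.0.0.1
2-01-4ca6-0004.cdx.cedexis.net has IPv6 address ::1
2-01-4ca6-0004.cdx.cedexis.net is an alias for main.dl.ms.akadns.net.
main.dl.ms.akadns.net is an alias for download.microsoft.com.edgekey.net.
download.microsoft.com.edgekey.net is an alias for e3673.dscg.akamaiedge.net.
"""

RR_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|AAAA|CNAME)\s+(\S+)$")
HOST_ALIAS = re.compile(r"^(\S+) is an alias for (\S+)$")
HOST_ADDR = re.compile(r"^(\S+) has (?:IPv6 )?address (\S+)$")


def _norm(name):
    return name.rstrip(".").lower()


def parse_dig(text):
    """Records from dig's ANSWER SECTION as {owner: [(type, rdata), ...]}."""
    records = defaultdict(list)
    in_answer = False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):          # any other section header ends it
            in_answer = False
        if in_answer:
            m = RR_LINE.match(line.strip())
            if m:
                owner, rtype, rdata = m.groups()
                records[_norm(owner)].append((rtype, _norm(rdata)))
    return dict(records)


def parse_host(text):
    """Records from `host` output in the same {owner: [(type, rdata)]} shape."""
    records = defaultdict(list)
    for line in text.splitlines():
        m = HOST_ALIAS.match(line.strip())
        if m:
            records[_norm(m.group(1))].append(("CNAME", _norm(m.group(2))))
            continue
        m = HOST_ADDR.match(line.strip())
        if m:
            ip = ipaddress.ip_address(m.group(2))
            records[_norm(m.group(1))].append(("AAAA" if ip.version == 6 else "A", str(ip)))
    return dict(records)


def audit(records, qname):
    """Follow the CNAME chain from qname; return a list of finding strings."""
    findings = []
    for owner, rrs in records.items():      # RFC 1034 3.6.2: CNAME must stand alone
        types = {t for t, _ in rrs}
        if "CNAME" in types and types != {"CNAME"}:
            findings.append(f"{owner}: CNAME coexists with {sorted(types - {'CNAME'})} "
                            "(forbidden by RFC 1034 3.6.2; stale or forged data)")
    name, seen = _norm(qname), []
    while name not in seen:                 # also terminates on CNAME loops
        seen.append(name)
        for rtype, rdata in records.get(name, []):
            if rtype in ("A", "AAAA"):
                ip = ipaddress.ip_address(rdata)
                if ip.is_loopback or ip.is_private or ip.is_unspecified:
                    findings.append(f"{qname} -> {name} resolves to non-routable {rdata}")
        targets = [r for t, r in records.get(name, []) if t == "CNAME"]
        if not targets:
            break
        name = targets[0]
    return findings


if __name__ == "__main__":
    for label, recs in (("dig", parse_dig(DIG_OUTPUT)), ("host", parse_host(HOST_OUTPUT))):
        for f in audit(recs, "download.microsoft.com"):
            print(f"[{label}] {f}")
```

Run it against the output of the local resolver and then against each configured forwarder queried directly (dig @forwarder); if only the local resolver produces findings, the loopback answer is being injected or cached somewhere in the forwarding path rather than served by the CDN's authoritative servers.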
The DNS backend is Samba4, and when I resolve that name explicitly via the defined DNS forwarders it works as expected.
Yes, all servers and clients behave the same way.
The output of the host command is:
Using domain server:
Name: 172.16.1.1
Address: 172.16.1.1#53
Aliases:
download.microsoft.com is an alias for 2-01-4ca6-0004.cdx.cedexis.net.
2-01-4ca6-0004.cdx.cedexis.net has address 127.0.0.1
2-01-4ca6-0004.cdx.cedexis.net has IPv6 address ::1
Using domain server:
Name: 172.16.1.4
Address: 172.16.1.4#53
Aliases:
download.microsoft.com is an alias for 2-01-4ca6-0004.cdx.cedexis.net.
2-01-4ca6-0004.cdx.cedexis.net has address 127.0.0.1
2-01-4ca6-0004.cdx.cedexis.net has IPv6 address ::1
;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
@ IN A 127.0.0.1
@ IN AAAA ::1
# add local zones here
# add local zones here
# add local zones here
# add local zones, which have to be declared before the Samba 4 DLZ, here
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
After bind9 has been running for a while, it throws the following error:
Sep 29 13:30:25 srv-00-01 named[22119]: DNS format error from 46.182.19.48#53 resolving _msdcs.OURDOMAIN.de/NS for client 172.16.1.4#44204: Name OURDOMAIN.de (SOA) not subdomain of zone _msdcs.OURDOMAIN.de -- invalid response
I am unsure if this is related.
You might have some very unusual misconfiguration in your DNS settings. It should never ask an external DNS server for _msdcs records of your domain! And the external server should never reply! I currently have no clue what it could be. I guess it is not only UCS-related.
Do ucr commit /etc/bind/* ; systemctl restart bind9.
Then set the backend to samba4 and run /usr/share/univention-samba4/scripts/check_essential_samba4_dns_records.sh
Any errors there?
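The named message quoted above ("DNS format error from 46.182.19.48#53 resolving _msdcs.OURDOMAIN.de/NS for client ...") is exactly the evidence the reply points at: an AD-internal zone was looked up at an outside server. The script below is an added example, not part of the thread or of UCS, that scans named log lines for that message and flags every query for an Active Directory service zone (_msdcs, _sites, _tcp, _udp, DomainDnsZones, ForestDnsZones, or the domain apex) that was answered by a server outside the site's own address space. It assumes the AD domain is OURDOMAIN.de and the internal range is 172.16.0.0/12 (taken from the 172.16.1.x servers in the thread); the first log line is the one from the post, the other two are constructed to show a non-leak and a non-AD query.

```python
"""Added example: flag AD-internal zone queries that named sent to an
external resolver, based on its "DNS format error from ..." log message.
AD_DOMAIN and INTERNAL_NETS are assumptions; log lines 2 and 3 are constructed."""
import ipaddress
import re

AD_DOMAIN = "ourdomain.de"                               # assumption
INTERNAL_NETS = [ipaddress.ip_network("172.16.0.0/12")]  # assumption
AD_LABELS = {"_msdcs", "_sites", "_tcp", "_udp", "domaindnszones", "forestdnszones"}

LOG_RE = re.compile(
    r"named\[\d+\]: DNS format error from (?P<server>[0-9a-fA-F.:]+)#\d+ "
    r"resolving (?P<qname>\S+)/(?P<qtype>\S+) for client (?P<client>[0-9a-fA-F.:]+)#\d+: "
    r"(?P<detail>.*)$"
)

# First line is from the thread; the other two are constructed.
SAMPLE_LOG = """\
Sep 29 13:30:25 srv-00-01 named[22119]: DNS format error from 46.182.19.48#53 resolving _msdcs.OURDOMAIN.de/NS for client 172.16.1.4#44204: Name OURDOMAIN.de (SOA) not subdomain of zone _msdcs.OURDOMAIN.de -- invalid response
Sep 29 13:31:02 srv-00-01 named[22119]: DNS format error from 172.16.1.4#53 resolving _ldap._tcp.dc._msdcs.OURDOMAIN.de/SRV for client 172.16.1.20#51234: invalid response
Sep 29 13:32:10 srv-00-01 named[22119]: DNS format error from 198.51.100.7#53 resolving www.example.net/A for client 172.16.1.20#51300: invalid response
"""


def parse_line(line):
    """Return the message's fields as a dict, or None for any other log line."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def is_ad_internal(qname, ad_domain=AD_DOMAIN):
    """True if qname is the AD domain apex or lies under one of its service labels."""
    q, d = qname.rstrip(".").lower(), ad_domain.rstrip(".").lower()
    if q == d:
        return True
    if not q.endswith("." + d):
        return False
    return bool(AD_LABELS & set(q[: -len(d) - 1].split(".")))


def is_internal_server(addr, nets=INTERNAL_NETS):
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def find_leaks(text):
    """(server, qname, qtype, client) for each AD-internal query that an
    external server answered."""
    leaks = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev and is_ad_internal(ev["qname"]) and not is_internal_server(ev["server"]):
            leaks.append((ev["server"], ev["qname"], ev["qtype"], ev["client"]))
    return leaks


if __name__ == "__main__":
    for server, qname, qtype, client in find_leaks(SAMPLE_LOG):
        print(f"AD-internal query {qname}/{qtype} from {client} answered by external {server}")
```

Feed it the lines from journalctl -u bind9 (or the syslog file named writes to) after setting AD_DOMAIN and INTERNAL_NETS for the site; any hit means the resolver is forwarding or recursing for a zone it should be authoritative for, which is the misconfiguration the reply describes.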
No errors, and you may be correct about the misconfiguration. _msdcs resolved to one of our public IPs. After changing that, it now seems to work correctly.
What I am wondering about is that the Domain Controller's entry for _msdcs (set as an NS entry) has now vanished (because of the switching between ldap/samba4?). This entry was not set by me, so it may be a default entry. What is that NS record for?
And after resolving this entry correctly for a while, it is broken once again. I did not change anything in the meantime.
After a little digging I found out that another domain, download.windowsupdate.com, shows the same weird resolution behaviour.