DNS with overlay network

Hi,

I want to set up an overlay network for specific servers in my network but am struggling with the DNS service. The DNS server (backend is samba4) has an up and running overlay network interface which is listening on port 53. DNS queries from within that DNS server over the overlay interface are working well, but when I query that DNS overlay IP from another client I get the error "** server can't find example.com: REFUSED". What am I missing? Testing with univention-firewall disabled does not work either.

Kind regards,
Christian

Check the UCR variables dns/allow/…, e.g. ucr search ^dns/allow/, as they restrict which clients can query the server for what information. DNS can be abused (by others) for DDoS attacks and as such UCS by default configures some restrictions.

Thanks for your reply. The variable dns/allow/query is set to any. But the tooltip says that this option is only active if dns/backend is set to ldap, and we are using the samba4 DNS backend.

The last Samba update, Erratum 368 for UCS 5.0-2, seems to have an unintended change: it denies several DNS queries which were previously allowed.

Maybe this also affects your setup, but I do not know.

Debugging this here requires more information, e.g.

  • your network setup: ip -c a and ip -c n
  • process listing: ps u $(pgrep -f named)
  • who’s listening on port 53: ss --udp -l -p 'sport = :domain'
  • Use dig @"$IP" "$(dnsdomainname)." any for all the server’s IPs as $IP to see if this works from your server itself plus any other remote hosts
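The last item of that checklist, the per-address dig probe, is the one that isolates the problem in this thread (one listener answers, another returns REFUSED). The script below is an added example for that step, not part of the forum reply: it walks every global IPv4 address the host owns, queries the local zone on each, and reduces dig's output to the status code so the addresses can be compared side by side. It assumes iproute2, dig and dnsdomainname are installed; the classification wording and the `probe-dns.sh` file name are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread): probe every address the server
# listens on and report the DNS status code per address.

# Extract the status (NOERROR, REFUSED, SERVFAIL, ...) from dig output on stdin.
# An empty result means no header at all, i.e. no answer came back.
dig_status() {
    sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Turn a status code into a short diagnosis for the operator.
classify() {
    case "$1" in
        NOERROR) echo "answers" ;;
        REFUSED) echo "refused (check allow-query / client ACLs on this listener)" ;;
        "")      echo "no response (firewall or nothing listening)" ;;
        *)       echo "other: $1" ;;
    esac
}

# Query the local zone via each global IPv4 address of this host, as the
# checklist asks, and print one line per address.
probe_all() {
    zone="$(dnsdomainname)."
    ip -o -4 addr show scope global | awk '{print $4}' | cut -d/ -f1 |
    while read -r addr; do
        status=$(dig @"$addr" "$zone" any +time=2 +tries=1 2>/dev/null | dig_status)
        printf '%-16s %s\n' "$addr" "$(classify "$status")"
    done
}

# Run the live probe only when executed as probe-dns.sh, so the functions can
# also be sourced and exercised without touching the network.
[ "${0##*/}" = "probe-dns.sh" ] && probe_all
```

Save it as `probe-dns.sh`, run it on the DNS server itself, then repeat the same dig line from a remote host on the overlay: if the server answers on its own overlay address but a remote client gets REFUSED, the restriction is client-based (an ACL on the source address), not a missing listener.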

Thanks for your time and your answer. We are still on UCS 4.4.

ip -c a gives this output:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 42:76:70:06:91:f6 brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.4/22 brd 172.16.3.255 scope global ens18
       valid_lft forever preferred_lft forever
    inet6 fe80::4076:70ff:fe06:91f6/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:8f:c4:9a:51 brd ff:ff:ff:ff:ff:ff
    inet 10.2.1.1/16 brd 10.2.255.255 scope global docker0
       valid_lft forever preferred_lft forever
4: tailscale0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none 
    inet 100.64.0.61/32 scope global tailscale0
       valid_lft forever preferred_lft forever
    inet6 fe80::17c9:2224:3b3f:f224/64 scope link flags 800 
       valid_lft forever preferred_lft forever

ps u $(pgrep -f named) outputs:

USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      1265  0.7  2.3 900996 94312 ?        Ssl  00:02   7:30 /usr/sbin/named -c /etc/bind/named.conf.samba4 -f -d

ss --udp -l -p 'sport = :domain' output:

State       Recv-Q Send-Q           Local Address:Port                            Peer Address:Port                
UNCONN      0      0                127.0.0.53%lo:domain                                     *:*                     users:(("systemd-resolve",pid=29397,fd=15))
UNCONN      0      0                  100.64.0.61:domain                                     *:*                     users:(("named",pid=1265,fd=521),("named",pid=1265,fd=520))
UNCONN      0      0                     10.2.1.1:domain                                     *:*                     users:(("named",pid=1265,fd=519),("named",pid=1265,fd=518))
UNCONN      0      0                   172.16.1.4:domain                                     *:*                     users:(("named",pid=1265,fd=517),("named",pid=1265,fd=516))
UNCONN      0      0                    127.0.0.1:domain                                     *:*                     users:(("named",pid=1265,fd=515),("named",pid=1265,fd=514))
UNCONN      0      0                           :::domain                                    :::*                     users:(("named",pid=1265,fd=513),("named",pid=1265,fd=512))

dig @100.64.0.61 $SOME_DNS_NAME any refuses the connection. “Digging” on the internal LAN IP 172.16.1.4 is working.
