DNS queries from UCS systems in different subnets are refused by the Primary Directory Node
Problem:
In a UCS environment consisting of multiple Directory Nodes, DNS resolution from a system located in a different subnet fails with a REFUSED response, although network connectivity itself is fully functional.
Error messages like the following appear in /var/log/syslog:
root@pdn01:/var/log# tail syslog
2025-12-17T14:02:02.626218+01:00 pdn01 named[2795504]: client @0x7fe98be4f168 10.100.3.3#56252 (ucs-sso-ng.univention.intranet): query (cache) 'ucs-sso-ng.univention.intranet/A/IN' denied (allow-query-cache did not match)
2025-12-17T14:02:02.626742+01:00 pdn01 named[2795504]: client @0x7fe98cd6b168 10.100.3.3#44372 (ucs-sso-ng.univention.intranet): query (cache) 'ucs-sso-ng.univention.intranet/AAAA/IN' denied (allow-query-cache did not match)
2025-12-17T14:02:02.626781+01:00 pdn01 named[2795504]: client @0x7fe98cc31168 10.100.3.3#51471 (ucs-sso-ng.univention.intranet): query (cache) 'ucs-sso-ng.univention.intranet/AAAA/IN' denied (allow-query-cache did not match)
2025-12-17T14:02:02.626828+01:00 pdn01 named[2795504]: client @0x7fe98cd67168 10.100.3.3#36435 (ucs-sso-ng.univention.intranet): query (cache) 'ucs-sso-ng.univention.intranet/A/IN' denied (allow-query-cache did not match)
2025-12-17T14:02:57.130213+01:00 pdn01 named[2795504]: client @0x7fe98cd67168 10.100.3.2#59784 (google.com): query (cache) 'google.com/A/IN' denied (allow-query-cache did not match)
Environment:
The environment consists of three UCS servers:
Primary Directory Node (PDN)
- UCS version: 5.2-2 errata254
- IP address: 10.100.4.2
Backup Directory Node (BDN)
- UCS version: 5.2-2 errata254
- IP address: 10.100.4.3
Replica / Portal Server
- UCS version: 5.2-2 errata118
- IP address: 10.100.3.2
The PDN and BDN are located in the same subnet, while the Portal server is located in a different subnet.
Investigation:
Observed behavior
DNS queries from the BDN to the PDN work as expected:
dig +short google.com @10.100.4.2
172.217.19.78
DNS queries from the Portal server to the BDN also work correctly:
dig +short google.com @10.100.4.3
172.217.19.78
However, DNS queries from the Portal server to the PDN fail with a REFUSED response:
dig google.com @10.100.4.2
; <<>> DiG 9.18.33-1~deb12u2A~5.2.0.202501301650-Univention <<>> google.com @10.100.4.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 48013
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: d4ec50b8788e38ab010000006942a96a30352e8b8d32e8be (good)
; EDE: 18 (Prohibited)
;; QUESTION SECTION:
;google.com. IN A
;; Query time: 0 msec
;; SERVER: 10.100.4.2#53(10.100.4.2) (UDP)
;; WHEN: Wed Dec 17 13:55:40 CET 2025
;; MSG SIZE rcvd: 73
Log analysis on the Primary Directory Node
At the same time, the following messages appear in /var/log/syslog on the PDN:
query (cache) 'google.com/A/IN' denied (allow-query-cache did not match)
The source IP in these log messages corresponds to the Portal server (10.100.3.2).
Configuration state
The current value of the Univention Configuration Registry (UCR) variable dns/allow/query/cache is:
ucr get dns/allow/query/cache
localhost; 10.0.0.0/8; 169.254.0.0/16; 172.16.0.0/12; 192.168.0.0/16; fc00::/7; fe80::/10; localnets
Network connectivity verification
Network connectivity itself is fully functional:
- ICMP (ping) works
- TCP and UDP port 53 are reachable
Example:
nmap -sU 10.100.4.2 -p 53
53/udp open domain
nmap 10.100.4.2 -p 53
53/tcp open domain
This confirms that the issue is not caused by a firewall or routing problem.
Root Cause
The DNS service (BIND) on the Primary Directory Node refuses recursive DNS queries from the Portal server’s subnet.
This happens because the Portal subnet is not permitted to use the DNS cache, as enforced by the BIND directive allow-query-cache.
As a result:
- Queries from systems in the same subnet as the PDN or covered by existing network ranges are accepted.
- Queries from the Portal subnet are rejected with REFUSED, even though DNS is reachable.
In some installations, the issue can be aggravated by a missing or incomplete BIND configuration, caused by the univention-bind package not being installed on the Primary Directory Node.
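To see which element of the address-match list BIND actually hits for a given client, the following Python snippet (an added example, not part of the original article) evaluates an ACL string the way BIND does: left to right, first match wins, a leading "!" negates. The PDN interface addresses it uses for the built-in "localhost" and "localnets" ACLs are assumed. Note that with the UCR value shown above, 10.100.3.2 already matches 10.0.0.0/8; if a client matches but is still refused, the rendered configuration should be checked as described in Solution 2.

```python
import ipaddress

# Interface addresses assumed for the PDN in this example (constructed, not from the page);
# BIND derives the built-in ACLs "localhost" and "localnets" from the server's own interfaces.
SERVER_INTERFACES = ["127.0.0.1/8", "::1/128", "10.100.4.2/24"]

# Value of dns/allow/query/cache as reported by `ucr get` on the page.
CURRENT_ACL = ("localhost; 10.0.0.0/8; 169.254.0.0/16; 172.16.0.0/12; "
               "192.168.0.0/16; fc00::/7; fe80::/10; localnets")


def expand(element):
    """Expand one address-match-list element into the networks it stands for."""
    ifaces = [ipaddress.ip_interface(i) for i in SERVER_INTERFACES]
    if element == "localhost":          # the server's own addresses
        return [ipaddress.ip_network(str(i.ip)) for i in ifaces]
    if element == "localnets":          # the networks directly attached to the server
        return [i.network for i in ifaces]
    if element == "any":
        return [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
    if element == "none":
        return []
    return [ipaddress.ip_network(element, strict=False)]   # CIDR prefix or single address


def first_match(acl, client):
    """Evaluate `acl` for `client` the way BIND does: left to right, the first matching
    element wins, a leading '!' negates. Returns (allowed, matching_element);
    (False, None) means no element matched, which BIND treats as a denial."""
    addr = ipaddress.ip_address(client)
    for raw in (e.strip() for e in acl.split(";")):
        if not raw:
            continue
        negated = raw.startswith("!")
        element = raw.lstrip("! ")
        if any(addr.version == net.version and addr in net for net in expand(element)):
            return (not negated, raw)
    return (False, None)


if __name__ == "__main__":
    for client in ("10.100.3.2", "10.100.4.3", "203.0.113.5"):
        allowed, element = first_match(CURRENT_ACL, client)
        print(f"{client}: {'allowed' if allowed else 'denied'} by {element}")
```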
Solution 1: Allow DNS cache access for the Portal subnet
Extend the allowed networks for recursive DNS queries by adding the Portal subnet to the UCR variable dns/allow/query/cache on the Primary Directory Node.
Example:
ucr set dns/allow/query/cache="localhost; 10.0.0.0/8; 169.254.0.0/16; 172.16.0.0/12; 192.168.0.0/16; 10.100.3.0/24; fc00::/7; fe80::/10; localnets"
systemctl restart bind9
After this change, DNS queries from the Portal server (10.100.3.2) to the Primary Directory Node (10.100.4.2) should be answered successfully.
Solution 2: Verify DNS backend and BIND installation
If the issue persists or the BIND configuration appears incomplete, verify the following points.
1. Check the DNS backend
Ensure that the DNS backend is correctly set to LDAP:
ucr get dns/backend
Expected value:
ldap
2. Verify that univention-bind is installed on the PDN
In this case, it was discovered that the package univention-bind was not installed on the Primary Directory Node.
This resulted in:
- Missing UCR templates
- Incomplete or missing configuration files such as /etc/bind/named.conf and /etc/bind/named.conf.proxy
An indicator for this problem was the following warning during a manual UCR commit:
ucr commit /etc/bind/named.conf.proxy
Warning: The file '/etc/univention/templates/files/etc/bind/named.conf.proxy' is not registered as an UCR template.
The template /etc/univention/templates/files/etc/bind/named.conf.proxy is provided by the univention-bind package.
If the package is missing, UCR variables affecting DNS access control are not rendered into the active BIND configuration.
3. Check if the package univention-bind is installed
dpkg -l | grep bind
ii bind9 1:9.18.41-1~deb12u1A~5.2.3.202510271207 amd64 Internet Domain Name Server
ii bind9-dnsutils 1:9.18.41-1~deb12u1A~5.2.3.202510271207 amd64 Clients provided with BIND 9
ii bind9-host 1:9.18.41-1~deb12u1A~5.2.3.202510271207 amd64 DNS Lookup Utility
ii bind9-libs:amd64 1:9.18.41-1~deb12u1A~5.2.3.202510271207 amd64 Shared Libraries used by BIND 9
ii bind9-utils 1:9.18.41-1~deb12u1A~5.2.3.202510271207 amd64 Utilities for BIND 9
ii libnet-libidn-perl 0.12.ds-4+b1 amd64 Perl bindings for GNU Libidn
ii libnet-libidn2-perl 1.01-2+b1 amd64 Perl bindings for GNU Libidn2
ii libnss-winbind:amd64 2:4.21.1-1A~5.2.0.202510131304 amd64 Samba nameservice integration plugins
ii libpam-winbind:amd64 2:4.21.1-1A~5.2.0.202510131304 amd64 Windows domain authentication integration plugin
ii libwbclient0:amd64 2:4.21.1-1A~5.2.0.202510131304 amd64 Samba winbind client library
ii python3-cracklib 2.9.6-5+b1 amd64 Python3 bindings for password checker library cracklib2
ii python3-ldb 2:2.10.0+samba4.21.1-1A~5.2.0.202510131304 amd64 Python 3 bindings for LDB
ii python3-lmdb 1.4.0-1+b1 amd64 Python 3 binding for LMDB Lightning Memory-Mapped Database
ii python3-lxml:amd64 4.9.2-1+b1 amd64 pythonic binding for the libxml2 and libxslt libraries
ii python3-nacl 1.5.0-2 amd64 Python bindings to libsodium (Python 3)
ii python3-pycurl 7.45.2-3 amd64 Python bindings to libcurl (Python 3)
ii python3-pyinotify 0.9.6-2 all simple Linux inotify Python bindings
ii python3-samba 2:4.21.1-1A~5.2.0.202510131304 amd64 Python 3 bindings for Samba
ii python3-systemd 235-1+b2 amd64 Python 3 bindings for systemd
ii python3-talloc:amd64 2.4.2-1 amd64 hierarchical pool based memory allocator - Python3 bindings
ii python3-tdb 1.4.12-1 amd64 Python3 bindings for TDB
ii rpcbind 1.2.6-6+b1 amd64 converts RPC program numbers into universal addresses
rc univention-bind 16.4.0 all UCS - DNS server
The status rc (removed, configuration files remain) shows that univention-bind is not installed; only the Debian bind9 packages are present.
4. Install the missing package
Install the required package on the Primary Directory Node:
univention-install univention-bind
After installation, restart the DNS service:
systemctl restart bind9
This ensures that all relevant UCR variables are correctly applied to the BIND configuration /etc/bind/named.conf.proxy, including allow-recursion and allow-query-cache.
# Warning: This file is auto-generated and might be overwritten by
# univention-config-registry.
# Please edit the following file(s) instead:
# Warnung: Diese Datei wurde automatisch generiert und kann durch
# univention-config-registry ueberschrieben werden.
# Bitte bearbeiten Sie an Stelle dessen die folgende(n) Datei(en):
#
# /etc/univention/templates/files/etc/bind/named.conf.proxy
#
controls{
inet 127.0.0.1
allow { 127.0.0.1; };
};
options {
directory "/var/cache/bind";
listen-on { any; };
dnssec-validation no;
allow-query { any; };
allow-recursion { localhost; 10.0.0.0/8; 169.254.0.0/16; 172.16.0.0/12; 192.168.0.0/16; fc00::/7; fe80::/10; localnets; };
allow-query-cache { localhost; 10.0.0.0/8; 169.254.0.0/16; 172.16.0.0/12; 192.168.0.0/16; fc00::/7; fe80::/10; localnets; };
allow-transfer { any; };
listen-on-v6 { any; };
};
logging {
category lame-servers { null; };
category default{ default_syslog; };
channel default_syslog {
syslog daemon; # send to syslog's daemon facility
severity dynamic; # log at the server's current debug level
};
};
<skip>
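To check whether the UCR values were actually rendered into the configuration BIND loads, the following Python snippet (an added example, not part of the original article or of UCS) extracts the allow-query-cache directive from a named.conf.proxy text and compares it, element by element and in order, with the UCR value. The rendered excerpt and the UCR value are constructed inline; on a real system the file is /etc/bind/named.conf.proxy and the value comes from `ucr get dns/allow/query/cache`.

```python
import re

# Constructed excerpt of a rendered /etc/bind/named.conf.proxy, mirroring the page's listing;
# it reflects the value of dns/allow/query/cache before Solution 1 was applied.
RENDERED = """
options {
    directory "/var/cache/bind";
    allow-query { any; };
    allow-recursion { localhost; 10.0.0.0/8; 169.254.0.0/16; 172.16.0.0/12; 192.168.0.0/16; fc00::/7; fe80::/10; localnets; };
    allow-query-cache { localhost; 10.0.0.0/8; 169.254.0.0/16; 172.16.0.0/12; 192.168.0.0/16; fc00::/7; fe80::/10; localnets; };
};
"""

# UCR values as `ucr get` would return them after Solution 1 (constructed; on a real
# system read them with `ucr get <variable>`).
UCR_AFTER_SOLUTION_1 = {
    "dns/allow/query/cache": ("localhost; 10.0.0.0/8; 169.254.0.0/16; 172.16.0.0/12; "
                              "192.168.0.0/16; 10.100.3.0/24; fc00::/7; fe80::/10; localnets"),
}

# Only the directive-to-variable mapping the page documents; extend it as needed.
DIRECTIVE_TO_UCR = {"allow-query-cache": "dns/allow/query/cache"}


def normalize(acl):
    """Split an address-match list into its ordered elements (order matters to BIND)."""
    return [e.strip() for e in acl.split(";") if e.strip()]


def rendered_acl(conf_text, directive):
    """Return the elements of `directive { ... };` in the rendered file, or None if absent."""
    m = re.search(r"\b%s\s*\{([^}]*)\}\s*;" % re.escape(directive), conf_text)
    return normalize(m.group(1)) if m else None


def find_drift(conf_text, ucr):
    """Compare each documented UCR variable with what BIND actually loads.
    A differing or missing directive means the template was not applied
    (for example because univention-bind is not installed)."""
    drift = {}
    for directive, variable in DIRECTIVE_TO_UCR.items():
        expected = normalize(ucr.get(variable, ""))
        actual = rendered_acl(conf_text, directive)
        if actual != expected:
            drift[directive] = {"ucr": expected, "rendered": actual}
    return drift


if __name__ == "__main__":
    for directive, values in find_drift(RENDERED, UCR_AFTER_SOLUTION_1).items():
        print(f"{directive}: UCR has {values['ucr']} but BIND loads {values['rendered']}")
```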
Result
After applying Solution 1 and/or Solution 2:
- Recursive DNS queries from systems in different subnets are handled correctly
- The REFUSED responses disappear
- DNS resolution works consistently across all UCS nodes