Hi Everyone,

I'm running into a weird DNS resolution problem (at home) for an
external subdomain.

rogersbank.com can be looked up from my Fedora 40 host joined to a two-server
AlmaLinux 9 IdM domain:

$ dig rogersbank.com

; <<>> DiG 9.18.28 <<>> rogersbank.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40375
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;rogersbank.com.                        IN      A

;; ANSWER SECTION:
rogersbank.com.         20      IN      A       23.9.149.95

;; Query time: 26 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Wed Aug 28 13:39:18 EDT 2024
;; MSG SIZE  rcvd: 5


But, the lookup for rbaccess.rogersbank.com fails:

$ dig rbaccess.rogersbank.com
;; communications error to 127.0.0.53#53: timed out
;; communications error to 127.0.0.53#53: timed out
;; communications error to 127.0.0.53#53: timed out

; <<>> DiG 9.18.28 <<>> rbaccess.rogersbank.com
;; global options: +cmd
;; no servers could be reached


It doesn't actually work from any of the IdM enrolled hosts or the IdM
servers themselves. However, from outside my network, the name
rbaccess.rogersbank.com resolves without issue.

$ dig @8.8.8.8 rbaccess.rogersbank.com

; <<>> DiG 9.18.28 <<>> @8.8.8.8 rbaccess.rogersbank.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49010
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;rbaccess.rogersbank.com.       IN      A

;; ANSWER SECTION:
rbaccess.rogersbank.com.
72      IN      CNAME   rbaccess.rogersbank.tsysecom.com.
rbaccess.rogersbank.tsysecom.com. 0 IN  A       67.231.80.94

;; Query time: 48 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Wed Aug 28 15:18:27 EDT 2024
;; MSG SIZE  rcvd: 111


Here are the errors from query_errors.log:

(rbaccess.rogersbank.com): query failed (timed out) for
rbaccess.rogersbank.com/IN/A at ../../../lib/ns/query.c:7389

(rbaccess.rogersbank.com): query failed (timed out) for
rbaccess.rogersbank.com/IN/A at ../../../lib/ns/query.c:7389

(rbaccess.rogersbank.com): query failed (timed out) for
rbaccess.rogersbank.com/IN/A at ../../../lib/ns/query.c:7389

(rbaccess.rogersbank.tsysecom.com): query failed (SERVFAIL) for
rbaccess.rogersbank.tsysecom.com/IN/A at ../../../lib/ns/query.c:6659


While trying to figure out what the problem is, I found the
"authoritative nameserver" setting for the zone had the name of a
decommissioned IdM host. I ran 'ipa-healthcheck --failures-only', got
an error for "ipa-ca" missing one of my two IdM servers, updated the
"authoritative nameserver" and saw no more DNS related failures
reported by ipa-healthcheck. But, the DNS resolution for
rbaccess.rogersbank.com is still failing.

A couple of times the resolution has worked (ping was successful). I
don't understand what's happening.

Anyone have any tips that would help me narrow this down?

Thanks.

-- 
Ranbir
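As an added example (not part of Ranbir's post or of FreeIPA/BIND), a small Python script that parses the query_errors.log format quoted above and tallies the failures per name, type and reason, then groups them by zone suffix so you can see whether the errors sit in the queried domain or in the domain its CNAME points into. The sample lines are constructed from the four entries in the post (mail wrapping removed); the regex assumes exactly the line shape shown there.

```python
import re
from collections import Counter

# BIND query_errors.log line shape as quoted in the post (an assumption for
# any other version/format):
#   (<qname>): query failed (<reason>) for <name>/<class>/<type> at <file>:<line>
LOG_RE = re.compile(
    r"^\((?P<qname>[^)]+)\): query failed \((?P<reason>[^)]+)\) for "
    r"(?P<name>\S+)/(?P<cls>\w+)/(?P<rtype>\w+) at (?P<src>\S+)$"
)

# Constructed sample: the four log entries from the post, unwrapped.
SAMPLE_LOG = "\n".join([
    "(rbaccess.rogersbank.com): query failed (timed out) for "
    "rbaccess.rogersbank.com/IN/A at ../../../lib/ns/query.c:7389",
] * 3 + [
    "(rbaccess.rogersbank.tsysecom.com): query failed (SERVFAIL) for "
    "rbaccess.rogersbank.tsysecom.com/IN/A at ../../../lib/ns/query.c:6659",
])


def parse_query_errors(text):
    """Return one dict per parsable line; unrecognised lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def summarize(entries):
    """Count failures per (name, record type, reason)."""
    return Counter((e["name"], e["rtype"], e["reason"]) for e in entries)


def suffix_failures(entries, suffix):
    """Distinct failing names at or below a zone suffix, so failures in the
    alias's own zone and in the CNAME target's zone can be told apart."""
    suffix = suffix.rstrip(".").lower()
    names = {e["name"].rstrip(".").lower() for e in entries}
    return sorted(n for n in names if n == suffix or n.endswith("." + suffix))


if __name__ == "__main__":
    ents = parse_query_errors(SAMPLE_LOG)
    for (name, rtype, reason), n in sorted(summarize(ents).items()):
        print(f"{n:3d}  {reason:<10} {name} {rtype}")
    print("failing under tsysecom.com:", suffix_failures(ents, "tsysecom.com"))
```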

-- 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org