Re: 9.2 DNS Confusion




On Thu, Nov 16, 2017 at 07:55:18PM +0000, Simon Slaytor wrote:
> Hi Folks,
> 
> Long time Debian user and up until now I've not had to reach out for help as
> I've always found the answer after a short Google.
> 
> I've recently made the move from 8.x to 9.2 for my production boxes and I'm
> having the mother of all DNS issues. My network is simple:
> 
> My network
> 2 x Juniper SSG-140 (Active/Passive) HA 1xTrust 1xDMZ 1xUntrust interfaces
> IPv4 only IPv6 is not enabled.
> 2 x Netgear GSM724 Switches
> 
> The Junipers do DNS proxying for the Trust and DMZ networks. Junipers are in
> NAT/Route mode.
> 
> Sitting on the Trust network (172.16.11.0/24) are Debian 8.8 / 9.2 and
> Windoze 10 devices.
> Sitting in the DMZ network (192.168.102.0/24) are Debian 9.2 and Centos 7
> devices
> 
> My problem is this, after a vanilla 9.2 AMD 64 install DNS resolution 99
> times out of 100 fails unless I force IPv4 for example:
> 
> xxxx@backup:~$ su
> Password:
> root@backup:/home/xxxx# cat /etc/resolv.conf
> domain abc.com
> search abc.com.
> nameserver 172.16.11.1
> root@backup:/home/xxxx# ip ad
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group
> default qlen 1
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>        valid_lft forever preferred_lft forever
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group
> default qlen 1000
>     link/ether ca:57:82:c2:51:ad brd ff:ff:ff:ff:ff:ff
>     inet 172.16.11.22/24 brd 172.16.11.255 scope global eth0
>        valid_lft forever preferred_lft forever
>     inet6 fe80::c857:82ff:fec2:51ad/64 scope link
>        valid_lft forever preferred_lft forever
> root@backup:/home/xxxx# ping www.apple.com
> ping: www.apple.com: Temporary failure in name resolution
> root@backup:/home/xxxx# ping -4 www.apple.com
> PING e6858.dsce9.akamaiedge.net (2.18.170.28) 56(84) bytes of data.
> 64 bytes from 2.18.170.28: icmp_seq=1 ttl=50 time=19.3 ms
> 64 bytes from 2.18.170.28: icmp_seq=2 ttl=50 time=19.7 ms
> ^C
> --- e6858.dsce9.akamaiedge.net ping statistics ---
> 2 packets transmitted, 2 received, 0% packet loss, time 1001ms
> rtt min/avg/max/mdev = 19.311/19.508/19.705/0.197 ms
> root@backup:/home/xxxx#
> 
> The above box is in the Trust network however the same result occurs if I
> use a host in the DMZ.
> 
> If I however use a Centos 7 box everything works as expected e.g.
> 
> [root@loadbalancer ~]# cat /etc/resolv.conf
> # Generated by NetworkManager
> nameserver 192.168.102.1
> [root@loadbalancer ~]# ip ad
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>        valid_lft forever preferred_lft forever
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen
> 1000
>     link/ether 22:e7:41:55:a6:9c brd ff:ff:ff:ff:ff:ff
>     inet 192.168.102.10/24 brd 192.168.102.255 scope global eth0
>        valid_lft forever preferred_lft forever
>     inet6 fe80::20e7:41ff:fe55:a69c/64 scope link
>        valid_lft forever preferred_lft forever
> [root@loadbalancer ~]# ping www.apple.com
> PING e6858.dsce9.akamaiedge.net (2.20.214.243) 56(84) bytes of data.
> 64 bytes from 2.20.214.243 (2.20.214.243): icmp_seq=1 ttl=55 time=28.4 ms
> 64 bytes from 2.20.214.243 (2.20.214.243): icmp_seq=2 ttl=55 time=28.4 ms
> ^C
> --- e6858.dsce9.akamaiedge.net ping statistics ---
> 3 packets transmitted, 2 received, 33% packet loss, time 2002ms
> rtt min/avg/max/mdev = 28.453/28.456/28.459/0.003 ms
> [root@loadbalancer ~]
> 
> Also Windoze 10 boxes running on the Trust network and Debian 8 boxes on
> both have no issues; it's purely the 9.2 boxes.
> 
> Any help would be much appreciated.

You can effectively disable IPv6 on a Debian box by editing
/etc/gai.conf and uncommenting the line:

precedence ::ffff:0:0/96  100

Does that make a difference for you?

-dsr-
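
The gai.conf edit suggested in the reply above, as an added example that is not part of the original thread: a shell helper that uncomments the rule idempotently, keeps a backup, and verifies the result. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Succeeds if FILE has an active (uncommented) "precedence ::ffff:0:0/96 100" rule.
gai_prefers_ipv4() {
    grep -Eq '^[[:space:]]*precedence[[:space:]]+::ffff:0:0/96[[:space:]]+100[[:space:]]*(#.*)?$' "$1"
}

# Uncomment the rule in FILE (default /etc/gai.conf); append it if the file
# does not carry it at all. Safe to run repeatedly. Leaves FILE.bak behind.
gai_enable_ipv4_pref() {
    file=${1:-/etc/gai.conf}
    [ -f "$file" ] || return 1
    if gai_prefers_ipv4 "$file"; then
        return 0                      # already active, nothing to change
    fi
    cp -p "$file" "$file.bak"
    tmp=$(mktemp)
    # Strip the leading '#' only from the value-100 rule; the commented
    # default table (value 10) stays untouched.
    sed -E 's|^[[:space:]]*#[[:space:]]*(precedence[[:space:]]+::ffff:0:0/96[[:space:]]+100([[:space:]].*)?)$|\1|' \
        "$file" > "$tmp"
    gai_prefers_ipv4 "$tmp" || printf 'precedence ::ffff:0:0/96  100\n' >> "$tmp"
    cat "$tmp" > "$file"              # overwrite in place, keeping owner and mode
    rm -f "$tmp"
}

# Constructed sample resembling the relevant part of a stock gai.conf.
gai_sample() {
    cat <<'EOF'
#precedence  ::1/128       50
#precedence  ::/0          40
#precedence ::ffff:0:0/96  10
#
#    For sites which prefer IPv4 connections change the last line to
#
#precedence ::ffff:0:0/96  100
EOF
}
```

Run `gai_enable_ipv4_pref` as root against `/etc/gai.conf`, then repeat the failing `ping www.apple.com` from the original post to see whether resolution now succeeds without `-4`.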