Re[2]: 9.2 DNS Confusion

Hi Dan,

Yes, my thoughts exactly. I've tried numerous ways, including the gai.conf mod to 'disable' IPv6 on 9.2; none seem all that successful in 9.2, e.g.

root@backup:/home/xxxx# cat /etc/gai.conf
# Configuration for getaddrinfo(3).
#
...
...
...
#
#precedence ::1/128 50
#precedence ::/0 40
#precedence 2002::/16 30
#precedence ::/96 20
#precedence ::ffff:0:0/96 10
#
# For sites which prefer IPv4 connections change the last line to
#
precedence ::ffff:0:0/96 100

#
# scopev4 <mask> <value>
# Add another rule to the RFC 6724 scope table for IPv4 addresses.
...
...
...
#scopev4 ::ffff:127.0.0.0/104 2
#scopev4 ::ffff:0.0.0.0/96 14

root@backup:/home/xxxx# ip ad
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether ca:57:82:c2:51:ad brd ff:ff:ff:ff:ff:ff
    inet 172.16.11.22/24 brd 172.16.11.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::c857:82ff:fec2:51ad/64 scope link
       valid_lft forever preferred_lft forever
root@backup:/home/xxxx#

root@backup:/home/xxxx# ping www.google.com
ping: www.google.com: Temporary failure in name resolution
root@backup:/home/xxxx# ping -4 www.google.com
PING www.google.com (216.58.206.36) 56(84) bytes of data.
64 bytes from 216.58.206.36: icmp_seq=1 ttl=54 time=11.2 ms
64 bytes from 216.58.206.36: icmp_seq=2 ttl=54 time=11.2 ms
64 bytes from 216.58.206.36: icmp_seq=3 ttl=54 time=11.5 ms
64 bytes from 216.58.206.36: icmp_seq=4 ttl=54 time=11.3 ms
64 bytes from 216.58.206.36: icmp_seq=5 ttl=54 time=11.3 ms
^C
--- www.google.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 11.2

------ Original Message ------
From: "Dan Ritter" <dsr@xxxxxxxxxxxxxxxx>
To: "Simon Slaytor" <simon@xxxxxxxxxxx>
Cc: debian-user@xxxxxxxxxxxxxxxx
Sent: 17/11/2017 16:39:57
Subject: Re: 9.2 DNS Confusion

On Thu, Nov 16, 2017 at 07:55:18PM +0000, Simon Slaytor wrote:
Hi Folks,
 
Long time Debian user and up until now I've not had to reach out for help as
I've always found the answer after a short Google.
 
I've recently made the move from 8.x to 9.2 for my production boxes and I'm
having the mother of all DNS issues. My network is simple:
 
My network
2 x Juniper SSG-140 (Active/Passive) HA 1xTrust 1xDMZ 1xUntrust interfaces
IPv4 only IPv6 is not enabled.
2 x Netgear GSM724 Switches
 
The Junipers do DNS proxying for the Trust and DMZ networks. Junipers are in
NAT/Route mode.
 
Sitting on the Trust network (172.16.11.0/24) are Debian 8.8 / 9.2 and
Windoze 10 devices.
Sitting in the DMZ network (192.168.102.0/24) are Debian 9.2 and CentOS 7
devices.
 
My problem is this: after a vanilla 9.2 AMD64 install, DNS resolution fails 99
times out of 100 unless I force IPv4, for example:
 
xxxx@backup:~$ su
Password:
root@backup:/home/xxxx# cat /etc/resolv.conf
domain abc.com
search abc.com.
nameserver 172.16.11.1
root@backup:/home/xxxx# ip ad
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether ca:57:82:c2:51:ad brd ff:ff:ff:ff:ff:ff
    inet 172.16.11.22/24 brd 172.16.11.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::c857:82ff:fec2:51ad/64 scope link
       valid_lft forever preferred_lft forever
root@backup:/home/xxxx# ping www.apple.com
ping: www.apple.com: Temporary failure in name resolution
root@backup:/home/xxxx# ping -4 www.apple.com
PING e6858.dsce9.akamaiedge.net (2.18.170.28) 56(84) bytes of data.
64 bytes from 2.18.170.28: icmp_seq=1 ttl=50 time=19.3 ms
64 bytes from 2.18.170.28: icmp_seq=2 ttl=50 time=19.7 ms
^C
--- e6858.dsce9.akamaiedge.net ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 19.311/19.508/19.705/0.197 ms
root@backup:/home/xxxx#
 
The above box is in the Trust network however the same result occurs if I
use a host in the DMZ.
 
If, however, I use a CentOS 7 box, everything works as expected, e.g.
 
[root@loadbalancer ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.102.1
[root@loadbalancer ~]# ip ad
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 22:e7:41:55:a6:9c brd ff:ff:ff:ff:ff:ff
    inet 192.168.102.10/24 brd 192.168.102.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20e7:41ff:fe55:a69c/64 scope link
       valid_lft forever preferred_lft forever
[root@loadbalancer ~]# ping www.apple.com
PING e6858.dsce9.akamaiedge.net (2.20.214.243) 56(84) bytes of data.
64 bytes from 2.20.214.243 (2.20.214.243): icmp_seq=1 ttl=55 time=28.4 ms
64 bytes from 2.20.214.243 (2.20.214.243): icmp_seq=2 ttl=55 time=28.4 ms
^C
--- e6858.dsce9.akamaiedge.net ping statistics ---
3 packets transmitted, 2 received, 33% packet loss, time 2002ms
rtt min/avg/max/mdev = 28.453/28.456/28.459/0.003 ms
[root@loadbalancer ~]
 
Also, Windoze 10 boxes running on the Trust network and Debian 8 boxes on
both have no issues; it's purely the 9.2 boxes.
 
Any help would be much appreciated.
 
You can effectively disable IPv6 on a Debian box by editing
/etc/gai.conf and uncommenting the line:
 
precedence ::ffff:0:0/96  100
 
Does that make a difference for you?
 
-dsr-
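As an added illustration (not code from this thread, nor from Debian or glibc) of what the gai.conf precedence line discussed above actually does: the script below models the RFC 6724 precedence lookup that getaddrinfo(3) applies when sorting the addresses it got back. It parses a constructed gai.conf (the default table uncommented, with the last line raised to 100 as the file's own comment suggests), does the longest-prefix match per candidate address, and shows the resulting order with and without the change. The candidate addresses are constructed samples (the documentation prefix 2001:db8::/32 plus the IPv4 address from the ping output); the helper names are this example's own.

```python
import ipaddress

# RFC 6724 default precedence table, as shipped (commented out) in glibc's gai.conf.
DEFAULT_PRECEDENCE = [
    ("::1/128", 50),
    ("::/0", 40),
    ("2002::/16", 30),
    ("::/96", 20),
    ("::ffff:0:0/96", 10),
]

# Constructed sample gai.conf: the whole table uncommented, last line raised to 100.
IPV4_PREFERRED_GAI_CONF = """\
# Configuration for getaddrinfo(3).
precedence ::1/128 50
precedence ::/0 40
precedence 2002::/16 30
precedence ::/96 20
# For sites which prefer IPv4 connections change the last line to
precedence ::ffff:0:0/96 100
"""


def parse_gai_conf(text):
    """Return the precedence table getaddrinfo(3) would use for this file.

    glibc semantics: the first active 'precedence' line discards the built-in
    default table entirely, so a file with only commented lines yields the default.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        parts = line.split()
        if len(parts) == 3 and parts[0] == "precedence":
            rules.append((parts[1], int(parts[2])))
    return rules or list(DEFAULT_PRECEDENCE)


def as_ipv6(addr):
    """Represent an IPv4 address as ::ffff:a.b.c.d so the table can be matched against it."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ipaddress.IPv6Address("::ffff:" + str(ip))
    return ip


def precedence_of(addr, table):
    """Longest-prefix match of addr against the table (the lookup behind RFC 6724 rule 6).

    Returns 0 if no rule matches; the default table always matches through ::/0.
    """
    ip = as_ipv6(addr)
    best = None
    for prefix, value in table:
        net = ipaddress.IPv6Network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, value)
    return best[1] if best else 0


def sort_destinations(addrs, table):
    """Order candidate addresses by precedence, highest first (stable for ties)."""
    return sorted(addrs, key=lambda a: precedence_of(a, table), reverse=True)


if __name__ == "__main__":
    # Constructed candidates: one native IPv6 address, plus the IPv4 address from the ping above.
    candidates = ["2001:db8::1", "216.58.206.36"]
    print("default table :", sort_destinations(candidates, DEFAULT_PRECEDENCE))
    print("modified file :", sort_destinations(candidates, parse_gai_conf(IPV4_PREFERRED_GAI_CONF)))
```

The point worth checking on a box showing the symptom in this thread: the precedence table only reorders answers the resolver has already returned. A "Temporary failure in name resolution" (EAI_AGAIN) means getaddinfo got no usable answer at all, and no gai.conf setting changes which queries the stub resolver sends or how long it waits for them, which is why raising ::ffff:0:0/96 to 100 sorts IPv4 first but cannot on its own turn a failing lookup into a successful one.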