5

I have the latest clean Ubuntu 14.04.1 64-bit from the official website installed in VirtualBox. I connect to a VPN network using vpnc, which sets 2 DNS servers via DHCP:

    user@virtual:~$ cat /etc/resolv.conf
    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
    nameserver 10.88.94.1
    nameserver 8.8.8.8
    nameserver 10.40.0.1

Here 10.88.94.1 and 8.8.8.8 are returned by the VPN DHCP and 10.40.0.1 is returned by the LAN DHCP. The first DNS server returned by the VPN DHCP is configured as an authoritative, non-recursive name server for some internal names.

The problem is that Ubuntu somehow ignores the authoritative flag and discards the valid response because it's non-recursive:

    user@virtual:~$ nslookup
    > video.something.com
    ;; Got recursion not available from 10.88.94.1, trying next server
    Server:     8.8.8.8
    Address:    8.8.8.8#53

    Non-authoritative answer:
    Name:   video.something.com
    Address: 180.112.94.1

As tcpdump clearly shows, the answer from the first DNS server has the 'authoritative' flag set, but somehow it is ignored ('*' in the second response is for "authoritative", '-' is for "non-recursive"):

    13:23:44.505098 IP 10.40.130.209.44159 > 10.88.94.1.domain: 63790+ A? video.something.com. (32)
    13:23:44.506285 IP 10.88.94.1.domain > 10.40.130.209.44159: 63790*- 1/0/0 A 10.88.94.12 (48)
    13:23:44.506390 IP 10.40.130.209.45437 > 8.8.8.8.domain: 63790+ A? video.something.com. (32)
    13:23:44.608414 IP 8.8.8.8.domain > 10.40.130.209.45437: 63790 1/0/0 A 180.112.94.1 (48)

The same setup works as expected (the first DNS result is used) on both Windows and OS X, but not on Ubuntu. Is there something I can fix in Ubuntu so that authoritative responses are processed correctly regardless of the "non-recursive" flag, or is it completely broken and there is nothing I can do?

grigoryvp
  • Have you tried just that DNS server, ignoring all others? Failing that, I'd try setting up your own DNS stub that points to 10.88.. for that domain. – Grizly Sep 23 '14 at 07:45
  • @Grizly Both DNS servers are corporate and not under my control. Is there any way to change the behaviour on the client side so it will be more RFC-compliant (authoritative answers don't need to be recursive)? – grigoryvp Sep 23 '14 at 09:00
  • This is very strange. I just tried your same configuration in Fedora 19 with no problems whatsoever, authoritative answers are accepted even though they are not recursive. Name resolving is performed by glibc, which is common on all linuxes (versions may vary of course), so I don't get why you are having these issues. – Migtor Sep 24 '14 at 07:33
  • As a workaround, you may install a local dnscache on your client machine. One that is very easy to configure is dnsmasq: you can set it to forward queries depending on domain, etc. – Migtor Sep 24 '14 at 07:34
  • @Migtor, yeah, that's kinda what I meant. ;-) – Grizly Sep 24 '14 at 22:51
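As an added illustration (not part of the question or its comments), the following Python script constructs two response packets shaped like the tcpdump lines above and decodes their header flags, so the distinction the question turns on, 'authoritative' (AA) versus 'recursion available' (RA), is visible at the bit level. The packet builder, the two policy functions and the sample packets are this example's own constructed helpers, not code from nslookup or any resolver library.

```python
"""Decode the DNS header flags behind nslookup's 'recursion not available' message.

Added example; the two packets are constructed to match the tcpdump lines in the
question (id 63790, one A record each). They are not real captures.
"""
import struct

A_TYPE, IN_CLASS = 1, 1


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def build_response(txid, qname, ipv4, aa, ra, rcode=0):
    """Build a minimal A-record response (assumed demo helper, not a full DNS library)."""
    flags = 0x8000 | 0x0100            # QR=1, RD copied back from the query
    if aa:
        flags |= 0x0400                # AA: server is authoritative for the zone
    if ra:
        flags |= 0x0080                # RA: server offers recursion to clients
    flags |= rcode & 0x000F
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", A_TYPE, IN_CLASS)
    # The answer name is a compression pointer to offset 12 (the question name).
    rdata = bytes(int(o) for o in ipv4.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", A_TYPE, IN_CLASS, 60, len(rdata)) + rdata
    return header + question + answer


def decode_header(packet):
    """Return the header fields of a DNS message as a dict."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),
        "tc": bool(flags & 0x0200),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def tcpdump_flags(header):
    """Render AA and RA the way tcpdump shows them: '*' = AA set, '-' = RA clear."""
    return ("*" if header["aa"] else "") + ("" if header["ra"] else "-")


def skip_name(packet, offset):
    """Return the offset just past a name (label sequence or compression pointer)."""
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:      # two-byte pointer ends the name
            return offset + 2
        if length == 0:
            return offset + 1
        offset += 1 + length


def first_a_record(packet):
    """Return the first A record's address as a dotted string, or None."""
    header = decode_header(packet)
    offset = 12
    for _ in range(header["qdcount"]):
        offset = skip_name(packet, offset) + 4          # skip QTYPE + QCLASS
    for _ in range(header["ancount"]):
        offset = skip_name(packet, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        if rtype == A_TYPE and rclass == IN_CLASS and rdlen == 4:
            return ".".join(str(b) for b in packet[offset:offset + 4])
        offset += rdlen
    return None


def usable_answer(header):
    """Client view consistent with RFC 1035: a NOERROR reply carrying answers is
    usable whether or not RA is set; RA only says the server would recurse for us."""
    return header["qr"] and header["rcode"] == 0 and header["ancount"] > 0


def nslookup_like(header):
    """Model of the behaviour seen in the question: RD was sent, RA came back clear,
    so the tool reports 'recursion not available' and moves to the next server."""
    if header["rd"] and not header["ra"]:
        return "recursion not available, trying next server"
    return "accepted"


# Constructed packets mirroring the two responses in the tcpdump excerpt.
INTERNAL_REPLY = build_response(63790, "video.something.com", "10.88.94.12", aa=True, ra=False)
PUBLIC_REPLY = build_response(63790, "video.something.com", "180.112.94.1", aa=False, ra=True)

if __name__ == "__main__":
    for server, pkt in (("10.88.94.1", INTERNAL_REPLY), ("8.8.8.8", PUBLIC_REPLY)):
        h = decode_header(pkt)
        print(server, f"{h['id']}{tcpdump_flags(h)}", first_a_record(pkt),
              "usable" if usable_answer(h) else "unusable", "/", nslookup_like(h))
```

Running it prints `63790*-` for the VPN server's reply and a bare `63790` for Google's, matching the tcpdump output; both replies pass the RFC-style check, and only the first trips the RD-without-RA rule that produces the "trying next server" message.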

2 Answers

4

The kind of fallback behavior you seem to expect is not part of how DNS is supposed to work. The second nameserver in resolv.conf should only be contacted in the event that the first does not respond or there is some other sort of network error.

Microsoft have apparently done their own thing, and it certainly is useful for what you are trying to do, but it should not be relied upon for setting up a VPN. Microsoft also has a notion of using different name resolution for different network interfaces.

If you can't influence the VPN configuration, your best bet on Linux might be to set up your own nameserver which decides where to forward requests to by domain.

mc0e
  • Is there any RFC or documentation that states how a client must react to an authoritative response without the RA flag? – grigoryvp Sep 25 '14 at 05:13
  • @mc0e but if I understood correctly, the main issue is that the first valid DNS response is being discarded, apparently because of being non-recursive (just maybe). Also, what is puzzling me is that I have been unable to reproduce those issues. Glibc should do the same thing everywhere... – Migtor Sep 25 '14 at 06:38
  • @Migtor I think you'll find it's not glibc, but a separate resolver library, perhaps the one that ISC distribute as part of bind, though presumably separately packaged by ubuntu. As of IPv6 lwresd may be involved as well. nslookup's behavior does not look to me like standard resolver behavior, but then it's not a standard resolver, it's a diagnostic tool. (It's also long been deprecated). – mc0e Sep 25 '14 at 12:31
  • @mc0e but I imagine @EyeofHell performed other tests apart from `nslookup` and experienced the same behaviour... For example a `ping` will resolve using standard libs. Normally I use `dig` for debugging DNS issues, or `dnsq` if djbdns is installed. Could you reproduce this behaviour with other tools, @EyeofHell? – Migtor Sep 26 '14 at 08:40
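As an added example of the per-domain forwarding nameserver this answer suggests (the same idea as the dnsmasq workaround in the comments on the question), not code from the answer itself: a stdlib-only Python forwarder that routes queries for the VPN domain to the authoritative server and everything else to the LAN resolver, and sets RA on the replies it hands back, which is what a local caching forwarder does for its clients. The `something.com` suffix, the listen port, the domain table and all function names are this example's assumptions; the server addresses are the ones from the question.

```python
"""Minimal split-horizon DNS forwarder: picks the upstream server by query name.

Added example, not part of the answer. It stands in for the per-domain forwarding
a local dnsmasq or bind instance would do, using only the standard library.
"""
import socket
import struct

# Longest-suffix match decides the upstream; "" is the default for everything else.
# Addresses are from the question; "something.com" is a placeholder domain.
UPSTREAMS = {
    "something.com": "10.88.94.1",   # authoritative-only VPN server for internal names
    "": "10.40.0.1",                 # LAN recursive resolver for everything else
}


def build_query(qname, txid=1):
    """Constructed A query with RD set, used to exercise the parser offline."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", 1, 1)


def qname_from_query(packet):
    """Extract the first question's name (lower-cased, no trailing dot)."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    if struct.unpack("!H", packet[4:6])[0] < 1:
        raise ValueError("query carries no question")
    labels, offset = [], 12
    while True:
        length = packet[offset]
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        if length == 0:
            break
        offset += 1
        labels.append(packet[offset:offset + length].decode("ascii").lower())
        offset += length
    return ".".join(labels)


def choose_upstream(qname, table=UPSTREAMS):
    """Return the upstream address whose domain is the longest suffix of qname."""
    best = ""
    for domain in table:
        if domain and (qname == domain or qname.endswith("." + domain)):
            if len(domain) > len(best):
                best = domain
    return table[best]


def mark_recursion_available(reply):
    """Set RA in a reply: this forwarder, not the authoritative upstream, is the
    service that answers the client's recursive query, so RA is honest here and
    stops a client tool from treating an AA-but-not-RA reply as a failure."""
    flags = struct.unpack("!H", reply[2:4])[0] | 0x0080
    return reply[:2] + struct.pack("!H", flags) + reply[4:]


def forward(packet, upstream, timeout=2.0):
    """Send a query to one upstream and return its reply (raises socket.timeout)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (upstream, 53))
        reply, _ = sock.recvfrom(4096)
    return reply


def serve(listen=("127.0.0.1", 5353)):
    """Accept queries on a local port and relay each to the chosen upstream."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(listen)
        while True:
            packet, client = sock.recvfrom(4096)
            try:
                upstream = choose_upstream(qname_from_query(packet))
                reply = forward(packet, upstream)
                if reply[:2] != packet[:2]:
                    continue      # transaction id mismatch: not the reply we asked for
                sock.sendto(mark_recursion_available(reply), client)
            except (ValueError, socket.timeout):
                continue          # drop malformed queries and unanswered lookups


if __name__ == "__main__":
    serve()
```

With resolv.conf pointing at the forwarder (on port 53 in a real deployment), the stub resolver sees a single server that always answers with RA set, so the authoritative VPN reply is no longer followed by a fallback to the next server. The equivalent dnsmasq configuration line for the domain split is `server=/something.com/10.88.94.1`.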
0

In order for DNS recursion to work for an Ubuntu bind9 server, you would ensure the following lines are in /etc/bind/named.conf.options on the DNS server:

    recursion yes;
    allow-recursion { any; };

With that said, you claim that you do not have access to the DNS servers. In that case, have you considered changing the order of your DNS servers? For example, if you take your last DNS entry of...

    nameserver 10.40.0.1

and put it in a file at /etc/resolvconf/resolv.conf.d/head, then run the resolvconf -u command, the entry would then be automatically added to the top of /etc/resolv.conf. What this does is make 10.40.0.1 the first DNS server to use, and then it checks the VPN records after that (assuming that 10.40.0.1 allows for DNS recursion).

KLaw
  • This is incorrect. If the first name server answers at all, the second is not queried. – mc0e Sep 25 '14 at 19:50