
To start, I am still looking around on the site investigating answers that look like they may allow me to find a solution to my problem; posting here definitely isn't my first stop to find a solution, I have been trying things for a while today. Also, thank you for reading. I am working on an assignment for class where the object is to run a bind9 docker container as a DNS load balancer to balance requests between two web servers using the round-robin method. So basically if I put in a request to the web server's domain name it will go to one web server's IP address, then the next request will go to the next web server's IP address. I apologize if my terminology is a bit off, I'm still learning this stuff, but hopefully I've gotten the point across. I have been trying to use 2 Ubuntu 16.04 VMs for this, one with an httpd container running and one with an httpd container and a bind9 container running. I am able to get the web servers running, I'm able to connect to them using the host IP, and I'm also able to get the bind9 container running. The part I'm really having trouble with is actually getting the bind9 DNS container to take me to the web server(s) if I enter the domain name into the browser.

Here is the command I used to start the bind9 container: `docker run -d --name=bind --dns=127.0.0.1 --publish=192.168.0.45:53:53/udp --publish=192.168.0.45:10000:10000 --volume=/srv/docker/bind:/data --env='ROOT_PASSWORD=SecretPassword' sameersbn/bind:latest`

And the web servers are pretty straightforward: I just bind the directory with my index.html file to /usr/local/apache2/htdocs and publish port 80 of the container to port 80 of the host.

All this has to be is a really simple setup on my local network, so I don't need to register a domain name, I don't need mail servers or anything. ALL I NEED TO DO is be able to use 'dig' to query the DNS server for the load-balanced hostname and have it resolve to the two different IP addresses of the web servers. Thank you for any guidance on this, I would really appreciate a bit of help; I've looked at a ton of resources and I just don't know what's going wrong.

After I start the DNS server (bind9 container), I can use the command `host google.com 172.x.x.x` and it returns the right info; 172.x.x.x is the IP of the docker container I guess, because my local network is 192.168.0.1/24. When I try to do the same command with the IP of the docker host, it says REFUSED. I tried editing ACLs, using webmin to add zones and address records, and I just couldn't get it working. I'll stop writing now; hopefully I've given enough info, thank you for reading.

  • *Update:* I used this command: `docker run -dit --dns=127.0.0.1 --publish=53:53/udp --publish=10000:10000 --publish=53:53/tcp --volume=/srv/docker/bind:/data --env='ROOT_PASSWORD=SecretPassword' --name=bind9 --hostname=bind9 --net=host sameersbn/bind:latest` `WARNING: Localhost DNS setting (--dns=127.0.0.1) may fail in containers. WARNING: Published ports are discarded when using host network mode` and the 'host' and 'dig' commands both worked! (I do realize it says that about the 'published ports'.) Sorry for messiness, not too familiar with 'mini-Markdown' – albudtron91 Sep 08 '21 at 05:10
  • **OK!** I have _another update_; I have one docker webserver running (httpd container), and the dns server running on bind9 container, and I have the DNS records configured onto the dns server so that I'm able to use host command and my made-up domain name in the query and the reply tells me the host IP address (which is what I'm aiming for). Now I just need to spin up another docker container with webserver and configure load balancing on the DNS. I think if I just configure another DNS record linking domain name to different IP then round-robin should work? I would write the code but no room – albudtron91 Sep 08 '21 at 06:16
  • bind9 is doing round-robin by default, there is nothing special to configure there. However, your question is mostly off-topic here as it is not related to programming. No matter where you post it, you might want to take some time to format it a little better so that it is easier to read. – Patrick Mevzek Sep 08 '21 at 18:57

1 Answer

You didn't describe what 172.x.x.x is all about. It's unclear why it would be relevant at all. Please post `dig` output. The `host` command is nice enough, but seeing additional details will aid your debugging efforts.

You are shooting for output that resembles this:

$  dig +nottl a yahoo.com @8.8.8.8

; <<>> DiG 9.10.6 <<>> +nottl a yahoo.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50455
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;yahoo.com.     IN  A

;; ANSWER SECTION:
yahoo.com.      IN  A   74.6.143.25
yahoo.com.      IN  A   74.6.231.20
yahoo.com.      IN  A   74.6.231.21
yahoo.com.      IN  A   98.137.11.163
yahoo.com.      IN  A   98.137.11.164
yahoo.com.      IN  A   74.6.143.26

;; Query time: 62 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)

There are two things you want to see working.

(1.) Shell into the container and do a local dig query to obtain an answer from the local BIND server. We want to verify we can get a good answer in the "easy" case. Mess with the daemon's config until the answer looks sensible.

Also, use `netstat -an` and/or `lsof -i:53` to verify the daemon issued a bind() for 0.0.0.0 or a similarly appropriate address.

(2.) From the client of interest, send a dig query `@192.168.0.45`. If this fails, it's a network routing thing. While you're at it, verify that `curl` (or `telnet`) can hit TCP port 10000. You will find it convenient to use `curl -i` so you'll see the headers sent back by the webserver.

There's a slightly fine point here. You configured UDP 53, which is kind of good enough. But it's certainly not correct. DNS requires connectivity on TCP port 53 as well. Sometimes DNS answers are too big to fit within a single (unfragmented) UDP packet, especially within a signed DNSSEC zone. When that happens, the nameserver sends a response marked "truncated", and the client is expected to retry on TCP port 53. You may find that `telnet 192.168.0.45 53` is a convenient way to verify connectivity.

J_H
  • Thank you very much, those troubleshooting tips should be very useful; I'm going to give them a shot and then we'll see how it goes. Mostly I'm concerned with the bind that was set for port 53 of the docker host. I did say that the 172.x.x.x was the IP for the docker container, though; when I look at the logs for the container that's where I found the 172.x.x.x address, but it is a very long post so I can understand if some things get missed. Again, thank you for taking the time to read my question and post some well-thought-out suggestions! My dig output has ANSWER: 0, I remember, so that's an issue! – albudtron91 Sep 08 '21 at 04:09
  • I did have to stop the 'dnsmasq' service running on 0.0.0.0:53 tcp & udp on my host, so I guess that was part of what was messing things up earlier. Thank you very much for the input @J_H – albudtron91 Sep 08 '21 at 06:21
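As an added illustration (not code from the question, the answer, or the sameersbn/bind image), the following Python script ties together the two things the thread is about: the round-robin zone the asker is building (two A records on one name, which is all BIND needs, as Patrick's comment notes) and the checks the answer recommends when reading `dig` output: the RCODE (NOERROR vs. REFUSED), the TC "truncated" flag that forces a retry over TCP 53, and whether successive answers are actually rotated. It builds a DNS A query in wire format, parses a response (including name-compression pointers), and includes a small live `resolve()` helper that falls back to TCP when the UDP reply is truncated. The zone name `lab.local`, the hostname `www`, and the second web server address `192.168.0.46` are assumptions; the responses used for the offline checks are constructed, not captured from a real server.

```python
import socket
import struct

# Constructed example zone for the asker's lab (lab.local, www, and the second
# address 192.168.0.46 are assumptions): two A records on the same name is the
# whole "load balancing" configuration; BIND rotates them by default.
EXAMPLE_ZONE = """\
$TTL 300
@    IN SOA ns1.lab.local. admin.lab.local. (1 3600 900 604800 300)
     IN NS  ns1.lab.local.
ns1  IN A   192.168.0.45
www  IN A   192.168.0.45
www  IN A   192.168.0.46
"""

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Encode 'www.lab.local' as length-prefixed labels terminated by a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(name, qid=0x1234):
    """Standard A/IN query with RD set, i.e. what `dig a www.lab.local @server` sends."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(query, ips, rcode=0, truncated=False):
    """Constructed reply a nameserver would send for `query` (offline test input only)."""
    qid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | rcode | (0x0200 if truncated else 0)   # QR, RD, RA, optional TC
    header = struct.pack("!HHHHHH", qid, flags, 1, len(ips), 0, 0)
    body = query[12:]                                         # question section, verbatim
    for ip in ips:
        # owner name is a compression pointer back to the question name at offset 12
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + body


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it in the stream)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # pointer: remember where we were, jump
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg):
    """Extract what dig's header and ANSWER section show: id, RCODE, TC flag, A records."""
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                   # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"id": qid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "truncated": bool(flags & 0x0200), "answers": answers}


def looks_round_robin(answer_lists):
    """True when successive replies carry the same address set but not always the same first IP."""
    sets = {frozenset(a) for a in answer_lists}
    firsts = {a[0] for a in answer_lists if a}
    return len(sets) == 1 and len(firsts) > 1


def resolve(server, name, timeout=2.0):
    """Live query helper (needs network, not exercised offline): UDP first, TCP when TC is set."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp = parse_response(s.recv(4096))
    if resp["truncated"]:                          # the TCP-53 case the answer warns about
        with socket.create_connection((server, 53), timeout) as t:
            t.sendall(struct.pack("!H", len(q)) + q)   # TCP DNS is length-prefixed
            n = struct.unpack("!H", t.recv(2))[0]
            buf = b""
            while len(buf) < n:
                buf += t.recv(n - len(buf))
            resp = parse_response(buf)
    return resp
```

Running `resolve("192.168.0.45", "www.lab.local")` a few times and feeding the `answers` lists to `looks_round_robin()` is the offline equivalent of repeating `dig a www.lab.local @192.168.0.45` and watching the ANSWER order change; a reply with `rcode == "REFUSED"` and no answers is the symptom the asker saw when querying the docker host address, which points at listening-address or `allow-query` configuration rather than at the zone data.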