
The company's DC is in the Oracle Cloud, and I connect it to the companies via IPSec, and forward the DNS via Domain Override in pfSense or Bind9.

I recently picked up a Dream Machine from Ubiquiti to test in a smaller office, but I've been having a lot of trouble passing the DNS to this machine in Oracle.

I know there is no way to do this directly in UDM Pro, but even with Bind9 I couldn't; not even by putting the IP of the DC on the machine as DNS or using it with dig can I ping the domain. Even doing dig with the machine name for the machine IP doesn't work. These tests work everywhere else.

root@srvcafdns:~# dig @<DC IP> domain.local

; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> @<DC IP> domain.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 61401
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;domain.local.                   IN      A

;; AUTHORITY SECTION:
.                       86392   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2023121101 1800 900 604800 86400

;; Query time: 10 msec
;; SERVER: <DC IP>#53(<DC IP>) (UDP)
;; WHEN: Mon Dec 11 16:11:32 -03 2023
;; MSG SIZE  rcvd: 115

root@srvcafdns:~# dig @<DC IP> DC_server_name

; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> @<DC IP> DC_server_name
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 8298
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;DC_server_name.                                IN      A

;; AUTHORITY SECTION:
.                       86376   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2023121101 1800 900 604800 86400

;; Query time: 20 msec
;; SERVER: <DC IP>#53(<DC IP>) (UDP)
;; WHEN: Mon Dec 11 16:11:48 -03 2023
;; MSG SIZE  rcvd: 110

root@srvcafdns:~# ping <DC IP>
PING <DC IP> (<DC IP>) 56(84) bytes of data.
64 bytes from <DC IP>: icmp_seq=1 ttl=60 time=9.71 ms
64 bytes from <DC IP>: icmp_seq=2 ttl=60 time=9.71 ms
64 bytes from <DC IP>: icmp_seq=3 ttl=60 time=9.85 ms
64 bytes from <DC IP>: icmp_seq=4 ttl=60 time=9.69 ms
^C
--- <DC IP> ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 9.689/9.742/9.854/0.065 ms

What can it be?

  • Can you try if you can query all the A records of that server for example dig A @dc-serverip
    – Turdie
    Commented Dec 11, 2023 at 19:28
  • Can you please check if dns traffic is allowed over the tunnel, you can use nc -zv domain-controller-ip 53. If the connection is successful then dns traffic is allowed
    – Turdie
    Commented Dec 11, 2023 at 19:35
  • I have DNS Forward configured in at least 11 locations and they are all working. In one of them he uses Bind9, and it also works. Even if I disable forwarding anywhere else and try to dig directly into the DC's IP, it works. Commented Dec 11, 2023 at 19:37
  • root@srvcafdns:~# nc -zv dc_ip 53
    dc_ip: inverse host lookup failed: Unknown host
    (UNKNOWN) [dc_ip] 53 (domain) open
    Commented Dec 11, 2023 at 19:42
  • You don't need the dc-server-ip twice. Only nc -zv dc_ip 53
    – Turdie
    Commented Dec 11, 2023 at 19:44
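The dig output in the question carries the diagnostic answer itself: the status is NXDOMAIN, the flags are `qr rd ra` with no `aa` (authoritative answer) bit, and the AUTHORITY section holds the SOA of the root zone (`.`) rather than the SOA of the AD zone. A DNS server that hosts the zone answers authoritatively with that zone's SOA; a negative answer backed by the root SOA means whatever answered on port 53 recursed out to the public DNS and never consulted an internal zone. Combined with the `nc -zv` check from the comments (port 53 open), that points at the wrong listener answering (a forwarder or NAT/policy on the tunnel path) or at the DC's DNS service not holding the zone, not at a plain connectivity failure. The following added example, which is not code from the question or from any answer, parses that dig text and returns a verdict; the sample input is the second dig run copied from the question, with the poster's `<DC IP>` placeholder left in place.

```python
"""Classify a failed `dig` lookup from its text output (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the second dig run quoted in the question.
DIG_OUTPUT = """\
; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> @<DC IP> DC_server_name
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 8298
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;DC_server_name.                                IN      A

;; AUTHORITY SECTION:
.                       86376   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2023121101 1800 900 604800 86400

;; Query time: 20 msec
;; SERVER: <DC IP>#53(<DC IP>) (UDP)
;; WHEN: Mon Dec 11 16:11:48 -03 2023
;; MSG SIZE  rcvd: 110
"""


@dataclass
class DigResult:
    status: str
    flags: frozenset
    qname: str
    answers: int
    soa_owner: Optional[str]  # owner name of the SOA in AUTHORITY, if any


def parse_dig(text: str) -> DigResult:
    """Pull status, header flags, question name and AUTHORITY SOA out of dig text."""
    status = re.search(r"status: (\w+)", text).group(1)
    header = re.search(r"^;; flags: ([a-z ]*);.*ANSWER: (\d+)", text, re.M)
    flags = frozenset(header.group(1).split())
    answers = int(header.group(2))
    # Question line looks like ";name.   IN   A"; other ';' lines never have IN next.
    qname = re.search(r"^;(\S+)\s+IN\s+\S+", text, re.M).group(1)
    soa_owner = None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith(";; AUTHORITY SECTION:"):
            for rr in lines[i + 1:]:
                if not rr.strip():
                    break
                fields = rr.split()
                if len(fields) > 3 and fields[3] == "SOA":
                    soa_owner = fields[0]
            break
    return DigResult(status, flags, qname, answers, soa_owner)


def diagnose(r: DigResult) -> str:
    """Short verdict on who answered and whether it knows the zone."""
    if r.status == "NOERROR" and r.answers > 0:
        return "resolved"
    if r.status == "NXDOMAIN" and "aa" not in r.flags and r.soa_owner == ".":
        # Negative answer backed by the root SOA: the responder recursed to the
        # public DNS and never consulted an internal zone. Either the DC's DNS
        # service is not what answered, or it does not hold this zone.
        return "not-served-by-responder"
    if r.status == "NXDOMAIN" and "aa" in r.flags:
        # The zone's own server says the name does not exist: a record problem.
        return "authoritative-nxdomain"
    if r.status in ("REFUSED", "SERVFAIL"):
        return r.status.lower()
    return "inconclusive"


def hints(r: DigResult) -> List[str]:
    """Extra observations about the query itself that change how to read it."""
    out = []
    if r.qname.endswith(".local."):
        out.append("'.local' is reserved for mDNS; resolvers may treat it specially")
    if r.qname.count(".") == 1:
        out.append("single-label query: no zone suffix was appended, so the zone "
                   "was never asked for this host (try the FQDN or dig +search)")
    return out


if __name__ == "__main__":
    result = parse_dig(DIG_OUTPUT)
    print(result)
    print("verdict:", diagnose(result))
    for h in hints(result):
        print("hint:", h)
```

Run it against each dig output you collect over the tunnel: a verdict of `not-served-by-responder` while `nc -zv <dc> 53` reports the port open means the next step is to confirm which host actually answers on that address and port (a packet capture on the DC's side of the IPSec tunnel settles it), not to revisit the zone data.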
