DNS queries not getting resolved from Primary node but gets resolved from Secondary node in HA pair


Article ID: CTX207564

Description

Nameservers are added on NetScaler with the "add dns nameserver" command or from the GUI.

In some cases, a DNS lookup from the CLI fails on the Primary node but resolves correctly on the Secondary node.

Non-working (Primary)
The DNS query is sent to the NetScaler DNS cache loopback IP (127.0.0.2) instead of the nameserver IP:

Sample Output:

root@NS-LAB# nstcpdump.sh -n port 53 | grep internaldomain.com
Saving current trace data in file 'pipe' ... in TCPDUMP format
reading from file -, link-type EN10MB (Ethernet)
11:07:39.663339 IP 10.20.180.10.60334 > 127.0.0.2.53:  2442+ A? internaldomain.com. (28)
11:07:44.663970 IP 10.20.180.10.60334 > 127.0.0.2.53:  2442+ A? internaldomain.com. (28)
11:08:01.873362 IP 10.20.180.10.60208 > 127.0.0.2.53:  46721+ A? internaldomain.com. (28)
11:08:06.139980 IP 10.20.180.10.60208 > 127.0.0.2.53:  46721+ A? internaldomain.com. (28)

Resolution

DNS requests are sourced differently on the Primary and Secondary nodes.
 
  • Primary Node:
    • DNS handling goes to the service handlers and by default, Netscaler will initiate the DNS query from SNIP to backend Nameserver.
  • Secondary Node:
    • Just creates transparent NAT sessions and sends the requests with NSIP to configured DNS nameservers.
 
These issues are seen when PBRs are configured:
  1. When the Primary node sends a DNS request, the service handler would call a function to select a SNIP and port. Netscaler will do a subnet lookup to find out which SNIP it has to select.
  2. This request hits a PBR as shown below and tries to select the SNIP from the PBR next hop.
add ns pbr PBR-Name ALLOW -srcIP = <Source-IP> -nextHop <Next-Hop-IP> -priority 40 -kernelstate KernalState
Our DNS query matches the -srcIP as configured in PBR as above.

If there is no SNIP in the subnet of <Next-Hop-IP>, the request is never sent out from NetScaler.

We can identify the following counters incrementing:
 
  630       0         171185         26        3 pbr_hits _pbr(tPBR-Name)
  631       0            486          1        0 dns_tot_Queries
  632       0             21          1        0 dns_tot_ServerQueries
  633       0             21          1        0 dns_err_NoDomains
  634       0             42          2        0 tcp_err_noip
  635       0             16          1        0 dns_err_NoDom dns_register_(PTR)
 
Solution:
Check the configuration and confirm that there is a SNIP in the <Next-Hop-IP> subnet (the subnet of the -nextHop configured in the PBR); adding one resolves the issue.
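The check above can be scripted against an ns.conf export. The following is an added example, not Citrix code: it parses "add ns ip ... -type SNIP" and "add ns pbr ... ALLOW -srcIP = ... -nextHop ..." lines (the sample config and addresses are constructed) and lists the PBRs that match a DNS query's source IP but whose next hop lies in no SNIP subnet. It also accepts "-srcIP = <lo>-<hi>" ranges, which the article's single-IP example does not show.

```python
import ipaddress
import re

# Constructed ns.conf excerpt: two SNIPs, one PBR whose next hop has no SNIP
# in its subnet (PBR-DNS) and one whose next hop does (PBR-OK).
SAMPLE_CONF = """\
add ns ip 10.20.180.10 255.255.255.0 -type SNIP
add ns ip 10.20.181.10 255.255.255.0 -type SNIP
add ns pbr PBR-DNS ALLOW -srcIP = 10.20.180.1-10.20.180.254 -nextHop 192.168.50.1 -priority 40
add ns pbr PBR-OK ALLOW -srcIP = 10.20.181.10 -nextHop 10.20.181.1 -priority 50
"""

SNIP_RE = re.compile(r"^add ns ip (\S+) (\S+) .*-type SNIP")
PBR_RE = re.compile(r"^add ns pbr (\S+) ALLOW -srcIP = (\S+) -nextHop (\S+)")


def parse_snips(conf):
    """Return the subnet (SNIP address/netmask) of every SNIP in the config."""
    nets = []
    for line in conf.splitlines():
        m = SNIP_RE.match(line)
        if m:
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return nets


def parse_pbrs(conf):
    """Return (name, srcIP spec, nextHop) for each ALLOW PBR with a -srcIP."""
    return [m.groups() for m in map(PBR_RE.match, conf.splitlines()) if m]


def src_matches(spec, addr):
    """True if addr is the single IP or inside the lo-hi range given in -srcIP."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p) for p in spec.split("-", 1))
        return lo <= addr <= hi
    return ipaddress.ip_address(spec) == addr


def pbrs_without_snip(conf, query_src):
    """Names of PBRs that match query_src but whose next hop is in no SNIP subnet.
    A DNS query sourced from query_src that hits such a PBR cannot leave the box."""
    snip_nets = parse_snips(conf)
    src = ipaddress.ip_address(query_src)
    return [
        name
        for name, src_spec, next_hop in parse_pbrs(conf)
        if src_matches(src_spec, src)
        and not any(ipaddress.ip_address(next_hop) in net for net in snip_nets)
    ]
```

Running pbrs_without_snip(SAMPLE_CONF, "10.20.180.10") reports PBR-DNS, the PBR whose next hop needs a SNIP added or whose rule needs correcting.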

Problem Cause

If any PBR on NetScaler matches the source IP of the DNS query, a SNIP is required in the subnet of the -nextHop configured in that PBR rule.