Not able to resolve names with a network zone

Hello,

I’m trying to have the same setup as the one specified in the tutorial found on this page.

The end goal is to get a deeper understanding of how network zones work and to have my SMTP agent correctly resolve the PTR record on the internal address.

Everything looks ok, I can do an nsd-control transfer in the local nameserver, but a forward DNS query gives me an error (my domain is localenv.com and the name of the container is c1):

Here is an overview of the network related elements:

$ lxc --version
6.1
$ lxc ls status=running
+------+---------+----------------------+-----------------------------------------------+-----------+-----------+
| NAME |  STATE  |         IPV4         |                     IPV6                      |   TYPE    | SNAPSHOTS |
+------+---------+----------------------+-----------------------------------------------+-----------+-----------+
| c1   | RUNNING | 10.19.222.55 (eth0)  | fd42:f0cb:4a2a:12d7:216:3eff:fe4d:1b61 (eth0) | CONTAINER | 0         |
+------+---------+----------------------+-----------------------------------------------+-----------+-----------+
| ns1  | RUNNING | 10.19.222.235 (eth0) | fd42:f0cb:4a2a:12d7:216:3eff:fe6a:7d46 (eth0) | CONTAINER | 0         |
+------+---------+----------------------+-----------------------------------------------+-----------+-----------+
$ lxc network zone show localenv.com
name: localenv.com
description: ""
config:
  dns.nameservers: ns1.localenv.com
  peers.ns1.address: 10.19.222.235
used_by:
- /1.0/networks/testbr0
$ lxc config show
config:
  core.dns_address: 10.19.222.1:8853
  core.https_address: '[::]:8443'
  core.metrics_address: '[::]:8444'
$ lxc network show testbr0
name: testbr0
description: ""
type: bridge
managed: true
status: Created
config:
  dns.zone.forward: localenv.com
  ipv4.address: 10.19.222.1/24
  ipv4.nat: "true"
  ipv6.address: fd42:f0cb:4a2a:12d7::1/64
  ipv6.nat: "true"
used_by:
- /1.0/instances/c1?project=testing
- /1.0/instances/ns1?project=testing
- /1.0/profiles/prf-test
locations:
- none

root@ns1:~# host c1.localenv.com 10.19.222.235
Using domain server:
Name: 10.19.222.235
Address: 10.19.222.235#53
Aliases: 

Host c1.localenv.com not found: 3(NXDOMAIN)

I’m new to nsd and network zones, so I’d greatly appreciate your guidance on how I can debug this.

I did a similar process and I was able to see the expected record for the instance using dig.
So first, I think we can confirm whether the record you are looking for exists by running:

dig @10.19.222.235 axfr localenv.com | grep c1.localenv.com

If this shows the record you are expecting, that is a sign that it is set up correctly, but for some reason the host command can’t get it.
Tbh I am not super familiar with this command but I can try to help you debug if that ends up being the case :))

Thanks @pedro-rib for your help!

It seems it doesn’t:

root@c1:~# dig @10.19.222.235 axfr localenv.com

; <<>> DiG 9.18.28-0ubuntu0.24.04.1-Ubuntu <<>> @10.19.222.235 axfr localenv.com
; (1 server found)
;; global options: +cmd
; Transfer failed.

Can you please share more details about your system? LXD version, host and guest system… so that I can create a test environment from scratch.

You are more than welcome!

It looks like you are getting Transfer failed for dig because you don’t have a peers.*.address set up for the c1 container as it seems you have on ns1.
Either way, I will outline my steps below, all using latest/edge on Ubuntu 22.04:

$ lxc config set core.dns_address :6053
$ lxc network zone create lxd.example.net
$ lxc network set lxdbr0 dns.zone.forward="lxd.example.net"
$ dig @127.0.0.1 -p 6053 axfr lxd.example.net # I can see the records from the host
$ lxc exec v1 -- dig @127.0.0.1 -p 6053 axfr lxd.example.net # results in Transfer failed 
$ lxc network zone set lxd.example.net peers.v1.address=10.10.197.53
$ lxc exec v1 -- dig @127.0.0.1 -p 6053 axfr lxd.example.net # works fine!

Hello,
I was able to partially use the DNS as described in the tutorial and video mentioned in the issue. However, I wasn’t able to resolve a PTR record defined via the lxc network zone record create command.
My main use case is twofold:

  • to have local containers resolve hostnames of local services to a local reverse proxy
  • to define the PTR record of a container hosting a mail server

So, using a single LXD server, this is done by having a local DNS server (in my case: technitium) with a forward and reverse zone for the domain in use.

With an LXD network zone combined with a DNS server I’d have the benefit of not having to define records for new containers, as this would be done automatically. But at this point this seems too complex and not documented as I’d expect.

Thanks for the help @pedro-rib!

No worries @pmarini! I do think LXD can cover your use case just fine if we manage to track how it differs from the network zone tutorial you followed. Regardless of what you use, I wish success for you and I am available for any further help you may need :smiley:

LXD will only allow AXFR transfer to client addresses in peers.ns1.address so I would suggest double checking (perhaps using tcpdump) that the dig request coming to LXD does indeed appear to come from the expected source address 10.19.222.235.

Also try adding -p 8853 to the dig command to check the correct port is being used too.
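The two checks raised in this thread (the requesting client must be listed in a peers.&lt;name&gt;.address key of the zone, and the transfer must go to the port in core.dns_address) can be done from the text that lxc already prints, before reaching for tcpdump. The script below is an added example, not LXD's own code or anything posted above. It embeds constructed copies of the `lxc network zone show localenv.com` and `lxc config show` output from the first post, parses the config blocks, and reports for a given client address whether LXD's built-in zone server would accept an AXFR from it and which dig command to use. The client addresses 10.19.222.55 (c1) and 10.19.222.235 (ns1) are taken from the `lxc ls` table; the parsing is a simple two-level YAML reader that only covers the key/value layout lxc prints.

```python
"""Pre-flight check for AXFR against an LXD network zone (added example, not LXD code)."""
import ipaddress
import re

# Constructed copies of the command output shown earlier in this thread.
ZONE_SHOW = """\
name: localenv.com
description: ""
config:
  dns.nameservers: ns1.localenv.com
  peers.ns1.address: 10.19.222.235
used_by:
- /1.0/networks/testbr0
"""

CONFIG_SHOW = """\
config:
  core.dns_address: 10.19.222.1:8853
  core.https_address: '[::]:8443'
  core.metrics_address: '[::]:8444'
"""


def parse_config_block(text):
    """Return the key/value pairs indented under the top-level 'config:' key."""
    result = {}
    in_config = False
    for line in text.splitlines():
        if line and not line.startswith(" "):
            # Any unindented line starts a new top-level section.
            in_config = line.strip() == "config:"
            continue
        if in_config and ":" in line:
            key, _, value = line.strip().partition(":")
            result[key.strip()] = value.strip().strip("'\"")
    return result


def zone_name(zone_text):
    """Read the top-level 'name:' line of `lxc network zone show` output."""
    for line in zone_text.splitlines():
        if line.startswith("name:"):
            return line.partition(":")[2].strip()
    raise ValueError("no 'name:' line found")


def axfr_peers(zone_config):
    """Map peer name -> IP address from every peers.<name>.address key."""
    peers = {}
    for key, value in zone_config.items():
        match = re.fullmatch(r"peers\.([^.]+)\.address", key)
        if match:
            peers[match.group(1)] = ipaddress.ip_address(value)
    return peers


def dns_endpoint(core_config, default_port=53):
    """Split core.dns_address into (host, port); host may be empty, as in ':6053'."""
    addr = core_config.get("core.dns_address", "")
    host, sep, port = addr.rpartition(":")
    if not sep:
        return addr, default_port
    return host.strip("[]"), int(port)


def check_axfr_client(zone_text, config_text, client_ip):
    """Return (allowed, port, message) for a zone transfer requested from client_ip.

    LXD only answers AXFR for addresses listed as peers; everything else gets
    'Transfer failed', which is the symptom discussed in this thread.
    """
    peers = axfr_peers(parse_config_block(zone_text))
    host, port = dns_endpoint(parse_config_block(config_text))
    client = ipaddress.ip_address(client_ip)
    zone = zone_name(zone_text)
    allowed = client in peers.values()
    target = host or "<LXD address>"
    if allowed:
        names = [n for n, a in peers.items() if a == client]
        msg = (f"{client} is peer {names[0]!r}; from that host run: "
               f"dig @{target} -p {port} axfr {zone}")
    else:
        listed = ", ".join(f"{n}={a}" for n, a in peers.items()) or "none"
        msg = (f"{client} is not a peer of {zone} (peers: {listed}); "
               f"add it with: lxc network zone set {zone} peers.<name>.address={client}")
    return allowed, port, msg


if __name__ == "__main__":
    for ip in ("10.19.222.55", "10.19.222.235"):  # c1 and ns1 from the lxc ls table
        print(check_axfr_client(ZONE_SHOW, CONFIG_SHOW, ip)[2])
```

Run it on the real output by piping `lxc network zone show <zone>` and `lxc config show` into the two string constants (or reading them from files); the point of keeping the parser separate from the check is that the same peer/port logic applies to the `:6053` style of core.dns_address used in the second set of steps above as well as to the `10.19.222.1:8853` form. Note that a query sent to the nameserver container on port 53 reaches nsd, not LXD's zone server, so the port reported here is the one to pass to dig when testing LXD directly.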