Bug #13419


DNS updates do not work unless foreman server uses the authoritative DNS server as its nameserver in resolv.conf

Added by Michael Eklund over 7 years ago. Updated about 7 years ago.

Target version:
Fixed in Releases:
Found in Releases:


If foreman is not using the authoritative name server as a nameserver entry in its resolv.conf, dns proxy calls will not work properly. We have nameserver recursors in our production environment; these forward our internal zones to our authoritative name servers. After foreman deleted the dns records I would never see any calls to create the records.

From a log perspective it looks like this:

On foreman server

2016-01-27T12:34:58 [app] [I] Delete the DNS A record for
2016-01-27T12:34:58 [app] [I] Delete the DNS PTR record for
2016-01-27T12:34:58 [app] [D] Fetching DNS reservation for

on foreman-proxy

D, [2016-01-27T12:34:58.089412 #24413] DEBUG -- : verifying remote client against trusted_hosts [""]
I, [2016-01-27T12:34:58.092718 #24413]  INFO -- : - - [27/Jan/2016 12:34:58] "DELETE /dns/ HTTP/1.1" 200 - 0.0034

D, [2016-01-27T12:34:58.178689 #24413] DEBUG -- : verifying remote client against trusted_hosts [""]
I, [2016-01-27T12:34:58.181471 #24413]  INFO -- : - - [27/Jan/2016 12:34:58] "DELETE /dns/ HTTP/1.1" 200 - 0.0029

It took me forever to figure out why I was never seeing any POST /dns calls on the proxy. The reason is that the dns records already exist in the dns recursor's cache, so it appears that the calls are bypassed by the following code

  # Only re-create the record when one was expected but the lookup says it is gone
  def recreate_a_record
    set_dns_a_record unless dns_a_record.nil? || dns_a_record.valid?
  end

  def recreate_ptr_record
    set_dns_ptr_record unless dns_ptr_record.nil? || dns_ptr_record.valid?
  end

dns_a_record.valid? and dns_ptr_record.valid? falsely return true from this code

      # Verifies that a record already exists on the dns server
      def valid?
        logger.debug "Fetching DNS reservation for #{self}"
        self == dns_lookup(ip)
      end

because they are talking to a cache and the TTL has not hit 0 yet.
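As an added illustration of the cache problem described above (this is a constructed model, not code from the bug report or from Foreman), a caching recursor is placed in front of an authoritative server and a valid?-style comparison is run through each path; names, IPs and TTL are made up for the example:

```ruby
# Constructed authoritative server: the place Foreman's DELETE /dns/ call
# actually removes the record from.
class AuthoritativeServer
  def initialize(records)
    @records = records.dup          # name => ip
  end

  def lookup(name, _now = nil)
    @records[name]                  # nil once the record has been deleted
  end

  def delete(name)
    @records.delete(name)
  end
end

# Constructed recursor with a TTL-based positive cache. Time is passed in
# explicitly so the scenario is deterministic instead of sleeping.
class CachingRecursor
  def initialize(upstream, ttl:)
    @upstream, @ttl, @cache = upstream, ttl, {}
  end

  def lookup(name, now)
    entry = @cache[name]
    return entry[:ip] if entry && entry[:expires] > now   # stale but still served
    ip = @upstream.lookup(name)
    @cache[name] = { ip: ip, expires: now + @ttl } if ip
    ip
  end
end

# Mirrors the valid? check quoted above: the record counts as present when
# the resolver hands back the expected IP. A true result makes recreate_*
# skip set_dns_*_record.
def record_valid?(resolver, name, ip, now)
  resolver.lookup(name, now) == ip
end

# Prime the recursor, delete the record at the authority, then ask both
# paths. Only the authoritative path (or an expired cache) notices the gap.
def stale_cache_scenario(ttl: 300)
  name, ip = 'host.example.test', '10.0.0.5'   # constructed sample record
  auth = AuthoritativeServer.new(name => ip)
  recursor = CachingRecursor.new(auth, ttl: ttl)
  recursor.lookup(name, 0)                      # cache filled at t=0
  auth.delete(name)                             # the DELETE /dns/ call
  { via_recursor:      record_valid?(recursor, name, ip, 10),
    via_authoritative: record_valid?(auth, name, ip, 10),
    after_ttl:         record_valid?(recursor, name, ip, ttl + 1) }
end
```

With the recursor path the check still reports the deleted record as valid until the TTL runs out, which is exactly the window in which the POST /dns call never happens.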

Actions #1

Updated by Dominic Cleal over 7 years ago

  • Category set to DNS

The default behaviour is to query the authoritative servers (it looks these up via the SOA and NS for the zone), but it does use a recursor (per resolv.conf) if the query_local_nameservers setting (Administer > Settings) is changed from the default false to true.

Actions #2

Updated by Michael Eklund over 7 years ago

Confirmed this was the case. We were fronting our authdns with a recursor for caching. I would love a setting to force it to go by what the proxy says though.

Actions #3

Updated by Stephen Benjamin about 7 years ago

I'm not sure I understand the logic of reaching out to the authoritative nameservers - why is Foreman special and needing to bypass the system's DNS configuration?

It causes major problems anywhere that uses things like DNS sinkholes and disables access to anything but their own dns:

