Bug #2668

Foreman appears to be incorrectly checking the local resolvers rather than SOA

Added by Jon Fautley over 7 years ago. Updated about 3 years ago.

It would appear that Foreman is checking the existence of DNS records (A/PTR, for provisioning) by querying the resolvers configured on the local system, rather than those configured in the managed zone's SOA.

This is irrespective of the setting of query_local_nameservers.

Related issues

Related to Foreman - Bug #13696: Rebuild Config deletes PTR records but does not add them (New, 2016-02-13)
Has duplicate Foreman - Bug #3526: reverse_dns_record_attrs definition is missing the :resolver attribute (Duplicate, 2013-10-26)


#1 Updated by Dominic Cleal over 7 years ago

  • Assignee deleted (Dominic Cleal)

It looks like this is specifically on PTR records, the original error was: "Failed to save: Conflict DNS PTR Records<old.hostname> already exists"

I see app/models/orchestration/dns.rb queries the domain model for its SOA nameservers and gets a new DNS resolver with these configured, but doesn't do the equivalent for the subnet and reverse DNS zone.
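
The approach comment #1 describes for forward zones, applied to the reverse zone, as an added illustration (this is not Foreman's code from app/models/orchestration/dns.rb): ask the local resolver only for the reverse zone's SOA, resolve the SOA MNAME to an address, and run the PTR conflict check against that server instead of the local resolver. The FakeResolver class, its records, the zone and host names and the 10.0.0.53 address are all constructed here so the example runs offline; they also reproduce the stale-cache situation from comment #4, where a caching forwarder still returns the old PTR while the authoritative server already has the new one.

```ruby
require 'resolv'
require 'ipaddr'

IN = Resolv::DNS::Resource::IN

# Reverse zone for an IPv4 address, assuming a /24 in-addr.arpa delegation
# (an assumption for this example; Foreman's subnet model would know the real one).
def reverse_zone_for(ip)
  octets = IPAddr.new(ip).to_s.split('.')
  "#{octets[0..2].reverse.join('.')}.in-addr.arpa"
end

# Use the local resolver only to learn who is authoritative: fetch the zone's
# SOA and resolve its MNAME to an address.
def soa_nameserver_address(zone, local_resolver: Resolv::DNS.new)
  soa = local_resolver.getresource(zone, IN::SOA)
  local_resolver.getaddress(soa.mname.to_s).to_s
end

# Build a resolver that talks straight to the authoritative server, bypassing
# any caching forwarder in between. The factory is injectable so the example
# can substitute an offline stand-in.
def authoritative_resolver_for(zone, local_resolver: Resolv::DNS.new,
                               factory: ->(addr) { Resolv::DNS.new(nameserver: [addr]) })
  factory.call(soa_nameserver_address(zone, local_resolver: local_resolver))
end

# PTR conflict check: returns the existing PTR targets that differ from the
# hostname we intend to register, or nil when there is no conflict.
def ptr_conflict(ip, expected_fqdn, resolver)
  ptr_name = Resolv::IPv4.create(ip).to_name
  existing = resolver.getresources(ptr_name, IN::PTR).map { |r| r.name.to_s }
  others = existing.reject { |n| n.casecmp?(expected_fqdn) }
  others.empty? ? nil : others
end

# Run the same check via the local resolver and via the SOA server.
def compare_ptr_checks(ip, expected_fqdn, local_resolver, authoritative_servers)
  zone = reverse_zone_for(ip)
  auth = authoritative_resolver_for(zone, local_resolver: local_resolver,
                                    factory: ->(addr) { authoritative_servers.fetch(addr) })
  { via_local: ptr_conflict(ip, expected_fqdn, local_resolver),
    via_soa: ptr_conflict(ip, expected_fqdn, auth) }
end

# Constructed stand-in for Resolv::DNS so the example runs offline:
# a hash of [name, record class] => list of records.
class FakeResolver
  def initialize(records)
    @records = records
  end

  def getresources(name, typeclass)
    @records.fetch([name.to_s, typeclass], [])
  end

  def getresource(name, typeclass)
    rec = getresources(name, typeclass).first
    raise Resolv::ResolvError, "no #{typeclass} record for #{name}" unless rec
    rec
  end

  def getaddress(name)
    getresource(name, IN::A).address
  end
end

# Constructed sample data (all names and addresses are made up).
ZONE  = '3.2.10.in-addr.arpa'
PTRN  = '4.3.2.10.in-addr.arpa'
NS_IP = '10.0.0.53'
SOA_RECORD = IN::SOA.new(Resolv::DNS::Name.create('ns1.example.test'),
                         Resolv::DNS::Name.create('hostmaster.example.test'),
                         2013010100, 3600, 900, 604800, 300)

# Local caching forwarder: still serves the PTR from before the host was rebuilt.
LOCAL = FakeResolver.new({
  [ZONE, IN::SOA] => [SOA_RECORD],
  ['ns1.example.test', IN::A] => [IN::A.new(NS_IP)],
  [PTRN, IN::PTR] => [IN::PTR.new(Resolv::DNS::Name.create('old.hostname.example.test'))]
})

# Authoritative server for the reverse zone, keyed by address: has the current PTR.
AUTHORITATIVE = {
  NS_IP => FakeResolver.new({
    [PTRN, IN::PTR] => [IN::PTR.new(Resolv::DNS::Name.create('new.hostname.example.test'))]
  })
}

if $PROGRAM_NAME == __FILE__
  p compare_ptr_checks('10.2.3.4', 'new.hostname.example.test', LOCAL, AUTHORITATIVE)
end
```

Against the constructed data the local check reports a conflict with old.hostname.example.test while the SOA-based check reports none, which is exactly the false "already exists" error the ticket describes. With real Resolv::DNS objects the same functions work unchanged; only the factory default is used instead of the lookup table.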

#2 Updated by Dominic Cleal almost 7 years ago

  • Has duplicate Bug #3526: reverse_dns_record_attrs definition is missing the :resolver attribute added

#3 Updated by Dominic Cleal over 4 years ago

  • Related to Bug #13696: Rebuild Config deletes PTR records but does not add them added

#4 Updated by Simon Wydooghe over 4 years ago

I can confirm this issue. I've got a dnsmasq server as my 'main' DNS, which Foreman uses. The Foreman host has a BIND server which only serves the domains managed by Foreman. The dnsmasq server forwards any requests to these domains to the BIND server. Caching on the dnsmasq server caused Foreman to believe there were conflicting PTR records. Turning off the caching on the dnsmasq server resolved the issue.

#5 Updated by Ewoud Kohl van Wijngaarden over 3 years ago

  • Description updated (diff)

I wonder why the Foreman is doing a DNS request at all. I thought the Proxy did this so it shouldn't be needed. This also requires that the foreman has an entire view of the system and while that's generally what you want with DNS, there are situations where firewalls can be in the way.

#6 Updated by Zdenek Janda about 3 years ago

  • Priority changed from Normal to Urgent
  • Difficulty set to trivial

I did hit this now as well; this feature should be turned off entirely, or at least add a configuration possibility to turn this off. Imagine this situation: you have in DNS *, which is CNAME to A. Now you want to create with, but bum, Conflict IPv4 DNS record because it did resolve A. And this is happening even when foreman has DNS proxy set for this subnet - instead of doing it via proxy (which would work), it uses local resolver and everything is broken. I even added code wrapped around that creates correct A record before foreman host is created, but this fails too, as it takes some time to DNS refresh so foreman can resolve it good, which again was worked around by some sleep() but this all is just not right.

#7 Updated by Marek Hulán about 3 years ago

  • Priority changed from Urgent to Normal

Thanks for your comment, I'm afraid this does not qualify for Urgent priority, so resetting it back.
