Bug #2720
closed
smart-proxy DNS doesn't work with multiple DNS servers because of default value for 'dns_server' option
Description
Docs http://theforeman.org/manuals/1.2/index.html part 4.3.2 - DNS section says this:
The dns_server option is used if the Smart-Proxy is not located on the same physical host as the DNS server. If it is not specified then localhost is presumed.
The problem is that the default value localhost breaks the auto-detection logic inside nsupdate. This prevents smart-proxy from updating records on multiple DNS servers.
See manual page for nsupdate - section INPUT FORMAT:
server {servername} [port]
Sends all dynamic update requests to the name server servername. When no server statement is provided, nsupdate will send updates to the master server of the correct zone. The MNAME field of that zone's SOA record will identify the master server for that zone. port is the port number on servername where the dynamic update requests get sent. If no port number is specified, the default DNS port number of 53 is used.
IMHO there should not be any default value and server statement should be omitted by default.
Updated by Ohad Levy almost 11 years ago
right.. at the moment a single proxy can manage a single dns server.
Updated by Stephen Benjamin about 10 years ago
- Related to Tracker #5409: DNS Proxy Improvements added
Updated by
Updated by Dominic Cleal almost 9 years ago
- Project changed from Foreman to Smart Proxy
- Description updated (diff)
- Category changed from DNS to DNS
- Difficulty changed from trivial to easy
I'd suggest this should be configurable, since like Foreman's own option to use local resolvers, having it go directly to the server without relying on external DNS setup may help in some circumstances.
Updated by Dominic Cleal almost 9 years ago
- Has duplicate Feature #10274: Add option to avoid sending server statement to nsupdate added
Updated by Sven Lueder about 6 years ago
I ran into the same issue documented here.
Letting nsupdate / DNS subsystem sorting out which server to use to update the DNS record seems to be a better approach in a more complex DNS setup.
cd /usr/share/foreman-proxy/modules/dns_nsupdate
patch -p0 /usr/share/foreman-proxy/modules/dns_nsupdate/dns_nsupdate_main.rb << '@EOF'
- dada 2018-04-22 07:35:50.140177410 +0200
--- dns_nsupdate_main.rb 2018-04-03 13:04:42.000000000 +0200 ******* - 39,46 **
nsupdate_cmd = "#{@nsupdate} #{nsupdate_args}"
logger.debug "running #{nsupdate_cmd}"
@om = IO.popen(nsupdate_cmd, "r+")
! logger.debug "nsupdate: executed - server #{@server}"
! @om.puts "server #{@server}"
end
def nsupdate_disconnect
--- 39,46 ----
nsupdate_cmd = "#{@nsupdate} #{nsupdate_args}"
logger.debug "running #{nsupdate_cmd}"
@om = IO.popen(nsupdate_cmd, "r+")
! # logger.debug "nsupdate: executed - server #{@server}"
! # @om.puts "server #{@server}"
enddef nsupdate_disconnect
@EOF
Updated by Sven Lueder about 6 years ago
seems to me that i need to get used to the automated formatting applied ...
sorry for that
here the same snippet as above suitable for copy / paste:
cd /usr/share/foreman-proxy/modules/dns_nsupdate
patch -p0 /usr/share/foreman-proxy/modules/dns_nsupdate/dns_nsupdate_main.rb << '@EOF'
*** dada 2018-04-22 07:35:50.140177410 +0200
--- dns_nsupdate_main.rb 2018-04-03 13:04:42.000000000 +0200
***************
*** 39,46 ****
nsupdate_cmd = "#{@nsupdate} #{nsupdate_args}"
logger.debug "running #{nsupdate_cmd}"
@om = IO.popen(nsupdate_cmd, "r+")
! logger.debug "nsupdate: executed - server #{@server}"
! @om.puts "server #{@server}"
end
def nsupdate_disconnect
--- 39,46 ----
nsupdate_cmd = "#{@nsupdate} #{nsupdate_args}"
logger.debug "running #{nsupdate_cmd}"
@om = IO.popen(nsupdate_cmd, "r+")
! # logger.debug "nsupdate: executed - server #{@server}"
! # @om.puts "server #{@server}"
end
def nsupdate_disconnect
@EOF
Updated by Lukas Zapletal over 5 years ago
Sven, thanks for the patch. Are you willing to file PR into https://github.com/theforeman/smart-proxy/pulls so we can review? It will involve writing a test.
Updated by The Foreman Bot over 5 years ago
- Status changed from New to Ready For Testing
- Assignee set to Lukas Zapletal
- Pull request https://github.com/theforeman/smart-proxy/pull/602 added
Updated by Lukas Zapletal about 4 years ago
- Status changed from Ready For Testing to New
- Pull request deleted (
https://github.com/theforeman/smart-proxy/pull/602)
There are some concerns about setting validations, I don't have time for this.
Updated by Ewoud Kohl van Wijngaarden about 4 years ago
- Assignee deleted (
Lukas Zapletal) - Difficulty deleted (
easy)
This isn't easy since the conflict detection also depends on a DNS server. In case a recursor is used, TTLs may get in the way and results become unpredictable.
Updated by Lukas Zapletal about 4 years ago
- Triaged changed from No to Yes
- Status changed from New to Rejected
Ewoud comment:
Note that conflict detection (which depends on `dns_server` for various providers) would be very unreliable with that patch. dns_dnscmd is one of those. The implication is that you would have a recursor that looks at DNS records. Since a recursor will cache records, conflict detection will look at old records. TTLs of a day are not that uncommon so errors can show up for problems that are already solved.
You also have no control on the Foreman side where a domain ends up. I’d recommend multiple smart proxies so in Foreman it’s clear exactly where a domain lives.
https://community.theforeman.org/t/multiple-dns-servers-with-dnscmd-smart-proxy-provider/18010