[feature] No option to disable recursion in MAAS managed BIND9

Bug #1804015 reported by Nobuto Murata
Affects: MAAS | Status: Invalid | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

MAAS version: 2.4.2-7034-g2f5deb8b8-0ubuntu1

There are some cases where we would like to disable recursion explicitly in BIND9 managed by MAAS.

- air-gapped installation with a local archive mirror server
- there is an external HTTP proxy to access the Internet, but no local DNS server available (DNS resolution has to rely on the external HTTP proxy server)

Otherwise, the log is spammed with unreachable root DNS servers. Would be nice to have a knob to put "recursion no;" in BIND9 config:
https://git.launchpad.net/maas/tree/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template

How to reproduce:

Prepare one HTTP proxy with squid, and another machine/container as MAAS host in the same network. Then, on the MAAS host:

## delete nameserver and the default gateway
$ sudo mv -v /etc/resolv.conf{,.bak}
$ sudo ip route del default

## confirm dns resolution does not work
$ sudo apt update
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/bionic/InRelease Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/bionic-updates/InRelease Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/bionic-backports/InRelease Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/bionic-security/InRelease Temporary failure resolving 'security.ubuntu.com'

## add an external proxy
$ echo 'Acquire::http::proxy "http://10.0.8.2:8000/";' | sudo tee /etc/apt/apt.conf

## confirm dns resolution and Internet access through the proxy work
$ sudo apt update
Hit:1 http://security.ubuntu.com/ubuntu bionic-security InRelease
Hit:2 http://archive.ubuntu.com/ubuntu bionic InRelease
Hit:3 http://archive.ubuntu.com/ubuntu bionic-updates InRelease
Hit:4 http://archive.ubuntu.com/ubuntu bionic-backports InRelease

## install maas
$ sudo env http_proxy='http://10.0.8.2:8000/' https_proxy='http://10.0.8.2:8000/' apt-add-repository -u ppa:maas/stable

$ sudo apt install maas

Then you will see that syslog is spammed with unreachable root servers.

Nov 19 15:17:40 maas-no-direct-internet named[25244]: network unreachable resolving 'E.ROOT-SERVERS.NET/AAAA/IN': 2001:500:84::b#53
Nov 19 15:17:40 maas-no-direct-internet named[25244]: network unreachable resolving 'E.ROOT-SERVERS.NET/AAAA/IN': 198.41.0.4#53
Nov 19 15:17:40 maas-no-direct-internet named[25244]: network unreachable resolving 'E.ROOT-SERVERS.NET/AAAA/IN': 2001:500:2::c#53
Nov 19 15:17:40 maas-no-direct-internet named[25244]: network unreachable resolving 'E.ROOT-SERVERS.NET/AAAA/IN': 2001:7fd::1#53
Nov 19 15:17:40 maas-no-direct-internet named[25244]: network unreachable resolving 'E.ROOT-SERVERS.NET/AAAA/IN': 192.5.5.241#53
Nov 19 15:17:40 maas-no-direct-internet named[25244]: network unreachable resolving 'E.ROOT-SERVERS.NET/AAAA/IN': 198.97.190.53#53
Nov 19 15:17:40 maas-no-direct-internet named[25244]: network unreachable resolving 'E.ROOT-SERVERS.NET/AAAA/IN': 199.7.83.42#53
Nov 19 15:17:40 maas-no-direct-internet named[25244]: network unreachable resolving 'E.ROOT-SERVERS.NET/AAAA/IN': 192.58.128.30#53
Nov 19 15:17:40 maas-no-direct-internet named[25244]: network unreachable resolving 'E.ROOT-SERVERS.NET/AAAA/IN': 2001:7fe::53#53
Nov 19 15:17:40 maas-no-direct-internet named[25244]: network unreachable resolving 'E.ROOT-SERVERS.NET/AAAA/IN': 199.7.91.13#53
Nov 19 15:17:40 maas-no-direct-internet named[25244]: network unreachable resolving 'E.ROOT-SERVERS.NET/AAAA/IN': 202.12.27.33#53
Nov 19 15:17:40 maas-no-direct-internet named[25244]: network unreachable resolving 'E.ROOT-SERVERS.NET/AAAA/IN': 192.228.79.201#53

Andres Rodriguez (andreserl) wrote:

Hi Nobuto,

Since in 2.5+ all the DNS traffic goes through the rack controller, can you please provide an example of what your expectation would be for 2.5+ ?

Is this expected to be done both for the rack & the region controller ?

Anyhow, targeting this as a feature request in the 'next' milestone.

Changed in maas:
status: New → Triaged
milestone: none → next
summary: - No option to disable recursion in MAAS managed BIND9
+ [feature] No option to disable recursion in MAAS managed BIND9
tags: added: wishlist
Nobuto Murata (nobuto) wrote:

> Since in 2.5+ all the DNS traffic goes through the rack controller, can you please provide an example of what your expectation would be for 2.5+ ?
>
> Is this expected to be done both for the rack & the region controller ?

Do you have an architectural diagram to cover the new DNS traffic? Are both region and rack controller going to run DNS servers? Or just moving DNS on region previously to rack?

I suppose the latter, but in any case a knob of "recursion no;" should go to this template:
https://git.launchpad.net/maas/tree/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template

Andres Rodriguez (andreserl) wrote:

@Nobuto,

All the traffic is now proxied through the rack controller (please refer to the announcements on [1]). That means that all DNS, HTTP, Squid, etc. is now proxied.

The rack DNS is now configured very similarly, with the exception that the zone management still remains in the Region, but the rack config defines all regions as forwarders. A rack config will look like this:

forwarders {
    region-ip-1;
    region-ip-2;
};

dnssec-validation no;

allow-query { any; };
allow-recursion { trusted; };
allow-query-cache { trusted; };

Where 'trusted' is the ACL of subnets/hosts that are allowed to access DNS from. Note that if the region/rack are in the same subnet as facing the machine, there's a possibility that both region/rack will be used as DNS resolvers for deployed machines.

[1]: https://discourse.maas.io/c/news

Anyway, let me know when you have a chance to investigate and see what would work for you on 2.5, given that proxying through the rack was a field requested feature, and this request has a potential to impact how this gets configured in split configurations.

tags: added: enhacement
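The two configurations discussed in this report (a global "recursion no;" knob in the named.conf.options template, and the rack-style config above that keeps recursion on but limits it with allow-recursion { trusted; }) differ in whether named will ever try to reach the root servers, and whether it can be abused as an open resolver. The following is an added example, not MAAS code and not the output of its template: a small Python checker that parses a named.conf.options-style fragment and reports both properties. The sample configs are constructed (the region IPs are RFC 5737 documentation addresses), the parser only handles flat option blocks without nested ACL braces, and the defaulting chain for allow-recursion (allow-recursion, then allow-query-cache, then allow-query, then localnets/localhost) and the "forward first" default are my reading of the BIND9 documentation, not something the bug states.

```python
import re

# Constructed sample fragments in named.conf.options syntax (not MAAS output).
RACK_STYLE = """
forwarders {
    192.0.2.10;   // region-ip-1 (documentation address)
    192.0.2.11;   // region-ip-2 (documentation address)
};

dnssec-validation no;

allow-query { any; };
allow-recursion { trusted; };
allow-query-cache { trusted; };
"""

RACK_FORWARD_ONLY = RACK_STYLE + "forward only;\n"

RECURSION_OFF = """
recursion no;          /* the knob requested in this bug */
allow-query { any; };
"""

OPEN_RESOLVER = """
recursion yes;
allow-query { any; };  # no allow-recursion: ACL falls through to allow-query
"""


def strip_comments(text):
    """Remove the three comment styles named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(//|#).*", "", text)
    return text


def parse_options(text):
    """Map statement name -> string value, or -> list of items for { ... } blocks.

    Limitation: nested braces (e.g. negated ACL elements) are not supported.
    """
    result = {}
    for m in re.finditer(r"([\w-]+)\s*(\{[^}]*\}|[^;{]*);", strip_comments(text)):
        name, value = m.group(1), m.group(2).strip()
        if value.startswith("{"):
            result[name] = [i.strip() for i in value[1:-1].split(";") if i.strip()]
        else:
            result[name] = value
    return result


def assess(text):
    """Report recursion exposure and whether root servers would be contacted."""
    opts = parse_options(text)
    recursive = opts.get("recursion", "yes") == "yes"   # BIND default: recursion yes
    # Effective recursion ACL, following BIND's documented fallback chain
    # (assumption based on the BIND9 ARM, see lead-in).
    acl = (opts.get("allow-recursion")
           or opts.get("allow-query-cache")
           or opts.get("allow-query")
           or ["localnets", "localhost"])
    has_forwarders = bool(opts.get("forwarders"))
    forward_only = opts.get("forward", "first") == "only"  # default is "forward first"
    return {
        "recursive": recursive,
        "allow_recursion": acl,
        # Recursion for anyone on the Internet: the classic open-resolver misconfiguration.
        "open_resolver": recursive and "any" in acl,
        # Root servers are only avoided when recursion is off, or when every
        # lookup goes to forwarders with no fallback ("forward only").
        "contacts_root_servers": recursive and not (has_forwarders and forward_only),
    }


if __name__ == "__main__":
    for label, cfg in [("rack-style", RACK_STYLE), ("rack forward-only", RACK_FORWARD_ONLY),
                       ("recursion off", RECURSION_OFF), ("open resolver", OPEN_RESOLVER)]:
        print(f"{label:18} {assess(cfg)}")
```

Run against the rack-style fragment, the checker shows that recursion is confined to the trusted ACL (so it is not an open resolver) but, because the default is "forward first", named still falls back to the root servers when the region forwarders fail, which is exactly the unreachable-root-server log spam an air-gapped site sees; "recursion no;" or "forward only;" are the two settings that stop that fallback.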
Adam Collard (adam-collard) wrote:

This bug has not seen any activity in the last 6 months, so it is being automatically closed.

If you are still experiencing this issue, please feel free to re-open.

MAAS Team

Changed in maas:
status: Triaged → Invalid
Changed in maas:
milestone: next → none