MAAS version: 2.4.2-7034-g2f5deb8b8-0ubuntu1
There are some cases where we would like to disable recursion explicitly in BIND9 managed by MAAS.
- air-gapped installation with a local archive mirror server
- there is an external HTTP proxy to access the Internet, but no local DNS server available (DNS resolution has to rely on the external HTTP proxy server)
Otherwise, the log is spammed with unreachable root DNS servers. It would be nice to have a knob to put "recursion no;" in the BIND9 config:
https://git.launchpad.net/maas/tree/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
How to reproduce:
prepare one http proxy with squid, and another machine/container as MAAS host in the same network. Then, on the maas host:
## delete nameserver and the default gateway
$ sudo mv -v /etc/resolv.conf{,.bak}
$ sudo ip route del default
## confirm dns resolution does not work
$ sudo apt update
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/bionic/InRelease Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/bionic-updates/InRelease Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/bionic-backports/InRelease Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/bionic-security/InRelease Temporary failure resolving 'security.ubuntu.com'
## add an external proxy
$ echo 'Acquire::http::proxy "http://10.0.8.2:8000/";' | sudo tee /etc/apt/apt.conf
## confirm dns resolution and Internet access through the proxy work
$ sudo apt update
Hit:1 http://security.ubuntu.com/ubuntu bionic-security InRelease
Hit:2 http://archive.ubuntu.com/ubuntu bionic InRelease
Hit:3 http://archive.ubuntu.com/ubuntu bionic-updates InRelease
Hit:4 http://archive.ubuntu.com/ubuntu bionic-backports InRelease
## install maas
$ sudo env http_proxy='http://10.0.8.2:8000/' https_proxy='http://10.0.8.2:8000/' apt-add-repository -u ppa:maas/stable
$ sudo apt install maas
Then you will see syslog is spammed with unreachable root servers.
Nov 19 15:17:40 maas-no-direct-internet named[25244]: network unreachable resolving 'E.ROOT-SERVERS.NET/AAAA/IN': 2001:500:84::b#53
Nov 19 15:17:40 maas-no-direct-internet named[25244]: network unreachable resolving 'E.ROOT-SERVERS.NET/AAAA/IN': 198.41.0.4#53
Nov 19 15:17:40 maas-no-direct-internet named[25244]: network unreachable resolving 'E.ROOT-SERVERS.NET/AAAA/IN': 2001:500:2::c#53
Nov 19 15:17:40 maas-no-direct-internet named[25244]: network unreachable resolving 'E.ROOT-SERVERS.NET/AAAA/IN': 2001:7fd::1#53
Nov 19 15:17:40 maas-no-direct-internet named[25244]: network unreachable resolving 'E.ROOT-SERVERS.NET/AAAA/IN': 192.5.5.241#53
Nov 19 15:17:40 maas-no-direct-internet named[25244]: network unreachable resolving 'E.ROOT-SERVERS.NET/AAAA/IN': 198.97.190.53#53
Nov 19 15:17:40 maas-no-direct-internet named[25244]: network unreachable resolving 'E.ROOT-SERVERS.NET/AAAA/IN': 199.7.83.42#53
Nov 19 15:17:40 maas-no-direct-internet named[25244]: network unreachable resolving 'E.ROOT-SERVERS.NET/AAAA/IN': 192.58.128.30#53
Nov 19 15:17:40 maas-no-direct-internet named[25244]: network unreachable resolving 'E.ROOT-SERVERS.NET/AAAA/IN': 2001:7fe::53#53
Nov 19 15:17:40 maas-no-direct-internet named[25244]: network unreachable resolving 'E.ROOT-SERVERS.NET/AAAA/IN': 199.7.91.13#53
Nov 19 15:17:40 maas-no-direct-internet named[25244]: network unreachable resolving 'E.ROOT-SERVERS.NET/AAAA/IN': 202.12.27.33#53
Nov 19 15:17:40 maas-no-direct-internet named[25244]: network unreachable resolving 'E.ROOT-SERVERS.NET/AAAA/IN': 192.228.79.201#53
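The requested "recursion no;" knob and the syslog noise it would silence, as an added Python example that is not part of the bug report or of MAAS's own code. It assumes an options fragment shaped like the one MAAS renders from the template linked above (a constructed sample, not the real template output) and constructed syslog lines in the format shown above; `recursion_enabled` reports the effective setting (BIND9 defaults to recursion on when the directive is absent), `set_recursion` rewrites the fragment idempotently, and `summarize_unreachable` counts the "network unreachable" messages per queried name so the before/after effect can be measured:

```python
import re
from collections import Counter

# Constructed sample: an options fragment in the shape MAAS renders into
# named.conf.options.inside.maas (not MAAS's actual template output).
SAMPLE_OPTIONS = """\
forwarders {
    10.0.8.1;
};
allow-query { any; };
dnssec-validation auto;
"""

# Constructed syslog lines in the format the report shows; addresses are
# documentation-range placeholders, not real root-server addresses.
SAMPLE_SYSLOG = [
    "Nov 19 15:17:40 maas-host named[25244]: network unreachable resolving 'E.ROOT-SERVERS.NET/AAAA/IN': 192.0.2.1#53",
    "Nov 19 15:17:40 maas-host named[25244]: network unreachable resolving 'E.ROOT-SERVERS.NET/AAAA/IN': 2001:db8::1#53",
    "Nov 19 15:17:41 maas-host named[25244]: network unreachable resolving 'A.ROOT-SERVERS.NET/A/IN': 192.0.2.2#53",
    "Nov 19 15:17:41 maas-host systemd[1]: Started Session 3 of user ubuntu.",
]

# Matches a `recursion yes;` / `recursion no;` line, optionally followed by a // comment.
RECURSION_RE = re.compile(r"^\s*recursion\s+(yes|no)\s*;\s*(//.*)?$", re.IGNORECASE)


def recursion_enabled(options_text: str) -> bool:
    """Report the effective recursion setting of an options fragment.

    BIND9 treats a missing directive as `recursion yes;`, so a fragment with
    no explicit line counts as recursive. If the directive appears more than
    once, the last occurrence is reported.
    """
    setting = True
    for line in options_text.splitlines():
        m = RECURSION_RE.match(line)
        if m:
            setting = m.group(1).lower() == "yes"
    return setting


def set_recursion(options_text: str, enabled: bool) -> str:
    """Return the fragment with exactly one `recursion yes|no;` line.

    Any existing recursion lines are dropped first, so applying this twice
    yields the same text (idempotent, which matters for templated config).
    """
    kept = [l for l in options_text.splitlines() if not RECURSION_RE.match(l)]
    kept.append(f"recursion {'yes' if enabled else 'no'};")
    return "\n".join(kept) + "\n"


# Matches named's "network unreachable resolving 'NAME/TYPE/IN': ADDR#PORT" message.
UNREACHABLE_RE = re.compile(
    r"named\[\d+\]: network unreachable resolving "
    r"'(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/IN': (?P<server>\S+)#\d+$"
)


def summarize_unreachable(syslog_lines) -> dict:
    """Count named's 'network unreachable' messages per queried name.

    Lines that are not from named, or not this message, are ignored. Useful
    to size the log spam before the change and to confirm it stops after
    `recursion no;` is in effect.
    """
    counts = Counter()
    for line in syslog_lines:
        m = UNREACHABLE_RE.search(line)
        if m:
            counts[m.group("qname")] += 1
    return dict(counts)


if __name__ == "__main__":
    print("recursion enabled by default:", recursion_enabled(SAMPLE_OPTIONS))
    hardened = set_recursion(SAMPLE_OPTIONS, enabled=False)
    print(hardened)
    print("recursion enabled after edit:", recursion_enabled(hardened))
    print("unreachable root-server lookups:", summarize_unreachable(SAMPLE_SYSLOG))
```

Because MAAS regenerates named.conf.options.inside.maas from its template, an edit made directly to the rendered file does not survive; the rewrite above is what the template would have to emit once a knob exists. After changing the rendered options, `named-checkconf` validates the result before reloading, and the summary function run over the subsequent syslog should return an empty dict once named stops trying to reach the root servers.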
Hi Nobuto,
Since in 2.5+ all the DNS traffic goes through the rack controller, can you please provide an example of what your expectation would be for 2.5+?
Is this expected to be done both for the rack & the region controller?
Anyhow, targeting this as a feature request in the 'next' milestone.