primary DNS resolver in PHX not working for some domains
Description
Activity

Former user October 12, 2016 at 3:37 PM
Removed OpenDNS from DHCP on foreman.phx, so all machines should eventually get the new DNS setting. Closing the case.

Former user October 7, 2016 at 9:14 AM
The only reason I can imagine why we don't use Foreman is the fact that there's a crontab on it restarting BIND each hour (probably to sync the views, as Foreman does dynamic updates to just one of those). I'll just use Google DNS for now.

Former user October 7, 2016 at 9:08 AM
Did some troubleshooting - indeed it only seems to be related to OpenDNS (maybe it filters out private IPs?)
OpenDNS:
dig vm0002.workers-phx.ovirt.org @208.67.222.222
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> vm0002.workers-phx.ovirt.org @208.67.222.222
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23788
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;vm0002.workers-phx.ovirt.org. IN A
;; Query time: 27 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Fri Oct 07 09:03:47 UTC 2016
;; MSG SIZE rcvd: 57
Google:
dig vm0002.workers-phx.ovirt.org @8.8.8.8
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> vm0002.workers-phx.ovirt.org @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51742
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;vm0002.workers-phx.ovirt.org. IN A
;; ANSWER SECTION:
vm0002.workers-phx.ovirt.org. 3599 IN A 172.19.12.2
;; Query time: 90 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Oct 07 09:04:01 UTC 2016
;; MSG SIZE rcvd: 73
Foreman:
dig vm0002.workers-phx.ovirt.org @66.187.230.11
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> vm0002.workers-phx.ovirt.org @66.187.230.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48174
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;vm0002.workers-phx.ovirt.org. IN A
;; ANSWER SECTION:
vm0002.workers-phx.ovirt.org. 3599 IN A 172.19.12.2
;; AUTHORITY SECTION:
. 21475 IN NS i.root-servers.net.
. 21475 IN NS e.root-servers.net.
. 21475 IN NS c.root-servers.net.
. 21475 IN NS j.root-servers.net.
. 21475 IN NS f.root-servers.net.
. 21475 IN NS m.root-servers.net.
. 21475 IN NS l.root-servers.net.
. 21475 IN NS d.root-servers.net.
. 21475 IN NS k.root-servers.net.
. 21475 IN NS h.root-servers.net.
. 21475 IN NS a.root-servers.net.
. 21475 IN NS g.root-servers.net.
. 21475 IN NS b.root-servers.net.
;; Query time: 249 msec
;; SERVER: 66.187.230.11#53(66.187.230.11)
;; WHEN: Fri Oct 07 09:05:24 UTC 2016
;; MSG SIZE rcvd: 284
All of these servers see the right zone serial, so it's something OpenDNS-specific:
OpenDNS:
dig workers-phx.ovirt.org SOA @208.67.222.222
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> workers-phx.ovirt.org SOA @208.67.222.222
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44276
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;workers-phx.ovirt.org. IN SOA
;; AUTHORITY SECTION:
ovirt.org. 3600 IN SOA ns1.redhat.com. noc.redhat.com. 2016100601 3600 1800 604800 86400
;; Query time: 27 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Fri Oct 07 09:06:49 UTC 2016
;; MSG SIZE rcvd: 114
Google:
dig workers-phx.ovirt.org SOA @8.8.8.8
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> workers-phx.ovirt.org SOA @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20816
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;workers-phx.ovirt.org. IN SOA
;; AUTHORITY SECTION:
ovirt.org. 1799 IN SOA ns1.redhat.com. noc.redhat.com. 2016100601 3600 1800 604800 86400
;; Query time: 185 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Oct 07 09:07:18 UTC 2016
;; MSG SIZE rcvd: 104
Foreman:
dig workers-phx.ovirt.org SOA @66.187.230.11
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> workers-phx.ovirt.org SOA @66.187.230.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40663
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;workers-phx.ovirt.org. IN SOA
;; AUTHORITY SECTION:
ovirt.org. 1799 IN SOA ns1.redhat.com. noc.redhat.com. 2016100601 3600 1800 604800 86400
;; Query time: 84 msec
;; SERVER: 66.187.230.11#53(66.187.230.11)
;; WHEN: Fri Oct 07 09:07:45 UTC 2016
;; MSG SIZE rcvd: 104
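
The resolver comparison in the comment above can be automated. The following is an added example, not part of the original ticket: it parses dig replies and flags a resolver that returns an empty NOERROR while its peers return only private-range addresses, the pattern the commenter suspects. The function names are hypothetical and the sample replies are trimmed from the outputs quoted above.

```python
import ipaddress
import re

# Sample input: dig replies trimmed from the outputs quoted in the ticket.
SAMPLES = {
    "208.67.222.222": """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23788
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;vm0002.workers-phx.ovirt.org. IN A
""",
    "8.8.8.8": """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51742
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
vm0002.workers-phx.ovirt.org. 3599 IN A 172.19.12.2
""",
}

def parse_dig(text):
    """Return (status, [A-record addresses]) from one dig reply."""
    m = re.search(r"status: (\w+)", text)
    status = m.group(1) if m else "UNKNOWN"
    addrs = []
    for line in text.splitlines():
        if line.startswith(";"):      # headers, question and comments
            continue
        parts = line.split()
        if len(parts) == 5 and parts[2] == "IN" and parts[3] == "A":
            addrs.append(parts[4])
    return status, addrs

def compare_resolvers(replies):
    """Map each resolver to a verdict by comparing its reply with its peers."""
    parsed = {srv: parse_dig(txt) for srv, txt in replies.items()}
    seen = {a for _, addrs in parsed.values() for a in addrs}
    private = {a for a in seen if ipaddress.ip_address(a).is_private}
    verdicts = {}
    for srv, (status, addrs) in parsed.items():
        if addrs:
            verdicts[srv] = "answered"
        elif status == "NOERROR" and seen and private == seen:
            # Consistent with the resolver dropping private-range answers.
            verdicts[srv] = "empty; peers return only private addresses"
        else:
            verdicts[srv] = "no data (%s)" % status
    return verdicts
```
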
Details
Assignee: Former user (Deactivated)
Reporter: Former user (Deactivated)
Priority: Medium

As part of network reorganization I published a zone for new workers, and after a day it is still not resolvable by Jenkins so I can't make use of the new slaves.
Here are the two DNS servers sent by DHCP in the PHX datacenter:
nameserver 208.67.222.222
nameserver 8.8.8.8
The first one is OpenDNS and the second - Google Public DNS. We do not use the BIND instance we have on the Foreman proxy for some reason and the OpenDNS resolver fails for the new hostnames. We need to fix this.