DNS name resolution weirdness

kanguru
Posts: 2
Joined: 2021/04/08 06:01:04

DNS name resolution weirdness

Post by kanguru » 2021/04/08 07:28:01

I'm new to CentOS 8, installing it under VMware from CentOS-Stream-8-x86_64-20210316-dvd1.iso with a NAT interface connecting me to the internet.

Mostly, it works as expected, but I have weird DNS issues, where host, dig and nslookup find what I want, but applications for some DNS names report "Name or service not known" (ping), "(6) Could not resolve host" (curl) or "Hmm. We’re having trouble finding that site" (firefox).

Nslookup and dig have no problems finding the names, nor do apps on the host system.

The addresses causing issues are releases.jfrog.io and yum.puppet.com which I want yum to use as repos. Other names like www.centos.org and serverfault.com work perfectly.

Note the errors from ping below:

Code:

[user@server ~]$ for i in serverfault.com releases.jfrog.io yum.puppet.com www.centos.org ; do echo " "; echo "Testing" $i; host $i; ping -c 2 $i; done
 
Testing serverfault.com
serverfault.com has address 151.101.65.69
serverfault.com has address 151.101.129.69
serverfault.com has address 151.101.193.69
serverfault.com has address 151.101.1.69
PING serverfault.com (151.101.193.69) 56(84) bytes of data.
64 bytes from 151.101.193.69 (151.101.193.69): icmp_seq=1 ttl=128 time=31.1 ms
64 bytes from 151.101.193.69 (151.101.193.69): icmp_seq=2 ttl=128 time=38.1 ms

--- serverfault.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 31.075/34.611/38.147/3.536 ms
 
Testing releases.jfrog.io
releases.jfrog.io is an alias for endpointdns-prod-use1-lb.jfrog.io.
endpointdns-prod-use1-lb.jfrog.io is an alias for a239bd5ffc31c4061881e7379b84e385-1677123289.us-east-1.elb.amazonaws.com.
a239bd5ffc31c4061881e7379b84e385-1677123289.us-east-1.elb.amazonaws.com has address 52.55.117.113
a239bd5ffc31c4061881e7379b84e385-1677123289.us-east-1.elb.amazonaws.com has address 3.222.96.9
a239bd5ffc31c4061881e7379b84e385-1677123289.us-east-1.elb.amazonaws.com has address 18.211.149.175
a239bd5ffc31c4061881e7379b84e385-1677123289.us-east-1.elb.amazonaws.com has address 23.20.194.242
a239bd5ffc31c4061881e7379b84e385-1677123289.us-east-1.elb.amazonaws.com has address 34.197.197.131
a239bd5ffc31c4061881e7379b84e385-1677123289.us-east-1.elb.amazonaws.com has address 34.200.112.168
ping: releases.jfrog.io: Name or service not known
 
Testing yum.puppet.com
yum.puppet.com is an alias for d1ge15oq8tiwk1.cloudfront.net.
d1ge15oq8tiwk1.cloudfront.net has address 13.224.179.115
d1ge15oq8tiwk1.cloudfront.net has address 13.224.179.39
d1ge15oq8tiwk1.cloudfront.net has address 13.224.179.61
d1ge15oq8tiwk1.cloudfront.net has address 13.224.179.63
d1ge15oq8tiwk1.cloudfront.net has IPv6 address 2600:9000:20ec:9200:3:d41c:9440:93a1
d1ge15oq8tiwk1.cloudfront.net has IPv6 address 2600:9000:20ec:bc00:3:d41c:9440:93a1
d1ge15oq8tiwk1.cloudfront.net has IPv6 address 2600:9000:20ec:f800:3:d41c:9440:93a1
d1ge15oq8tiwk1.cloudfront.net has IPv6 address 2600:9000:20ec:0:3:d41c:9440:93a1
d1ge15oq8tiwk1.cloudfront.net has IPv6 address 2600:9000:20ec:1a00:3:d41c:9440:93a1
d1ge15oq8tiwk1.cloudfront.net has IPv6 address 2600:9000:20ec:4000:3:d41c:9440:93a1
d1ge15oq8tiwk1.cloudfront.net has IPv6 address 2600:9000:20ec:6c00:3:d41c:9440:93a1
d1ge15oq8tiwk1.cloudfront.net has IPv6 address 2600:9000:20ec:6e00:3:d41c:9440:93a1
ping: yum.puppet.com: Name or service not known
 
Testing www.centos.org
www.centos.org has address 35.178.203.231
www.centos.org has address 81.171.33.201
www.centos.org has address 81.171.33.202
www.centos.org has IPv6 address 2001:4de0:aaae::201
www.centos.org has IPv6 address 2001:4de0:aaae::202
www.centos.org has IPv6 address 2a05:d01c:c6a:cc02:e4d3:88b0:60da:6fb4
PING www.centos.org (81.171.33.201) 56(84) bytes of data.
64 bytes from ip-81.171.33.201.centos.org (81.171.33.201): icmp_seq=1 ttl=128 time=373 ms
64 bytes from ip-81.171.33.201.centos.org (81.171.33.201): icmp_seq=2 ttl=128 time=335 ms

--- www.centos.org ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 334.686/353.943/373.200/19.257 ms

I have disabled IPv6, added "nameserver 8.8.8.8" to /etc/resolv.conf, confirmed nsswitch.conf has "hosts: files dns myhostname", checked that dig and nslookup agree with host, even used strace on ping where I see a connect to 8.8.8.8 and a large reply in return only to be told "Name or service not known".

What am I missing? What should I look at?

Kind regards,

k.

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: DNS name resolution weirdness

Post by TrevorH » 2021/04/08 10:35:35

Do you by any chance have a Cisco firewall between you and the DNS server?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

kanguru
Posts: 2
Joined: 2021/04/08 06:01:04

Re: DNS name resolution weirdness

Post by kanguru » 2021/04/09 01:38:42

I don't believe there's a firewall; just a cellular access point.

I've used tcpdump on the conversation and the full responses from 8.8.8.8 are being returned in the same way when I do an nslookup.

It looks as if the libc resolver just doesn't think some answers should get through.

I have added entries to /etc/hosts so I can still do work (indicating the 'files' part of nsswitch is working fine).

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: DNS name resolution weirdness

Post by TrevorH » 2021/04/09 09:10:24

So the reason I asked about the firewall is that there is a known problem with the default config for Cisco when you have DNS inspection enabled (the default). It rejects any packets larger than 512 bytes unless it's specifically told to allow a larger size. For responses with a large number of entries like some of the ones you showed, that can easily exceed 512 bytes. I can't remember the parameter involved since I got shot of my Cisco ASA several years ago but it's an easy fix in the config to change that limit to 4096.

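The 512-byte limit discussed in the last reply can be checked against a captured DNS message. The following is an added example, not code from the thread or its participants: it parses a raw DNS packet, reports its size, answer count and TC (truncated) flag, and reads the UDP payload size a query advertises through an EDNS0 OPT record. The function names, the name big.example and the 192.0.2.x addresses are constructed for illustration.

```python
import struct

CLASSIC_UDP_LIMIT = 512  # largest DNS-over-UDP message when no EDNS0 size is advertised

def encode_name(name):
    """Encode a host name as length-prefixed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, edns_size=None):
    """Build an A query; if edns_size is given, append an EDNS0 OPT record."""
    pkt = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    pkt += encode_name(name) + struct.pack("!HH", 1, 1)
    if edns_size:
        # OPT RR: root owner name, type 41, CLASS field carries the UDP payload size
        pkt += b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)
    return pkt

def constructed_response(name, n_answers):
    """Constructed sample data: a response carrying n_answers A records."""
    pkt = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, n_answers, 0, 0)
    pkt += encode_name(name) + struct.pack("!HH", 1, 1)
    for i in range(n_answers):
        # owner name is a compression pointer back to the question (offset 12)
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, i % 256])
    return pkt

def skip_name(pkt, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        n = pkt[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        off += 1 + n

def inspect(pkt):
    """Summarise a raw DNS message: size, answer count, TC flag, EDNS0 size."""
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off, edns = 12, None
    for _ in range(qd):
        off = skip_name(pkt, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == 41:
            edns = rclass
        off += 10 + rdlen
    return {"size": len(pkt), "answers": an, "truncated": bool(flags & 0x0200),
            "edns_udp_size": edns, "over_classic_limit": len(pkt) > CLASSIC_UDP_LIMIT}
```

Feeding `inspect` the UDP payload of a reply taken from a packet capture shows whether that reply is over 512 bytes and whether the TC flag is set.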