DNS forwarder occasionally stops forwarding

Hi, I’m pretty new to VyOS. I like it a lot so far, but I’m having some trouble with DNS resolution and wonder if I did something wrong.

Brief overview of my setup:

I have two VyOS (nightly) routers with VRRP and two piholes in my LAN.
The routers have the piholes configured as their DNS-Servers and the DNS Forwarding Service is set to listen on the VIP-addresses and use the system-dns.

This works fine for a limited amount of time, after which the routers stop forwarding queries to the piholes and start answering requests with NXDomain.
In this tcpdump the router answers the query right away without sending one to pihole:

16:56:20.781138 eth1  In  IP 192.168.1.183.57236 > fw.localdomain: 46956+ A? libreddit.localdomain. (33)
16:56:20.781138 eth1  In  IP 192.168.1.183.57236 > fw.localdomain: 50016+ AAAA? libreddit.localdomain. (33)
16:56:20.781336 eth1  Out IP fw.localdomain > 192.168.1.183.57236: 46956 NXDomain 0/1/0 (108)
16:56:20.781363 eth1  Out IP fw.localdomain > 192.168.1.183.57236: 50016 NXDomain 0/1/0 (108)

The right behavior is in this example:

21:35:32.632867 eth1  In  IP 192.168.1.183.47981 > fw.localdomain: 6424+ A? forum.vyos.io. (31)
21:35:32.632867 eth1  In  IP 192.168.1.183.47981 > fw.localdomain: 11801+ AAAA? forum.vyos.io. (31)
21:35:32.633354 eth1  Out IP fw01.capra.65512 > pi.hole.domain: 40853+ [1au] A? forum.vyos.io. (42)
21:35:32.633550 eth1  Out IP fw01.capra.13504 > pi.hole.domain: 16171+ [1au] AAAA? forum.vyos.io. (42)

I can solve this issue by restarting the pdns-recursor service, but that’s only a temporary fix.
Any ideas on how to fix this permanently? I tried larger, smaller and no DNS-cache but that seems to have no influence. Any help and questions welcome.

Also:
I’ve read Debugging — VyOS 1.4.x (sagitta) documentation but still haven’t been able to enable any sort of debug-logging for the forwarder. I tried

touch /tmp/vyos.dns.forwarding.debug
touch /tmp/vyos.dns.debug

and a couple of other variants, without success.

Hi,

There is no debugging that can be enabled by such files, but it was a good idea to simply try things out.

I assume fw.localdomain is your VRRP address. I have only heard of this behavior from a friend of mine who has the exact same setup (PiHole) and issue.

What I have come so far in thinking about the issue is:

  • PiHole once sent NXDOMAIN to VyOS
  • PDNS server caches the reply.

Why not simply send the PiHole DNS server directly to your clients and let them use PiHole for DNS resolution? Or can you maybe use tcpdump in ringbuffer mode to capture packets prior to the issue?
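The hypothesis above (a cached NXDOMAIN being served without the question ever reaching the PiHole) can be checked mechanically against a capture like the ones in the first post. The following script is an added example, not part of the thread or of VyOS: it parses tcpdump's default text output, pairs each client query with the reply the router sent back, and flags replies for which no matching question went out to an upstream resolver in between. The sample trace is constructed from the two captures shown above plus two invented reply lines (203.0.113.10 is a documentation address) so that the healthy case is complete as well.

```python
"""Correlate a DNS forwarder's client-facing traffic with its upstream queries.

Added example (not from the thread or VyOS). It flags replies that the
forwarder sent to a LAN client without forwarding the same question to an
upstream resolver first, which is the symptom described in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# tcpdump default text line: "<ts> <iface> <In|Out> IP <src> > <dst>: <txid>[+] <rest>"
LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+\S+\s+(?P<dir>In|Out)\s+IP\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<txid>\d+)\+?\s+(?P<rest>.*)$"
)
QUESTION = re.compile(r"\b(?P<qtype>A|AAAA)\?\s+(?P<qname>\S+)")
# Answers carry "<rcode> an/au/ad" counts; tcpdump omits the rcode when it is NoError.
ANSWER = re.compile(r"^(?P<rcode>[A-Za-z]+)?\s*\d+/\d+/\d+")


@dataclass
class Packet:
    ts: float          # seconds since midnight, enough to order one capture
    direction: str     # "In" (from client) or "Out" (to client or upstream)
    src: str
    dst: str
    txid: int
    qtype: Optional[str]   # set for queries
    qname: Optional[str]
    rcode: Optional[str]   # set for answers


def parse_line(line: str) -> Optional[Packet]:
    """Turn one tcpdump text line into a Packet, or None for non-DNS lines."""
    m = LINE.match(line)
    if not m:
        return None
    h, mnt, sec = m["ts"].split(":")
    ts = int(h) * 3600 + int(mnt) * 60 + float(sec)
    q = QUESTION.search(m["rest"])
    a = ANSWER.match(m["rest"])
    return Packet(
        ts, m["dir"], m["src"], m["dst"], int(m["txid"]),
        q["qtype"] if q else None,
        q["qname"] if q else None,
        (a["rcode"] or "NoError") if a else None,
    )


def audit(lines: List[str]) -> List[dict]:
    """For every reply the forwarder sent to a client, record whether the same
    question was forwarded upstream between the client's query and the reply.
    Upstream queries get their own transaction id, so matching is done on
    (qname, qtype) inside the time window rather than on txid."""
    pkts = [p for p in map(parse_line, lines) if p]
    client_queries = {(p.src, p.txid): p for p in pkts if p.direction == "In" and p.qname}
    upstream = [p for p in pkts if p.direction == "Out" and p.qname]
    findings = []
    for reply in pkts:
        if reply.direction != "Out" or reply.rcode is None:
            continue
        query = client_queries.get((reply.dst, reply.txid))
        if query is None:
            continue
        forwarded = any(
            u.qname == query.qname and u.qtype == query.qtype
            and query.ts <= u.ts <= reply.ts
            for u in upstream
        )
        findings.append({
            "qname": query.qname, "qtype": query.qtype, "txid": query.txid,
            "rcode": reply.rcode, "forwarded": forwarded,
        })
    return findings


def unforwarded(lines: List[str]) -> List[dict]:
    """Replies that were answered locally (from cache or otherwise)."""
    return [f for f in audit(lines) if not f["forwarded"]]


# Constructed sample: the two captures from the thread, plus two invented
# reply lines (203.0.113.10) completing the healthy forum.vyos.io exchange.
SAMPLE = """\
16:56:20.781138 eth1  In  IP 192.168.1.183.57236 > fw.localdomain: 46956+ A? libreddit.localdomain. (33)
16:56:20.781138 eth1  In  IP 192.168.1.183.57236 > fw.localdomain: 50016+ AAAA? libreddit.localdomain. (33)
16:56:20.781336 eth1  Out IP fw.localdomain > 192.168.1.183.57236: 46956 NXDomain 0/1/0 (108)
16:56:20.781363 eth1  Out IP fw.localdomain > 192.168.1.183.57236: 50016 NXDomain 0/1/0 (108)
21:35:32.632867 eth1  In  IP 192.168.1.183.47981 > fw.localdomain: 6424+ A? forum.vyos.io. (31)
21:35:32.632867 eth1  In  IP 192.168.1.183.47981 > fw.localdomain: 11801+ AAAA? forum.vyos.io. (31)
21:35:32.633354 eth1  Out IP fw01.capra.65512 > pi.hole.domain: 40853+ [1au] A? forum.vyos.io. (42)
21:35:32.633550 eth1  Out IP fw01.capra.13504 > pi.hole.domain: 16171+ [1au] AAAA? forum.vyos.io. (42)
21:35:32.650000 eth1  Out IP fw.localdomain > 192.168.1.183.47981: 6424 1/0/0 A 203.0.113.10 (47)
21:35:32.650100 eth1  Out IP fw.localdomain > 192.168.1.183.47981: 11801 0/1/0 (89)
""".splitlines()

if __name__ == "__main__":
    for f in audit(SAMPLE):
        state = "forwarded" if f["forwarded"] else "ANSWERED LOCALLY"
        print(f"{f['qtype']:<5} {f['qname']:<25} {f['rcode']:<9} {state}")
```

To feed it a real trace, run a ring-buffer capture on the LAN interface (for example `tcpdump -i eth1 port 53 -C 50 -W 10 -w /tmp/dns.pcap`, which keeps the last ten 50 MB files) and pipe the text output of `tcpdump -r` on those files into `audit`. A burst of "ANSWERED LOCALLY" NXDomain rows for names that resolved fine earlier is the signature to look for, and the capture file covering the first such row is the one that shows what the PiHole returned just before.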

Hi,

thanks for your reply!

What I have come so far in thinking about the issue is:

  • PiHole once sent NXDOMAIN to VyOS
  • PDNS server caches the reply.

I have not observed that, but of course, that’s possible. I thought I’d get around that by setting the DNS-cache on the pdns-recursor to 0, is that not the case?

Why not simply send the PiHole DNS server directly to your clients and let them use PiHole for DNS resolution?

I’d like to avoid that if possible. Just in terms of network segmentation it would suit my setup better to have VyOS listen on its interfaces in LAN, DMZ, Guest-Network, VPNs and so on, than allowing every device to access the piholes in my LAN. That said, it’s what I’ll have to do if I’m unable to get the pdns-recursor to work reliably :slight_smile:

Or can you maybe use tcpdump in ringbuffer mode to capture packets prior to the issue?

That’s a good hint, I’ll do that and leave it running for a while, thank you!

VyOS doesn’t need to be a DNS forwarder, you can also create DNAT rules towards pihole.

Yes, I thought about that. This will be my go-to workaround if I can’t make the recursor work reliably.
The downside is that I’ll not be able to resolve hostnames of DHCP-leases, which is not a huge problem for me.