DNS forwarding doesn't resolve CNAMEs?

I have configured a name server and have enabled DNS forwarding for the clients on the LAN.

I can ping and resolve using nslookup from the router itself:

> openpli.org
Server:		1.1.1.1
Address:	1.1.1.1#53

Non-authoritative answer:
Name:	openpli.org
Address: 95.154.239.72
Name:	openpli.org
Address: 2001:1b40:4000:5::239:72
> forums.openpli.org
Server:		1.1.1.1
Address:	1.1.1.1#53

Non-authoritative answer:
forums.openpli.org	canonical name = openpli.hosting.flexcoders.eu.
Name:	openpli.hosting.flexcoders.eu
Address: 95.154.239.72
Name:	openpli.hosting.flexcoders.eu
Address: 2001:1b40:4000:5::239:72

But when I try the same using DNS forwarding:

> server 172.19.9.1
Default server: 172.19.9.1
Address: 172.19.9.1#53
> openpli.org
Server:		172.19.9.1
Address:	172.19.9.1#53

Non-authoritative answer:
Name:	openpli.org
Address: 95.154.239.72
Name:	openpli.org
Address: 2001:1b40:4000:5::239:72
> forums.openpli.org
Server:		172.19.9.1
Address:	172.19.9.1#53

** server can't find forums.openpli.org: NXDOMAIN

I found several posts regarding this issue, but none gave a solution. One mentioned an MTU issue, but I’ve double checked, and I don’t think that is the issue here:

set interfaces ethernet eth0 mtu 1500

set interfaces pppoe pppoe0 source-interface 'eth0'
set interfaces pppoe pppoe0 mtu 1492
set interfaces pppoe pppoe0 ip adjust-mss 'clamp-mss-to-pmtu'
set interfaces pppoe pppoe0 ipv6 adjust-mss 'clamp-mss-to-pmtu'

What if you compare:

dig @1.1.1.1 forums.openpli.org a

dig @1.1.1.1 forums.openpli.org cname

dig @172.19.9.1 forums.openpli.org a

dig @172.19.9.1 forums.openpli.org cname

What's the output in your case for the above?

In case the resolver is set to minimal response and the client asks about an A-record, then you won't get any reply in return. Or you just get the CNAME in return, meaning that the DNS-client must send a second query asking for the A-record of that CNAME-record. In short, the application will never get an IP to connect to unless the DNS-client asks twice.

When I tested, 1.1.1.1 obviously doesn't reply with minimal-response set, since you can see you get both a CNAME and an A-record in the same reply.

I think you can also use tcpdump to verify this behaviour regarding what the server (resolver) returns: whether both entries are part of the same reply, or whether the 172.19.9.1 resolver just replies with the CNAME-record and then it's up to your DNS-client to ask a 2nd time, this time for the A-record of that CNAME-record.

Thanks, I’ll try tomorrow, I had to stop testing and start the old firewall again so nightly processes won’t be interrupted (because I can’t get the IPsec tunnel working).

Here you go:

vyos@srvr2-fw:~$ dig @1.1.1.1 forums.openpli.org a

; <<>> DiG 9.18.47-1~deb12u1-Debian <<>> @1.1.1.1 forums.openpli.org a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60340
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;forums.openpli.org.		IN	A

;; ANSWER SECTION:
forums.openpli.org.	609	IN	CNAME	openpli.hosting.flexcoders.eu.
openpli.hosting.flexcoders.eu. 3452 IN	A	95.154.239.72

;; Query time: 37 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Mon May 25 10:32:27 UTC 2026
;; MSG SIZE  rcvd: 106

vyos@srvr2-fw:~$ dig @1.1.1.1 forums.openpli.org cname

; <<>> DiG 9.18.47-1~deb12u1-Debian <<>> @1.1.1.1 forums.openpli.org cname
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43539
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;forums.openpli.org.		IN	CNAME

;; ANSWER SECTION:
forums.openpli.org.	3600	IN	CNAME	openpli.hosting.flexcoders.eu.

;; Query time: 25 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Mon May 25 10:32:34 UTC 2026
;; MSG SIZE  rcvd: 90

vyos@srvr2-fw:~$ dig @172.19.9.1 forums.openpli.org a

; <<>> DiG 9.18.47-1~deb12u1-Debian <<>> @172.19.9.1 forums.openpli.org a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 31906
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;forums.openpli.org.		IN	A

;; ANSWER SECTION:
forums.openpli.org.	607	IN	CNAME	openpli.hosting.flexcoders.eu.

;; Query time: 51 msec
;; SERVER: 172.19.9.1#53(172.19.9.1) (UDP)
;; WHEN: Mon May 25 10:32:41 UTC 2026
;; MSG SIZE  rcvd: 90

vyos@srvr2-fw:~$ dig @172.19.9.1 forums.openpli.org cname

; <<>> DiG 9.18.47-1~deb12u1-Debian <<>> @172.19.9.1 forums.openpli.org cname
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20617
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;forums.openpli.org.		IN	CNAME

;; ANSWER SECTION:
forums.openpli.org.	1309	IN	CNAME	openpli.hosting.flexcoders.eu.

;; Query time: 24 msec
;; SERVER: 172.19.9.1#53(172.19.9.1) (UDP)
;; WHEN: Mon May 25 10:32:49 UTC 2026
;; MSG SIZE  rcvd: 90

And if you do something like this it will give you the A-record?

dig @172.19.9.1 openpli.hosting.flexcoders.eu a

Also if possible adjust EDNS to 1280 which is the minimum MTU for IPv6.

It looks like the forwarder uses 512 bytes for EDNS, meaning any reply larger than 512 bytes over UDP will switch to TCP, so also verify that you allow both UDP and TCP 53, both towards the forwarder and from the forwarder towards the internet.

Otherwise I would suspect some kind of “minimal-response” is at play here like the forwarder will only do 1:1 queries and not dig further (recursive) like a resolver would do.

vyos@srvr2-fw# dig @172.19.9.1 openpli.hosting.flexcoders.eu a

; <<>> DiG 9.18.47-1~deb12u1-Debian <<>> @172.19.9.1 openpli.hosting.flexcoders.eu a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 28173
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;openpli.hosting.flexcoders.eu.	IN	A

;; Query time: 0 msec
;; SERVER: 172.19.9.1#53(172.19.9.1) (UDP)
;; WHEN: Mon May 25 14:52:28 UTC 2026
;; MSG SIZE  rcvd: 58

As to firewall rules, I currently allow all on output, and have

set firewall ipv4 input filter rule 4 description 'DNS request access'
set firewall ipv4 input filter rule 4 action jump
set firewall ipv4 input filter rule 4 jump-target INPUT-4-RULE000004
set firewall ipv4 name INPUT-4-RULE000004 default-action return
set firewall ipv4 name INPUT-4-RULE000004 rule 1 source group network-group INPUT-4-RULE000004-IPV4-SN
set firewall ipv4 name INPUT-4-RULE000004 rule 1 protocol tcp_udp
set firewall ipv4 name INPUT-4-RULE000004 rule 1 destination port 53
set firewall ipv4 name INPUT-4-RULE000004 rule 1 action accept

on input (and the same for IPv6).

172.19.9.1 is a VyOS ethernet local address (LAN inside interface), and I run dig from the router, as long as that doesn’t work, it is pointless trying something from a client.

It gets weirder: when I query @1.1.1.1, tcpdump shows:

15:04:41.701802 IP <pppoe public ipv4>.45379 > 1.1.1.1.53: 49794+ [1au] A? openpli.hosting.flexcoders.eu. (70)
15:04:41.727216 IP 1.1.1.1.53 > 194.164.227.192.45379: 49794 1/0/1 A 95.154.239.72 (74)

but when I do

vyos@srvr2-fw:~$ dig @172.19.9.1 openpli.hosting.flexcoders.eu a

I don’t see any traffic in tcpdump on port 53, but do get a response. Even after I’ve done

reset dns forwarding all

It looks as if it doesn’t even try to call the upstream DNS server to resolve it?

Even if I configure it to resolve directly:

delete service dns forwarding system

and I reset the cache and restart dns forwarding, there is no traffic according to tcpdump.

This seems to have been reported here too: PowerDNS Recursor feels very slow - #22 by SaulGoodman but was not picked up?

Besides how is your configuration for this in VyOS?

You mentioned forwarder but normally you want to use it as a resolver so it can also cache already answered queries (incl negative caching as in where the answer is that there is no entry).

Also if possible, if you remove all IPv6 config - are there any change then?

Nothing special:

set system name-server 1.1.1.1
set system name-server 2606:4700:4700::1111
set system name-server 1.0.0.1
set system name-server 2606:4700:4700::1001

set service dns forwarding listen-address '0.0.0.0'
set service dns forwarding listen-address '::'
set service dns forwarding allow-from 172.18.0.0/16
set service dns forwarding allow-from fdfd:dead:beef:cafe::/96
set service dns forwarding allow-from 172.19.8.128/25
set service dns forwarding allow-from 172.19.0.0/24
set service dns forwarding allow-from 172.19.10.0/24
set service dns forwarding allow-from 172.19.14.0/24
set service dns forwarding allow-from 172.19.15.0/24
set service dns forwarding allow-from 172.19.9.0/24
set service dns forwarding allow-from 172.19.12.0/24
set service dns forwarding allow-from 172.19.11.0/24
set service dns forwarding allow-from fdfd:dead:beef:cafe:0:1:a:0/112
set service dns forwarding allow-from fdfd:dead:beef:cafe:0:1:e:0/112
set service dns forwarding allow-from fdfd:dead:beef:cafe:0:1:f:0/112
set service dns forwarding allow-from fdfd:dead:beef:cafe:0:1:9:0/112
set service dns forwarding allow-from fdfd:dead:beef:cafe:0:1:c:0/112
set service dns forwarding allow-from fdfd:dead:beef:cafe:0:1:b:0/112
set service dns forwarding dnssec off
set service dns forwarding system

then DNS is assigned to clients via DHCP:

set service dhcp-server listen-interface eth2.1
set service dhcp-server shared-network-name 'MANAGEMENT-4' authoritative
set service dhcp-server shared-network-name 'MANAGEMENT-4' subnet 172.19.9.0/24 subnet-id 5
set service dhcp-server shared-network-name 'MANAGEMENT-4' subnet 172.19.9.0/24 option default-router 172.19.9.1
set service dhcp-server shared-network-name 'MANAGEMENT-4' subnet 172.19.9.0/24 option name-server 172.19.9.1
set service dhcp-server shared-network-name 'MANAGEMENT-4' subnet 172.19.9.0/24 lease 86400
set service dhcp-server shared-network-name 'MANAGEMENT-4' subnet 172.19.9.0/24 option domain-name 'local'
set service dhcp-server shared-network-name 'MANAGEMENT-4' subnet 172.19.9.0/24 range 0 start 172.19.9.240
set service dhcp-server shared-network-name 'MANAGEMENT-4' subnet 172.19.9.0/24 range 0 stop 172.19.9.249

I wonder if the old method of setting the recurse bit in powerdns (using the + in forward-zones) still works, as the current docs mention you need to use forward-zones-recurse now.

Oh… F.U.C.K. Sorry for wasting your time.

Sophos uses dnsmasq, and that forwards any query that doesn't resolve locally. powerdns doesn't do that for domains it is authoritative on.

Split-DNS is used in this setup, so the local box has an authoritative zone for "hosting.flexcoders.eu" with internal IPs.

So there was no A record response for the forums.openpli.org CNAME, because openpli.hosting.flexcoders.eu is not known in the local zone. :roll_eyes:
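An added checker (not from this thread, VyOS or PowerDNS) that does what the dig comparison above did by hand: it parses dig's text output, walks the CNAME chain from the queried name and flags a chain that ends without an address; a second function then tests whether the dangling target falls in a zone the box serves authoritatively, which was the root cause here. The two sample inputs are abridged copies of the answers posted earlier in the thread; the local zone list is an assumption taken from the split-DNS description.

```python
import re

# Sample inputs: abridged copies of the two dig answers quoted earlier in the thread.
UPSTREAM = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60340
;; QUESTION SECTION:
;forums.openpli.org.\t\tIN\tA

;; ANSWER SECTION:
forums.openpli.org.\t609\tIN\tCNAME\topenpli.hosting.flexcoders.eu.
openpli.hosting.flexcoders.eu. 3452 IN\tA\t95.154.239.72
"""
FORWARDER = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 31906
;; QUESTION SECTION:
;forums.openpli.org.\t\tIN\tA

;; ANSWER SECTION:
forums.openpli.org.\t607\tIN\tCNAME\topenpli.hosting.flexcoders.eu.
"""

def parse_dig(text):
    """Return (status, queried name, [(owner, type, rdata), ...]) from dig's text output."""
    status = re.search(r"status: (\w+)", text).group(1)
    qname = re.search(r"^;([^;\s]+)\s+IN\s+\w+", text, re.M).group(1).rstrip(".").lower()
    records, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if line.startswith(";;") or not line.strip():
            in_answer = False  # a new section header or blank line ends the answer section
            continue
        if in_answer:
            owner, _ttl, _cls, rtype, rdata = line.split()[:5]
            records.append((owner.rstrip(".").lower(), rtype, rdata.rstrip(".").lower()))
    return status, qname, records

def follow_chain(text):
    """Walk the CNAME chain from the queried name; report whether it ends in an address."""
    status, name, records = parse_dig(text)
    seen = set()
    while name not in seen:  # the seen-set also stops a CNAME loop
        seen.add(name)
        addrs = [r for o, t, r in records if o == name and t in ("A", "AAAA")]
        if addrs:
            return {"status": status, "terminal": name, "addresses": addrs, "dangling": False}
        cnames = [r for o, t, r in records if o == name and t == "CNAME"]
        if not cnames:
            break
        name = cnames[0]
    return {"status": status, "terminal": name, "addresses": [], "dangling": True}

def in_local_zone(name, local_zones):
    """True when a dangling target lies inside a zone this resolver is authoritative for."""
    return any(name == z or name.endswith("." + z) for z in (z.lower() for z in local_zones))
```

Run against the forwarder's answer it reports the chain dangling at openpli.hosting.flexcoders.eu, and in_local_zone confirms that name sits in the locally authoritative hosting.flexcoders.eu zone, so the recursor never asks upstream for it.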

Nice catch - this will hopefully help the next one in a similar situation where you mix resolving and being authoritative in the same box :slight_smile:

What was the fix in VyOS config in your case?

Like if you can post before (not working) vs after (working)?

I don’t have a fix for it yet.

Our company is a “100% virtual” company. We have a datacentre for both client hosting and our central stuff. Everyone works remote permanently.

For remote locations (mainly developers) the company provides a standardized "DC in a box", a virtualized and standardized server that contains local git repositories, file server, mail server, build servers (for building openembedded) and mail web client, development webservers, etc. These boxes have an IPsec VPN to the datacentre for remote backups, data replication, etc.

The Split-horizon DNS is used because some services need to be accessed via the VPN link, on the internal IP address, while others (like the CNAME example) are public services and need to be accessed via the internet.

It looks like I can work around it by adding the entries for “hosting.flexcoders.eu” to /etc/hosts:

vyos@srvr2-fw:~$ cat /etc/hosts
### Autogenerated by VyOS ###
### Do not edit, your changes will get overwritten ###

# From 'system static-host-mapping' and DHCP server
1.2.3.4		openpli.hosting.flexcoders.eu

It now resolves the CNAME to the IP defined locally:

vyos@srvr2-fw:~$ dig @172.19.9.1 forums.openpli.org

; <<>> DiG 9.18.47-1~deb12u1-Debian <<>> @172.19.9.1 forums.openpli.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50497
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;forums.openpli.org.		IN	A

;; ANSWER SECTION:
forums.openpli.org.	3434	IN	CNAME	openpli.hosting.flexcoders.eu.
openpli.hosting.flexcoders.eu. 86400 IN	A	1.2.3.4

;; Query time: 86 msec
;; SERVER: 172.19.9.1#53(172.19.9.1) (UDP)
;; WHEN: Tue May 26 12:16:56 UTC 2026
;; MSG SIZE  rcvd: 106

Yup, this fixes it.

vyos@srvr2-fw:/$ dig @172.19.9.1 forums.openpli.org

; <<>> DiG 9.18.47-1~deb12u1-Debian <<>> @172.19.9.1 forums.openpli.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24358
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;forums.openpli.org.		IN	A

;; ANSWER SECTION:
forums.openpli.org.	2594	IN	CNAME	openpli.hosting.flexcoders.eu.
openpli.hosting.flexcoders.eu. 215 IN	A	95.154.239.72

;; Query time: 95 msec
;; SERVER: 172.19.9.1#53(172.19.9.1) (UDP)
;; WHEN: Tue May 26 12:26:25 UTC 2026
;; MSG SIZE  rcvd: 106

vyos@srvr2-fw:/$ dig @172.19.9.1 mirrors.hosting.flexcoders.eu

; <<>> DiG 9.18.47-1~deb12u1-Debian <<>> @172.19.9.1 mirrors.hosting.flexcoders.eu
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15577
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;mirrors.hosting.flexcoders.eu.	IN	A

;; ANSWER SECTION:
mirrors.hosting.flexcoders.eu. 86400 IN	A	172.18.8.6

;; Query time: 2 msec
;; SERVER: 172.19.9.1#53(172.19.9.1) (UDP)
;; WHEN: Tue May 26 12:26:57 UTC 2026
;; MSG SIZE  rcvd: 74

One down, two to go… :wink: