
DNS forwarding on VRRP addresses not properly working
Closed, Resolved | Public | BUG

Description

Using two VyOS instances, LR1 (Lab Router 1) and LR2 (Lab Router 2), with the following config

LR1

 interfaces {
     ethernet eth0 {
         address 172.16.37.240/24
         vrrp {
             vrrp-group 200 {
                 authentication {
                     password foooo
                     type plaintext-password
                 }
                 priority 10
                 virtual-address 172.16.37.222
             }
         }
     }
 }
 ...
 service {
     dns {
         forwarding {
             cache-size 0
             ignore-hosts-file
             listen-on eth0
             name-server 1.1.1.1
         }
     }
 }

# netstat -npl | grep ":53"
(No info could be read for "-p": geteuid()=1000 but you should be root.)
tcp        0      0 172.16.37.222:53        0.0.0.0:*               LISTEN      -
tcp        0      0 172.16.37.240:53        0.0.0.0:*               LISTEN      -
tcp6       0      0 fe80::250:56ff:feaa::53 :::*                    LISTEN      -
udp        0      0 172.16.37.222:53        0.0.0.0:*                           -
udp        0      0 172.16.37.240:53        0.0.0.0:*                           -
udp6       0      0 fe80::250:56ff:feaa::53 :::*                                -

LR2

 interfaces {
     ethernet eth0 {
         address 172.16.37.241/24
         smp-affinity auto
         speed auto
         vrrp {
             vrrp-group 200 {
                 authentication {
                     password foooo
                     type plaintext-password
                 }
                 priority 10
                 virtual-address 172.16.37.222
             }
         }
     }
 }
 ...
 service {
     dns {
         forwarding {
             cache-size 4
             ignore-hosts-file
             listen-on eth0
             name-server 1.1.1.1
         }
     }
 }

# netstat -npl | grep ":53"
(No info could be read for "-p": geteuid()=1000 but you should be root.)
tcp        0      0 172.16.37.241:53        0.0.0.0:*               LISTEN      -
tcp6       0      0 fe80::250:56ff:feaa::53 :::*                    LISTEN      -
udp        0      0 172.16.37.241:53        0.0.0.0:*                           -
udp6       0      0 fe80::250:56ff:feaa::53 :::*                                -

... had the effect that, when LR1 died and LR2 took over, the DNS forwarder (PowerDNS recursor) was not listening on the VRRP IP address on LR2.

The reason LR1 is listening on the VRRP address and LR2 is not is how the PDNS recursor configuration file /etc/powerdns/recursor.conf is generated.

LR1

$ cat /etc/powerdns/recursor.conf | grep local-addr
local-address=172.16.37.240,172.16.37.222,fe80::250:56ff:feaa:8b61%eth0

LR2

$ cat /etc/powerdns/recursor.conf | grep local-addr
local-address=172.16.37.241,fe80::250:56ff:feaa:e4e5%eth0

It's simple: when running in VRRP BACKUP state, we don't have this IP address assigned.

LR2

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:aa:e4:e5 brd ff:ff:ff:ff:ff:ff
    inet 172.16.37.241/24 brd 172.16.37.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:feaa:e4e5/64 scope link
       valid_lft forever preferred_lft forever

compared to LR1

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:aa:8b:61 brd ff:ff:ff:ff:ff:ff
    inet 172.16.37.240/24 brd 172.16.37.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 172.16.37.222/32 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:feaa:8b61/64 scope link
       valid_lft forever preferred_lft forever

Simple problem, but I don't know yet how to solve it.

Possible solutions:

Details

Difficulty level: Unknown (require assessment)
Version: vyos-1.2.0-rolling+201805150841
Why the issue appeared?: Will be filled on close

Event Timeline

dmbaturin claimed this task.
dmbaturin edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc1); removed VyOS 1.2 Crux.
dmbaturin added a subscriber: dmbaturin.

I've updated pdns to 4.0, enabled non-local bind, and added a "listen-address" option that takes an address rather than an interface. I've also added a huge warning about listen-on to encourage people to migrate to the new listen-address option.

Since pdns does not have an option to listen on an interface, I think this is the best we can do (and explicit is probably better than implicit anyway).
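The following Python is an added example, not VyOS code and not something posted in this task. It models the two behaviours discussed above: the old listen-on rendering, which derives pdns-recursor's local-address line from whatever is assigned to the interface at generation time (so a VRRP BACKUP never gets the virtual address), and the listen-address rendering from the fix, which emits the operator's explicit addresses and therefore needs non-local bind (net.ipv4.ip_nonlocal_bind / net.ipv6.ip_nonlocal_bind) on the node where the VIP is not yet present. The interface data is constructed from the ip addr and recursor.conf output in the description; the class and function names (Interface, render_listen_on, render_listen_address, missing_vips, nonlocal_bind_required) are this example's own, and the missing_vips check is a pre-failover sanity check, not a VyOS feature.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class Interface:
    """One interface as seen by the config generator (names are this example's own)."""
    name: str
    assigned: List[str]                                    # addresses present right now (``ip addr``)
    vrrp_virtual: List[str] = field(default_factory=list)  # VRRP virtual-address entries in config


def _strip_scope(addr: str) -> str:
    """Drop a ``%eth0`` zone suffix so link-local addresses compare by address only."""
    return addr.split("%", 1)[0]


def render_listen_on(interfaces: List[Interface], listen_on: List[str]) -> str:
    """Old behaviour (``listen-on``): gather whatever is assigned to the named interfaces now.

    On a VRRP BACKUP the virtual address is not assigned, so it never reaches
    recursor.conf; this is the bug described in the task.
    """
    addrs = [a for iface in interfaces if iface.name in listen_on for a in iface.assigned]
    return "local-address=" + ",".join(addrs)


def render_listen_address(listen_address: List[str]) -> str:
    """New behaviour (``listen-address``): emit exactly the operator-supplied addresses."""
    return "local-address=" + ",".join(listen_address)


def missing_vips(interfaces: List[Interface], listen_on: List[str]) -> List[str]:
    """Failover check: VRRP virtual addresses that ``listen-on`` would omit on this node right now."""
    return [
        vip
        for iface in interfaces
        if iface.name in listen_on
        for vip in iface.vrrp_virtual
        if _strip_scope(vip) not in {_strip_scope(a) for a in iface.assigned}
    ]


def nonlocal_bind_required(interfaces: List[Interface], listen_address: List[str]) -> bool:
    """True when an explicit listen address is not currently assigned anywhere on the node.

    pdns can only bind such an address if the kernel allows non-local bind
    (net.ipv4.ip_nonlocal_bind / net.ipv6.ip_nonlocal_bind), which is why the
    fix enables it alongside the new listen-address option.
    """
    assigned = {_strip_scope(a) for iface in interfaces for a in iface.assigned}
    return any(_strip_scope(a) not in assigned for a in listen_address)


# Constructed from the ``ip addr`` output in the task: LR1 is MASTER (VIP present), LR2 is BACKUP.
LR1 = [Interface("eth0", ["172.16.37.240", "172.16.37.222", "fe80::250:56ff:feaa:8b61%eth0"],
                 ["172.16.37.222"])]
LR2 = [Interface("eth0", ["172.16.37.241", "fe80::250:56ff:feaa:e4e5%eth0"],
                 ["172.16.37.222"])]
LR2_LISTEN_ADDRESS = ["172.16.37.241", "172.16.37.222"]   # what LR2 would configure after the fix


if __name__ == "__main__":
    print("LR1 listen-on      :", render_listen_on(LR1, ["eth0"]))
    print("LR2 listen-on      :", render_listen_on(LR2, ["eth0"]))
    print("LR2 VIPs missed    :", missing_vips(LR2, ["eth0"]))
    print("LR2 listen-address :", render_listen_address(LR2_LISTEN_ADDRESS))
    print("LR2 needs nonlocal :", nonlocal_bind_required(LR2, LR2_LISTEN_ADDRESS))
```

Running it reproduces the two local-address lines quoted in the description for LR1 and LR2, reports 172.16.37.222 as the address LR2 would miss on failover, and shows that LR2's explicit listen-address only works once non-local bind is enabled, which is the combination the fix above ships.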