[Freeipa-users] DNS operation timed out when installing IPA with forwarders

Petr Spacek pspacek at redhat.com
Tue Apr 5 08:43:14 UTC 2016


On 24.2.2016 13:19, Geselle Stijn wrote:
> Adding a forward zone like Martin suggested works.
> I will definitely read the section you linked to get a better understanding of the differences between both.
> 
> Doing a dig for google.com won't work in our case, because the servers are not internet-facing.

Hi,

this effectively means that the servers you specified are not usable as global
forwarders, so the check serves its purpose.

The problem is that a DNS server in general is not supposed to drop queries.
At the very least it should answer with a REFUSED message so the client can see that
the query was administratively prohibited.

I hope this explains the nature of the check.

Petr^2 Spacek

> 
> Stijn
> 
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
> Sent: Monday 22 February 2016 11:05
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] DNS operation timed out when installing IPA with forwarders
> 
> On 19.2.2016 15:09, Martin Basti wrote:
>> On 19.02.2016 14:57, Geselle Stijn wrote:
>>> That seems to fail:
>>>
>>> [root@ipa ~]# dig @192.168.1.1 . SOA
>>>
>>> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.2 <<>> @192.168.1.1 . SOA
>>> ; (1 server found)
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44900
>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>>
>>> ;; OPT PSEUDOSECTION:
>>> ; EDNS: version: 0, flags:; udp: 4000
>>> ;; QUESTION SECTION:
>>> ;.                              IN      SOA
>>>
>>> ;; Query time: 11153 msec
>>> ;; SERVER: 192.168.1.1#53(192.168.1.1)
>>> ;; WHEN: Fri Feb 19 14:42:51 CET 2016
>>> ;; MSG SIZE  rcvd: 28
>>>
>>>
>>> But if I add a new record (e.g. CNAME) to DNS in Windows Server and
>>> try to ping that CNAME, it gets resolved correctly.
>>>
>>> -Stijn
>> Hello,
>>
>> global forwarders, specified by the --forwarder option during installation
>> or added via ipa dnsconfig-mod, must be able to resolve the root zone
>> (your forwarder/server 192.168.1.1 is not able to return a result for the root zone).
>>
>> You probably need to specify a forward zone for the particular Windows
>> domain you use, instead of specifying it as a global forwarder.
>>
>> ipa dnsforwardzone-add <your.windows.zone.> --forwarder 192.168.1.1
> 
> Martin could be right, but this depends on your setup.
> 
> Please read chapter "Managing DNS Forwarding" in our docs:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/managing-dns-forwarding.html
> 
> It explains the difference between global and per-zone forwarding (I hope :-) so it will be easier to decide what should be used.
> 
> BTW does the command
> $ dig @192.168.1.1 www.google.com. SOA
> work?
> (Assuming that neither google.com. nor com. are your AD domains :-))
> 
> Petr^2 Spacek
> 
>>> -----Original Message-----
>>> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
>>> Sent: Friday 19 February 2016 13:59
>>> To: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] DNS operation timed out when installing IPA with forwarders
>>>
>>> On 19.2.2016 13:50, Geselle Stijn wrote:
>>>> Hello fellow FreeIPA users,
>>>>
>>>> I'm trying to set up FreeIPA in a lab environment (VirtualBox):
>>>>
>>>> - ad.example.com (Windows Server 2008 R2) - 192.168.1.1
>>>> - ipa.example.com (CentOS 7.2) - 192.168.1.2
>>>>
>>>> Both machines can ping each other, DNS resolving works:
>>>>
>>>> [root@ipa ~] nslookup ad
>>>> Server:         192.168.1.1
>>>> Address:     192.168.1.1#53
>>>>
>>>> Name:     ad.example.com
>>>> Address: 192.168.1.1
>>>>
>>>>
>>>> I executed:
>>>>
>>>> yum install -y "*ipa-server*" bind bind-dyndb-ldap
>>>> ipa-server-install --domain=example.com --realm=EXAMPLE.COM --setup-dns --forwarder=192.168.1.1
>>>>
>>>> But the installation wizard fails at:
>>>>
>>>> Checking DNS forwarders, please wait ...
>>>> ipa            : ERROR   DNS server 192.168.1.1: query '. SOA': The DNS operation timed out after 10.00124242 seconds
>>>> ipa.ipapython.install.cli.install_tool(Server): ERROR     DNS server 192.168.1.1: query '. SOA': The DNS operation timed out after 10.00124242 seconds
>>>>
>>>>
>>>> Is there some way I can better troubleshoot this? Can I increase the
>>>> DNS timeout (maybe it's simply slow via VirtualBox)?
>>> Please try command
>>> $ dig @192.168.1.1 . SOA
>>> and paste the output here.
>>>
>>> Also, please run the installer again with option --debug.
>>>
>>> I will have a look.
>>>
>>> Thank you.
>>>
>>> --
>>> Petr^2 Spacek


-- 
Petr Spacek  @  Red Hat
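The installer check discussed in this thread, reproduced as an added example (not code from FreeIPA or from anyone in the thread): it sends the same '. SOA' probe to a forwarder using only the standard library and maps the outcome (answer, SERVFAIL, REFUSED, or silent timeout) to the global-forwarder versus per-zone-forwarder decision. The transaction id and the rcode wording are this example's own choices.

```python
import socket
import struct

# Response codes from RFC 1035 (section 4.1.1); REFUSED is what a server should
# return for an administratively prohibited query instead of dropping it.
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_root_soa_query(qid):
    """Wire-format query for '. SOA' with RD (recursion desired) set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    # The root name is a single empty label; QTYPE 6 = SOA, QCLASS 1 = IN.
    return header + b"\x00" + struct.pack("!HH", 6, 1)

def parse_response(qid, data):
    """Return (rcode, answer_count) from a reply, rejecting mismatched or bogus packets."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != qid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("packet is not a response")
    return flags & 0x000F, an

def classify(rcode, answers):
    """Turn the reply into the verdict the installer's forwarder check implies."""
    if rcode is None:
        return "TIMEOUT: forwarder dropped the query; a server should at least answer REFUSED"
    if rcode == 0 and answers > 0:
        return "NOERROR: root zone resolvable, usable as a global forwarder"
    name = RCODE_NAMES.get(rcode, str(rcode))
    return f"{name}: cannot resolve the root zone; use dnsforwardzone-add for the AD domain instead"

def check_forwarder(ip, timeout=10.0):
    """Send the same '. SOA' probe as the installer over UDP and classify the outcome."""
    qid = 0x1234  # constructed fixed id for the example; a real client randomizes it
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_root_soa_query(qid), (ip, 53))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return classify(None, 0)
    finally:
        sock.close()
    return classify(*parse_response(qid, data))
```

Calling check_forwarder("192.168.1.1") against the lab forwarder from the thread would yield the SERVFAIL verdict, matching the dig output above.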