06-17-2016 01:04 PM
We have a pair of Infoblox appliances set up as an HA pair in our prod site and a virtual appliance in our DR site. The HA pair in our prod site is the grid master and the DR appliance is running as a grid master candidate. Here is the problem. If we specify the prod Infoblox as our DNS server on a workstation or server and do an nslookup, everything works. If I enter the IP of the DR Infoblox as the DNS server, nslookup to anything fails. I got onto the DR Infoblox via SSH and it can get to anything. nslookup works just fine on the DR Infoblox, but I just can't get it to work from a workstation using the DR Infoblox as its DNS server. Please help!
06-17-2016 03:13 PM
It could be a number of things:
1) Have you verified IP connectivity/routing with traceroute/ping?
2) Do you get any response at all with nslookup or does it just time out?
3) When you use nslookup, are you appending a "." at the end of your queries? Time and again I have seen people miss this: the server then tries to forward or recurse and times out; add a dot and it works.
4) Is the DNS service started?
5) Is the D/R server correctly configured as a slave server for the zones in question, or is it in the name server group for the zones in question?
6) Have you verified that allow-query, allow-recursion and/or view match lists are set correctly?
7) Have you done a restart services?
PCN (UK) Ltd
All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE
06-17-2016 04:57 PM
Thanks for getting back to me. Here are my results...
(1) Traceroute fails (gets to the first hop, then the rest time out).
(2) nslookup displays the name of the Infoblox appliance and the IP address, but the DNS requests time out (twice).
(3) Adding a "." did work, though. Not sure what's happening when you add a period, but that does make it work.
(4) The DNS service is running.
(5) I'm not sure where to check for this, but I do know that this machine is the grid master candidate.
(6) "Allow queries from" is set to (set of ACEs), "Allow recursion" is checked and set to (set of ACEs); not sure where to check for "view for match".
(7) I did restart the DR appliance.
Hope this helps, Please let me know if you need any more info. Thanks for your help.
06-20-2016 09:49 AM
I would say that step (1) is your problem.
If you can't get packets to the box in the DR site, you can't make queries.
If the member has joined the grid, then it is probably a FW issue for clients -> DR via port 53.
Check with the FW or network team on how the packets are routed.
Also, if "nslookup worked on the DR box", where were you sourcing these lookups from, and how is that location different from the client location?
Lastly - DON'T use nslookup, use 'dig'.
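The checklist in the second reply and the "use dig" advice in the last one boil down to looking at the raw reply flags (or their absence) from the server the client is actually pointed at. The script below is an added example, not code from this thread or from Infoblox: it sends one hand-built DNS query to a chosen server using only the Python standard library and classifies the result the way the replies above do (no packet back = routing/firewall; REFUSED = allow-query/view match list; AA set = the server holds the zone; no RA = allow-recursion; SERVFAIL without AA = forwarding/recursion failing upstream). It sends the name exactly as typed, which is why testing the name with and without a trailing dot from this tool separates the stub resolver's search-list suffixing from what the server does. Server address, name and timeout are command-line arguments; nothing else is assumed.

```python
"""Raw DNS probe: send one query to a chosen server and classify the reply.

Added example (not from the thread or from Infoblox). Standard library only;
the only assumption is that the host running it can reach the server on port 53.
"""
import random
import socket
import struct

QTYPE_A = 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(name, rd=True, qid=None, qtype=QTYPE_A):
    """Encode a single-question DNS query (RFC 1035 section 4.1).

    The name goes on the wire exactly as given (a trailing dot is the root and
    is simply dropped before label encoding). Search-list suffixing is a stub
    resolver feature that nslookup applies client-side when the name has no
    trailing dot, so this lets you see what the server really receives.
    """
    if qid is None:
        qid = random.randint(0, 0xFFFF)
    flags = 0x0100 if rd else 0x0000  # RD bit: ask the server to recurse for us
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = [lbl.encode("ascii") for lbl in name.rstrip(".").split(".") if lbl]
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return qid, header + qname + struct.pack("!HH", qtype, 1)


def parse_header(resp):
    """Decode the 12-byte header; the flag bits are all the diagnosis needs."""
    if len(resp) < 12:
        raise ValueError("short DNS response")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),   # 1 = this is a response
        "aa": bool(flags & 0x0400),   # authoritative answer
        "tc": bool(flags & 0x0200),   # truncated: retry over TCP
        "rd": bool(flags & 0x0100),   # our RD bit echoed back
        "ra": bool(flags & 0x0080),   # server willing to recurse for this client
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": an,
    }


def classify(hdr):
    """Map a parsed reply header (or None for no reply) to the likely cause."""
    if hdr is None:
        return "NO_RESPONSE: nothing came back on port 53; check routing/firewall before DNS config"
    if hdr["rcode"] == "REFUSED":
        return "REFUSED: client is not matched by allow-query (or the view match list)"
    if hdr["tc"]:
        return "TRUNCATED: retry over TCP/53 (which the firewall must also allow)"
    if hdr["aa"]:
        return "AUTHORITATIVE: server answered from its own copy of the zone (%s)" % hdr["rcode"]
    if not hdr["ra"]:
        return "NO_RECURSION: server does not hold this zone and will not recurse for this client (allow-recursion)"
    if hdr["rcode"] == "SERVFAIL":
        return "SERVFAIL: server tried to recurse/forward and failed upstream"
    return "RECURSIVE_ANSWER: %s, %d answer RR(s)" % (hdr["rcode"], hdr["answers"])


def probe(server, name, rd=True, timeout=3.0, tcp=False):
    """Send one query to server:53 and return the parsed header, or None on timeout."""
    qid, pkt = build_query(name, rd=rd)
    try:
        if tcp:
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(pkt)) + pkt)  # TCP framing: 2-byte length prefix
                length = struct.unpack("!H", s.recv(2))[0]
                resp = b""
                while len(resp) < length:
                    chunk = s.recv(length - len(resp))
                    if not chunk:
                        break
                    resp += chunk
        else:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(pkt, (server, 53))
                resp, _ = s.recvfrom(4096)
    except (socket.timeout, OSError):
        return None  # no packet at all: a network problem, not a DNS configuration one
    hdr = parse_header(resp)
    if hdr["id"] != qid or not hdr["qr"]:
        raise ValueError("reply does not match our query")
    return hdr


if __name__ == "__main__":
    import sys
    server, name = sys.argv[1], sys.argv[2]
    # Fully qualified name (trailing dot) first, then the bare name, so that a
    # difference between the two points at search-list handling on the client.
    for n in (name if name.endswith(".") else name + ".", name.rstrip(".")):
        print("%-40s -> %s" % (n, classify(probe(server, n))))
```

Run it from the workstation that fails, against the DR appliance's IP, with a name from a zone the grid serves. A NO_RESPONSE for the DR address but a reply from the prod address from the same workstation confirms the routing/firewall diagnosis in the last reply; a REFUSED or NO_RECURSION result instead points at the allow-query and allow-recursion ACLs from item 6 of the checklist.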