08-23-2017 10:29 PM - edited 08-23-2017 10:30 PM
I am trying to fix a strange issue with Infoblox that affects a new zone created recently.
The problem is that Infoblox does NOT provide any response (no packets returned) for queries to the new zone if the client belongs to a specific IP subnet. At the same time, the same client can successfully query other existing zones hosted on the same server.
The old and new zone settings are completely identical.
The old and new zones allow queries for Any client.
No DNS views used, except for the default one.
No Advanced Protection enabled.
In the DNS query log, the failed queries are not shown at all.
Other queries and responses are correctly logged.
What can be the cause of this behaviour?
08-29-2017 10:27 AM
That is a strange one.
So you have covered all the normal stuff that would usually cause the issue below: views, ACLs, etc.
Have you verified that the queries actually get to infoblox by running a packet capture?
Do you have multiple interfaces and/or anything like a firewall that might be doing DNS inspection that might be breaking the connection? I've seen Juniper and Cisco firewall configs that do DNS inspection and break DNS.
08-29-2017 10:36 AM
Here are a few other troubleshooting steps:
Did you restart services after creating the zone?
If not, the zone may not be loaded on any members.
Is the zone configured to be authoritative on the members that you are trying to query?
If you did the step above and the queries aren't working, you should confirm that the members the zone is assigned to are listed in the name servers box. If you are using the same name server group, then you should be covered.
Do you see a statement in syslog saying that the zone is loaded?
If not, chances are something above did not check out. If you see that the zone has successfully loaded, you should be good to proceed.
Is the client contacting the authoritative member directly or via some intervening DNS server?
This is where things start getting more complicated. Are you querying the authoritative member DIRECTLY or does the client go to a different DNS server that queries for the results on the client's behalf? If you have not tested this DIRECTLY, do so and confirm that everything is working. If it works that way and NOT when you have another DNS server in the middle, then you have either a DNS server configuration issue or a delegation issue.
Possible DNS Server configuration issues: Forwarding (Zone or Server level)
Update this setting as appropriate.
Look to the parent zone (of your new zone) to clean this up. If everything is "in Grid", this should have been handled for you automatically. If not, you'll need to go to the appropriate parent master name server to resolve this issue.
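The "query the member DIRECTLY from the affected client" step above, as an added example (not code from the thread or from Infoblox): it sends a non-recursive SOA query for the old and new zone from a chosen source address and separates the symptom in the original post (no packet returned at all) from REFUSED, NXDOMAIN or a non-authoritative answer. The member address, source address and zone names are placeholders you must replace.

```python
import socket
import struct

# Constructed placeholders (assumptions, not values from the thread).
AUTH_MEMBER = "192.0.2.53"   # the Infoblox member the zone is assigned to
SOURCE_IP = "0.0.0.0"        # set to an address in the affected subnet

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=6, txid=0x1234, rd=False):
    """Minimal DNS query (SOA by default). rd=False asks the authoritative
    member directly, so a forwarder or resolver in the path cannot answer."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_response(data, txid):
    """Classify a raw reply: RCODE name, whether the AA bit is set (the member
    really is authoritative for the zone), and the answer count."""
    if len(data) < 12:
        return "MALFORMED"
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        return "TXID_MISMATCH"
    rcode = RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F))
    aa = "AA" if flags & 0x0400 else "NOAA"
    return "%s/%s/answers=%d" % (rcode, aa, an)

def probe(name, server=AUTH_MEMBER, source_ip=SOURCE_IP, timeout=2.0):
    """One SOA query from source_ip to server. 'NO_RESPONSE' is the symptom
    from the thread: the query leaves and nothing comes back."""
    txid = 0x2A2A
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.bind((source_ip, 0))
        s.sendto(build_query(name, txid=txid), (server, 53))
        data, _ = s.recvfrom(4096)
        return parse_response(data, txid)
    except socket.timeout:
        return "NO_RESPONSE"
    except OSError as e:
        return "SEND_ERROR: %s" % e
    finally:
        s.close()

def compare_zones(old_zone, new_zone, **kw):
    """Same client, same member, both zones: a healthy old zone next to a
    NO_RESPONSE new zone points at zone loading/assignment, not the path."""
    return {z: probe(z, **kw) for z in (old_zone, new_zone)}
```

Run compare_zones("old.example.com", "new.example.com") first from a host inside the affected subnet and then from one outside it; if the direct probe answers with NOERROR/AA everywhere, move on to the forwarding and delegation checks.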