I can telnet to the dns servers on port 53 from other hosts on the 131.243.78 subnet so I don’t think that’s the problem.

I will attempt to do a packet trace as per Justin’s suggestion and get back to the list.

Thanks,
Scott


On Apr 25, 2019, at 1:09 PM, tmac <tmacmd@gmail.com> wrote:

So, not going to explain how to here....
But if you know how, unlock the diag user and set a password.
Open a systemshell to a node
try: telnet 131.243.5.1 53

My example:
(fails)
home-01% telnet 192.168.1.208 53
Trying 192.168.1.208...
telnet: connect to address 192.168.1.208: Connection refused
telnet: Unable to connect to remote host
(works)
home-01% telnet 192.168.1.159 53
Trying 192.168.1.159...
Connected to homeauto.ddns.net.
^CConnection closed by foreign host.
(fails)
home-01% telnet 192.168.1.155 53
Trying 192.168.1.155...
telnet: connect to address 192.168.1.155: Connection refused
telnet: Unable to connect to remote host
home-01% exit

The failures are what happens when the port is either blocked or not communicating on port 53 (dns)

--tmac

Tim McCarthy, Principal Consultant

Proud Member of the #NetAppATeam

I Blog at TMACsRack




On Thu, Apr 25, 2019 at 3:53 PM Scott Classen <sclassen@lbl.gov> wrote:
sibyls2::*> dns modify -vserver als-enable-ds1 -domains als.lbl.gov,lbl.gov -name-servers 131.243.5.2 -timeout 10

Error: "10" is an invalid value for field "-timeout <1..5>"

sibyls2::*> dns modify -vserver als-enable-ds1 -domains bl1231.als.lbl.gov,als.lbl.gov,lbl.gov -name-servers 131.243.5.2 -timeout 5 

Error: Failed to verify the specified DNS configuration.
       131.243.5.2: Operation timed out.
       command failed: Verify that the network configuration is correct and that DNS servers are available. Specify "-skip-config-validation" to skip the configuration validation.


sibyls2::*> dns modify -vserver als-enable-ds1 -domains bl1231.als.lbl.gov,als.lbl.gov,lbl.gov -name-servers 131.243.5.2 -timeout 5 -skip-config-validation

sibyls2::*> dns check -vserver als-enable-ds1                                                                                                               
                              Name Server
Vserver       Name Server     Status       Status Details
------------- --------------- ------------ --------------------------
als-enable-ds1                down         Operation timed out.
              131.243.5.2

sibyls2::*> vserver services name-service getxxbyyy gethostbyname -node sibyls2-03 -vserver als-enable-ds1 -hostname nsals.lbl.gov                         
Host name: nsals.lbl.gov
Canonical name: nsals.lbl.gov
IPv4: 131.243.5.2


Seems odd that a gethostbyname of the name server (nsals.lbl.gov) works but dns check doesn’t

S



> On Apr 25, 2019, at 12:39 PM, Parisi, Justin <Justin.Parisi@netapp.com> wrote:
>
> So, ping and traceroute won't really check what you need to check for DNS connectivity; that's access to the IP over port 53.
>
> DNS check will test round trip time to the DNS server by doing a simple DNS lookup of example.domain.com and reports the time it took for that request.
>
> "Operation timed out" means either that the DNS query couldn't be made or it took longer than the DNS timeout you have set. Try increasing the timeout from 2 seconds to 10 seconds and retry the check. A packet trace will also be useful to see why/how the requests are failing.
>
> -----Original Message-----
> From: toasters-bounces@teaparty.net <toasters-bounces@teaparty.net> On Behalf Of Scott Classen
> Sent: Thursday, April 25, 2019 2:48 PM
> To: toasters@teaparty.net
> Subject: DNS woes
>
> NetApp Security WARNING: This is an external email. Do not click links or open attachments unless you recognize the sender and know the content is safe.
>
>
>
>
> Hello,
>
> Can anyone help me with this before I open a case with NetApp?
>
> dns check on one of my sververs fails (see below where I get an “Operation timed out” error), but I can ping and traceroute from the vserver to the gateway and the DNS servers.
>
>
>
> sibyls2::*> dns show -vserver als-enable-ds1
>
>                              Vserver: als-enable-ds1
>                              Domains: als.lbl.gov, lbl.gov
>                         Name Servers: 131.243.5.1, 131.243.5.2
>                       Timeout (secs): 2
>                     Maximum Attempts: 1
>                Is TLD Query Enabled?: true Require Source and Reply IPs to Match: true
>      Require Packet Queries to Match: true
>
>
> sibyls2::*> dns check -vserver als-enable-ds1
>                              Name Server
> Vserver       Name Server     Status       Status Details
> ------------- --------------- ------------ --------------------------
> als-enable-ds1                down         Operation timed out.
>              131.243.5.1
> als-enable-ds1                down         Operation timed out.
>              131.243.5.2
> 2 entries were displayed.
>
>
> sibyls2::*> ping -node sibyls2-03 -destination 131.243.78.1 -vserver als-enable-ds1 -wait-response 2000 -count 3
> 131.243.78.1 is alive
>
> sibyls2::*> ping -node sibyls2-03 -destination 131.243.5.1 -vserver als-enable-ds1 -wait-response 2000 -count 3
> 131.243.5.1 is alive
>
> sibyls2::*> ping -node sibyls2-03 -destination 131.243.5.2 -vserver als-enable-ds1 -wait-response 2000 -count 3
> 131.243.5.2 is alive
>
> sibyls2::*> ping -node sibyls2-04 -destination 131.243.78.1 -vserver als-enable-ds1 -wait-response 2000 -count 3
> 131.243.78.1 is alive
>
> sibyls2::*> ping -node sibyls2-04 -destination 131.243.5.1 -vserver als-enable-ds1 -wait-response 2000 -count 3
> 131.243.5.1 is alive
>
> sibyls2::*> ping -node sibyls2-04 -destination 131.243.5.2 -vserver als-enable-ds1 -wait-response 2000 -count 3
> 131.243.5.2 is alive
>
> sibyls2::*> traceroute -node sibyls2-03 -vserver als-enable-ds1 -destination 131.243.78.1 traceroute to 131.243.78.1 (131.243.78.1), 64 hops max, 40 byte packets
> 1  vlan3078.irals.lbl.gov (131.243.78.1)  0.521 ms *  0.484 ms
>
>
> sibyls2::*> traceroute -node sibyls2-03 -vserver als-enable-ds1 -destination 131.243.5.1 traceroute to 131.243.5.1 (131.243.5.1), 64 hops max, 40 byte packets
> 1  vlan3078.irals.lbl.gov (131.243.78.1)  0.478 ms  0.369 ms  0.376 ms
> 2  xe-2-2-1.er1-n1.lbl.gov (131.243.244.140)  0.411 ms  0.391 ms  0.330 ms
> 3  t5-4.ir1-n1.lbl.gov (131.243.244.131)  0.796 ms  1.365 ms  0.524 ms
> 4  ns.lbl.gov (131.243.5.1)  0.402 ms  0.765 ms  0.936 ms
>
>
> sibyls2::*> traceroute -node sibyls2-03 -vserver als-enable-ds1 -destination 131.243.5.2 traceroute to 131.243.5.2 (131.243.5.2), 64 hops max, 40 byte packets
> 1  vlan3078.irals.lbl.gov (131.243.78.1)  0.446 ms  0.409 ms  0.375 ms
> 2  nsals.lbl.gov (131.243.5.2)  0.649 ms  1.047 ms  1.080 ms
>
> sibyls2::*> traceroute -node sibyls2-04 -vserver als-enable-ds1 -destination 131.243.78.1 traceroute to 131.243.78.1 (131.243.78.1), 64 hops max, 40 byte packets
> 1  vlan3078.irals.lbl.gov (131.243.78.1)  0.443 ms *  0.502 ms
>
> sibyls2::*> traceroute -node sibyls2-04 -vserver als-enable-ds1 -destination 131.243.5.1 traceroute to 131.243.5.1 (131.243.5.1), 64 hops max, 40 byte packets
> 1  vlan3078.irals.lbl.gov (131.243.78.1)  0.515 ms  0.402 ms  0.388 ms
> 2  xe-2-2-1.er1-n1.lbl.gov (131.243.244.140)  0.513 ms  0.344 ms  0.326 ms
> 3  t5-4.ir3-n2.lbl.gov (131.243.244.129)  1.737 ms  1.618 ms
>    t5-4.ir4-n3.lbl.gov (131.243.244.133)  0.582 ms
> 4  ns.lbl.gov (131.243.5.1)  0.898 ms  1.213 ms  0.517 ms
>
> sibyls2::*> traceroute -node sibyls2-04 -vserver als-enable-ds1 -destination 131.243.5.2 traceroute to 131.243.5.2 (131.243.5.2), 64 hops max, 40 byte packets
> 1  vlan3078.irals.lbl.gov (131.243.78.1)  2.075 ms  1.451 ms  0.403 ms
> 2  nsals.lbl.gov (131.243.5.2)  1.198 ms  0.410 ms  0.911 ms _______________________________________________
> Toasters mailing list
> Toasters@teaparty.net
> http://www.teaparty.net/mailman/listinfo/toasters


_______________________________________________
Toasters mailing list
Toasters@teaparty.net
http://www.teaparty.net/mailman/listinfo/toasters