“ANY” (*) DNS Query is used by VMware Data Protection (VDP)
After a VMware migration from version 4.5 to 5.5, I got stuck in the installation of VMware Data Protection (VDP) 6.1.1. The deployment of the VDP appliance succeeded, but while configuring the appliance through the web browser (link: https://vdp.example.com:8543/vdp-configure/), it returned an error:
“IP/DNS could not be resolved. Please check the hostname, domain, and DNS values for forward and reverse lookup validation”
Here are some test results and the diagnostic methods I used to find the root cause of the error. This may help someone troubleshooting the same error.
As it is a DNS error, the initial diagnosis is done with the nslookup command. Verify that both forward and reverse lookups are correct for both vCenter and VDP. At this stage (Network Settings) the wizard checks only the DNS of the VDP appliance.
The following names and IPs are used for explanation instead of the actual IPs and hostnames:
vCenter IP: 192.168.0.1, FQDN: vcenter.example.com
VDP IP: 192.168.0.2, FQDN: vdp.example.com
DNS IP: 192.168.0.3, FQDN: dns.example.com
As per VMware KB 2036396, both vCenter and VDP should respond to ping, and the forward (A record) and reverse (PTR record) lookups should succeed for both of them, from the vCenter and from the VDP appliance:
nslookup vdp.example.com 192.168.0.3
nslookup 192.168.0.2 192.168.0.3
nslookup vcenter.example.com 192.168.0.3
nslookup 192.168.0.1 192.168.0.3
If these do not return the expected output, you may also check the following:
Telnet to the DNS server and make sure that the service is reachable on port 53 (telnet 192.168.0.3 53). This will fail if the DNS server and VDP are in different network zones and the firewall rules are not configured properly. Note that telnet only tests TCP; nslookup and most resolvers send their queries over UDP 53 first, so a resolver that works over UDP can still fail this telnet test, and a successful telnet does not prove that UDP 53 is open.
In my case all the forward and reverse lookups were working fine and I was still getting the same error.
At this stage, I just confirmed the names in /etc/hosts:
192.168.0.2 vdp.example.com vdp
127.0.0.1 localhost.localdomain localhost
Make sure that your DNS server is listed in /etc/resolv.conf.
I was still getting the same DNS error. I then talked to VMware support and they instructed me to check the above settings, the same as listed in the VMware KB. Their second suggestion was to redeploy the older appliances, and we tested with VDP 6.1.1, 6.1, 5.8.1 and 5.8.
Appliance 5.8.x shows an SSL error and will not open in most browsers without a patch, as per VMware (known issue):
Error code: ERR_CONNECTION_CLOSED
The fix script is in VMware KB 2111900.
The VMware Data Protection web configuration was still showing the “IP/DNS could not be resolved” message when applying the Network settings.
Now I ran a network packet sniffer (tcpdump) on the VDP server. tcpdump is built into almost all Linux distributions, and VDP is built on SUSE Linux. It is better to work through an SSH client like PuTTY than from the VMware console.
The default root password of the VDP appliance is “changeme”. However, an SSH connection to the VDP shows an authentication error, because SSH login for root is disabled by default.
How to enable SSH in the VDP server
Do this only for the duration of the troubleshooting: set a real root password instead of the default, and comment the line out again when you are done, because an appliance with root SSH and a well-known password is a trivial target. Open the file /etc/ssh/sshd_config, find the line “PermitRootLogin yes” and uncomment it. Now restart the SSH server with
Back to the packet sniffer tcpdump to debug
Connect by SSH to the VDP server and run the following command to monitor only the DNS traffic:
tcpdump -vvv -s 0 -l -n port 53
Now, from another SSH session, test a DNS request using nslookup.
Important portion of the output:
q: A? vdp.example.com. 1/0/0 vdp.example.com. A 192.168.0.2
Now run the VDP web configuration and apply the Network settings to reproduce the DNS error, and check the request and response in tcpdump.
The request is initiated by the vdp-configure/services/dns/dolookup web call.
Important portion of the output:
q: ANY? vdp.example.com. 0/1/0 ns: example.com. SOA dns.example.com.
Here there is no IP address in the reply. The counts tcpdump prints are answer/authority/additional: 0/1/0 means zero answer records, one authority record (the zone's SOA) and zero additional records, i.e. a NODATA response, compared with 1/0/0 for the plain A query. The VDP appliance's web configuration uses an “ANY” meta-query instead of a normal A record check. In my case this was the reason for the DNS error.
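To make the two captures above concrete, here is an added example (my code, not VDP's, unbound's or BIND's) that builds A, PTR and ANY queries the way nslookup and the dolookup call do, decodes the reply, and turns the answer/authority/additional counts into the verdicts that matter: 1/0/0 becomes “A 192.168.0.2”, 0/1/0 with only an SOA becomes NODATA. The two replies at the bottom are constructed bytes mirroring the tcpdump output, not real captures, and the names, serial and timers in the SOA are assumptions. query_udp does the same check against a live server, and classify also flags the truncated (TC) case, in which a large ANY reply does not fit in UDP and has to be retried over TCP.

```python
"""Added example (not VDP, unbound or BIND code): build the A/PTR/ANY queries
that nslookup and the VDP dolookup call send, and decode the replies so the
an/ns/ar counts tcpdump prints ("1/0/0", "0/1/0") can be interpreted."""
import socket
import struct

TYPE_A, TYPE_SOA, TYPE_PTR, TYPE_ANY = 1, 6, 12, 255
TYPE_NAME = {1: "A", 2: "NS", 6: "SOA", 12: "PTR", 255: "ANY"}
FLAG_TC = 0x0200  # truncated reply: the client must retry over TCP port 53

def encode_name(name):  # "vdp.example.com." -> length-prefixed labels, no compression
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, off):  # handles compression pointers; returns (name, next offset)
    labels, end = [], None
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:  # 2-byte pointer to an earlier copy of the name
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)

def reverse_name(ip):  # 192.168.0.2 -> 2.0.168.192.in-addr.arpa (what a PTR lookup asks for)
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def build_query(name, qtype, txid=0x1234):  # RD set, one IN question
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, 1))

def build_rr(name, rtype, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def build_response(query, answer=(), authority=(), flags=0x8180):
    """Constructed reply: echo the question, append RRs; 0x8180 = QR, RD, RA set."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answer), len(authority), 0)
    return header + query[12:] + b"".join(answer) + b"".join(authority)

def parse_response(msg):
    """Return flags plus answer/authority/additional lists of (name, type, value)."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4
    def read_rrs(count):
        nonlocal off
        rrs = []
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == TYPE_A and rdlen == 4:
                value = socket.inet_ntoa(msg[off:off + 4])
            elif rtype in (TYPE_PTR, TYPE_SOA):  # for SOA this is MNAME, the primary server
                value, _ = decode_name(msg, off)
            else:
                value = msg[off:off + rdlen].hex()
            off += rdlen
            rrs.append((name, TYPE_NAME.get(rtype, str(rtype)), value))
        return rrs
    return {"flags": flags, "answer": read_rrs(an),
            "authority": read_rrs(ns), "additional": read_rrs(ar)}

def counts(parsed):  # the answer/authority/additional triple tcpdump prints, e.g. 1/0/0
    return "%d/%d/%d" % tuple(len(parsed[k]) for k in ("answer", "authority", "additional"))

def classify(parsed):
    """Reduce a reply to the verdict a hostname/IP validation step needs."""
    flags = parsed["flags"]
    if flags & FLAG_TC:
        return "TRUNCATED (retry the query over TCP 53)"
    rcode = flags & 0x000F
    if rcode:
        return "NXDOMAIN" if rcode == 3 else "RCODE %d" % rcode
    for _, rtype, value in parsed["answer"]:
        if rtype in ("A", "PTR"):
            return "%s %s" % (rtype, value)
    if any(rtype == "SOA" for _, rtype, _ in parsed["authority"]):
        return "NODATA (name exists, but no records of the requested type came back)"
    return "EMPTY"

def query_udp(server, name, qtype, timeout=3.0):
    """Live check (not exercised offline): one UDP query to server, classified."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qtype), (server, 53))
        data, _ = sock.recvfrom(4096)
    return classify(parse_response(data))

# Constructed replies mirroring the two captures in the post: nslookup's A query
# answered 1/0/0, and the VDP ANY query answered 0/1/0 with only an SOA (assumed values).
A_REPLY = build_response(build_query("vdp.example.com", TYPE_A), answer=[
    build_rr("vdp.example.com", TYPE_A, 3600, socket.inet_aton("192.168.0.2"))])
SOA_RDATA = (encode_name("dns.example.com") + encode_name("hostmaster.example.com")
             + struct.pack("!IIIII", 2016010101, 3600, 900, 604800, 86400))
ANY_REPLY = build_response(build_query("vdp.example.com", TYPE_ANY), authority=[
    build_rr("example.com", TYPE_SOA, 3600, SOA_RDATA)])
```

In a Python shell, counts(parse_response(A_REPLY)) gives 1/0/0 and counts(parse_response(ANY_REPLY)) gives 0/1/0, with classify returning the A record for the first and NODATA for the second. To test your own resolver the way the appliance does, call query_udp("192.168.0.3", "vdp.example.com", TYPE_ANY) next to the same call with TYPE_A: a resolver that answers the A query but returns NODATA or an empty reply for ANY is exactly the situation described above.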
Here my DNS server is running on a Linux box with unbound. We have been using it for a long time in my organization for both Internet and intranet DNS needs. As per my understanding, unbound is a single-purpose DNS server: there is no code to support dynamic DNS updates, zone transfers, etc. As it was not able to respond to the “ANY” query, I had to find a workaround. So I configured a different Linux server with BIND just to answer the DNS requests from the VDP server.
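As an added example of the kind of BIND setup that workaround needs (my configuration, not the author's), the following three files give a BIND host, assumed here to be ns2.example.com at 192.168.0.4, authority for the example.com forward zone and the 192.168.0.0/24 reverse zone used throughout the post. Comments in named.conf use //, in the zone files ;. The options block is deliberately restrictive: a server that answers ANY with a full record set is a usable amplifier if anyone on the Internet can query it.

```bind
// /etc/named.conf (added example; assumes the BIND host is ns2.example.com, 192.168.0.4)
options {
    directory "/var/named";
    recursion no;                     // authoritative only; nothing is forwarded or cached
    allow-query { 192.168.0.0/24; };  // only the VDP/vCenter subnet may ask
    allow-transfer { none; };         // AXFR is how zones are copied; nobody needs it here
    rate-limit { responses-per-second 10; };  // RRL blunts abuse of large (ANY) answers
};
zone "example.com" IN {
    type master;
    file "example.com.zone";
};
zone "0.168.192.in-addr.arpa" IN {
    type master;
    file "0.168.192.rev";
};

; /var/named/example.com.zone  (forward lookups)
$TTL 3600
@        IN SOA   ns2.example.com. hostmaster.example.com. (
                  2016010101 3600 900 604800 86400 )
         IN NS    ns2.example.com.
ns2      IN A     192.168.0.4
vcenter  IN A     192.168.0.1
vdp      IN A     192.168.0.2

; /var/named/0.168.192.rev  (reverse lookups)
$TTL 3600
@        IN SOA   ns2.example.com. hostmaster.example.com. (
                  2016010101 3600 900 604800 86400 )
         IN NS    ns2.example.com.
1        IN PTR   vcenter.example.com.
2        IN PTR   vdp.example.com.
4        IN PTR   ns2.example.com.
```

Point the appliance's /etc/resolv.conf at 192.168.0.4, check the files with named-checkconf and named-checkzone example.com /var/named/example.com.zone, and then dig ANY vdp.example.com @192.168.0.4 should return the A record rather than an SOA-only answer. With recursion off this server only answers for these two zones; if the appliance also has to resolve other names, it needs forwarders and recursion enabled for that subnet.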
Now the questions come up: what is an “ANY” record in DNS? Why is it used in this appliance? Why is my DNS server not responding to the “ANY” query?
“ANY” (QTYPE 255, written “*” in RFC 1035) is a special DNS meta-query. Instead of asking for a single record type such as A or NS, it asks for all the record types the server holds for one name.
Because it returns every record at a name, it produces one of the largest replies a DNS server can send. It is not a zone transfer, though: ANY covers a single name, whereas copying an entire zone uses the AXFR/IXFR query types, which a properly configured server restricts with allow-transfer. A resolver is also not obliged to return everything: a recursive server answers ANY from its cache, so it may return only the types it happens to have cached, and many resolvers now deliberately give a minimal or empty answer to ANY (RFC 8482; unbound's deny-any option is one example).
The large reply is what makes ANY useful in DNS amplification DDoS attacks: a small UDP query with a spoofed source address elicits a big response aimed at the victim. That is why some DNS servers do not respond to “ANY” queries.
The basic reason for adding ANY to DNS was to assist in debugging and testing; there is no good reason for an application to validate a hostname with an ANY query, since the record it actually needs (A or PTR) can be asked for directly.
How to query “ANY” or “*” using nslookup / dig:
dig ANY google.com @192.168.0.3
nslookup -q=ANY google.com 192.168.0.3
Also bear in mind that a plain UDP DNS reply is limited to 512 bytes (larger only if the client advertises a bigger EDNS buffer size); when an answer such as a big ANY reply does not fit, the server sets the TC (truncated) flag and the client must retry the same query over TCP port 53. So make sure that both TCP and UDP port 53 are open in the firewalls.