DNS Forwarding not working


Lucas Rafagnin

Dec 23, 2021, 8:23:11 PM
to cloud-dn...@googlegroups.com
Hi team,

Looking for help regarding a private DNS forwarding setup between GCP and a Windows 2008 AD on-prem.
The network connection is up and GCP has line of sight to the DNS servers, the firewall is open and everything works fine, but when we request resolution of a domain name, we get a SERVFAIL.

During debugging, we found out that "dig" only works if we add +nocookie or +noedns.
e.g. "dig example.int @dns-server-ip" doesn't work but "dig example.int @dns-server-ip +noedns" returns the correct IP address

My question is: what are the requirements for CloudDNS?
Do we have a workaround to get the forwarding to work?

Cheers / Bien Cordialement,

         
     Lucas Rafagnin
     Partner Engineer (France)
     rafa...@google.com
    
+33 7 87 03 09 72

sa...@google.com

Dec 24, 2021, 3:57:17 PM
to cloud-dns-discuss

Hi Jesse,

When Cloud DNS receives an error from the target name server (which is Windows 2008 AD in your case) or does not receive an appropriate response from any of the target name servers, it will return a “SERVFAIL” error.

To troubleshoot this issue please make sure your on-premises name server is properly configured. The reason why I am saying this is because it returns proper IP addresses when you use +noedns or +nocookie with your dig query. “In practice, difficulties can arise when using EDNS traversing firewalls, since some firewalls assume a maximum DNS message length of 512 bytes and block longer DNS packets” [1]. Make sure that DNS traffic is not filtered anywhere inside your VPC network or on-premises environment. Please follow “Open Google Cloud and on-premises firewalls to allow DNS traffic” [2] to ensure your on-premises firewall passes queries from Cloud DNS, mostly 35.199.192.0/19 ranges using UDP port 53 or TCP port 53. It is important to note here that your on-premises name server should respond to queries from the Cloud DNS address ranges (35.199.192.0/19) within 4 seconds. You can find troubleshooting steps for scenarios like “Outbound forwarded queries receive SERVFAIL errors” in [3].

It is important to take note of “Verify return routes” [4] which emphasizes you also need to make sure your on-premises network routes the responses for 35.199.192.0/19 back to GCP using the VPN tunnel / Interconnect to the same VPC network where the DNS requests were originated. Please note that it is very important to understand that the range 35.199.192.0/19 is not publicly advertised and it’s not routable over the Internet.

I hope the above solution might be helpful for you. As this is a more technical question, and as this forum is meant for general questions about the platform, please post your question at serverfault.com where you have access to a large community of enthusiasts and experts to share ideas with and get support from.

Links:

[1] EDNS: https://en.wikipedia.org/wiki/Extension_Mechanisms_for_DNS#:~:text=Extension%20Mechanisms%20for%20DNS%20(EDNS,increasing%20functionality%20of%20the%20protocol.

[2] Open Google Cloud and on-premises firewalls to allow DNS traffic: https://cloud.google.com/dns/docs/best-practices#open-google-cloud-and-on-premises-firewalls

[3] Outbound forwarded queries receive SERVFAIL errors: https://cloud.google.com/dns/docs/troubleshooting#outbound-forwarded-queries-receive-servfail-errors

[4] Verify return routes: https://cloud.google.com/dns/docs/troubleshooting#verify-return-routes
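The symptom in the original question (plain `dig` fails, `+nocookie` or `+noedns` succeeds) and the reply's advice to check the on-premises server and the path to it can be pinned down at the wire level. The script below is an added example, not code from this thread, from Google or from Cloud DNS: it builds the three query variants dig sends (EDNS with a COOKIE option, EDNS without it, and no OPT record at all), sends them over UDP with the 4-second deadline the reply quotes for Cloud DNS, and classifies which variant the target accepts. The server address `192.0.2.53` is a constructed placeholder; `example.int` is the name from the thread.

```python
"""Wire-level EDNS / COOKIE probe for a forwarding target (added example)."""
import os
import random
import socket
import struct

DNS_SERVER = "192.0.2.53"   # constructed placeholder; put the on-prem AD DNS server here
QUERY_NAME = "example.int"  # name used in the thread
CLOUD_DNS_DEADLINE = 4.0    # seconds; response-time limit quoted in the reply

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(name, qtype=1, edns=True, cookie=True, udp_size=4096):
    """Build a DNS query the way dig does: default (EDNS + COOKIE),
    +nocookie (EDNS without the COOKIE option) or +noedns (no OPT record)."""
    txid = random.randrange(0, 65536)
    arcount = 1 if edns else 0
    # flags 0x0100: standard query with RD set, as dig sends it
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS IN
    opt = b""
    if edns:
        rdata = b""
        if cookie:
            # RFC 7873 COOKIE option: code 10, 8-byte random client cookie
            rdata = struct.pack("!HH", 10, 8) + os.urandom(8)
        # OPT RR: root name, TYPE 41, CLASS = advertised UDP payload size,
        # TTL = extended RCODE / version / flags (all zero), RDLENGTH, RDATA
        opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, len(rdata)) + rdata
    return header + question + opt, txid


def parse_response(data, txid):
    """Return the fields a troubleshooter cares about from a raw DNS response."""
    if len(data) < 12:
        raise ValueError("response shorter than a DNS header")
    rid, flags, _qd, an, _ns, ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    return {
        "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "tc": bool(flags & 0x0200),  # truncated: would force a TCP retry
        "answers": an,
        "additional": ar,            # 1 when the server echoed an OPT record
    }


def probe(server, name, edns, cookie, timeout=CLOUD_DNS_DEADLINE):
    """Send one query variant over UDP/53 and parse the reply (or time out)."""
    query, txid = build_query(name, edns=edns, cookie=cookie)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            return {"rcode": "TIMEOUT", "tc": False, "answers": 0, "additional": 0}
    return parse_response(data, txid)


def classify(plain, nocookie, noedns):
    """Map the three probe outcomes to the most likely cause."""
    def ok(r):
        return r["rcode"] == "NOERROR" and r["answers"] > 0

    if ok(plain):
        return ("EDNS and COOKIE accepted; if Cloud DNS still reports SERVFAIL, check the "
                "4 s response time and the return route for 35.199.192.0/19")
    if ok(nocookie):
        return "target answers EDNS queries but fails when the COOKIE option is present"
    if ok(noedns):
        return "target, or a firewall on the path, rejects EDNS queries (OPT record present)"
    return "no variant works; check reachability and UDP/TCP 53 rules before the server itself"


if __name__ == "__main__":
    results = {
        "plain": probe(DNS_SERVER, QUERY_NAME, edns=True, cookie=True),
        "+nocookie": probe(DNS_SERVER, QUERY_NAME, edns=True, cookie=False),
        "+noedns": probe(DNS_SERVER, QUERY_NAME, edns=False, cookie=False),
    }
    for variant, r in results.items():
        print(f"{variant:<10} rcode={r['rcode']:<9} answers={r['answers']} tc={r['tc']}")
    print(classify(results["plain"], results["+nocookie"], results["+noedns"]))
```

Run it from a host on the same path Cloud DNS uses (inside the VPC, reaching the server through the VPN tunnel or Interconnect) so that the same firewalls are in the way; a result that differs from the same script run on-premises points at the path rather than at the Windows server. A `tc` flag or a `TIMEOUT` on the EDNS variants but not on `+noedns` is the 512-byte firewall case the reply quotes.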
