NSX-V 6.4.8 and 6.4.9 Edge gateways configured for DNS forwarding may return SERVER FAILURE (SERVFAIL) status to clients despite a successful DNS response from the DNS server
Article ID: 345887
Products
VMware NSX Networking
Issue/Introduction
Symptoms:
VMs using an NSX Edge for DNS do not work after a new deployment of NSX-V 6.4.8
VMs using an NSX Edge for DNS do not work after upgrading the Edge to NSX-V 6.4.8
A packet capture taken on the NSX Edge shows the Edge returning SERVER FAILURE (SERVFAIL) status to DNS clients even though the Edge itself received a successful DNS response from the DNS server
The logs on the Edge gateway will show messages similar to the following:
Cause:
The BIND package used for the DNS forwarding functionality in NSX-V 6.4.8 and 6.4.9 has DNSSEC validation enabled by default. If the upstream DNS server does not support DNSSEC, the Edge's validation fails and it returns SERVFAIL to the client, so DNS resolution fails for the client even though the upstream answer was successful.
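As an added illustration that is not part of the KB article, the following Python script parses the RCODE and AD (authenticated data) flag out of raw DNS responses so the symptom from the packet capture can be confirmed without a protocol analyzer: the forwarder answers SERVFAIL while the upstream resolver answers NOERROR for the same question. The two sample responses are constructed by hand; the `query()` helper, the server addresses and the `example.com` name are assumptions for an optional live check, not values from the article.

```python
"""Confirm the 'SERVFAIL from forwarder, NOERROR from upstream' symptom.

Added example, not VMware or BIND code. The byte strings below are
hand-constructed DNS messages; query() is an optional live helper that
assumes plain UDP/53 reachability to the servers you pass it.
"""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
TXID = 0x1234  # fixed transaction id, fine for a one-shot diagnostic


def build_query(name: str, want_dnssec: bool = False) -> bytes:
    """Minimal A/IN query; want_dnssec appends an OPT RR with the DO bit set."""
    header = struct.pack(">HHHHHH", TXID, 0x0100, 1, 0, 0, 1 if want_dnssec else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if not want_dnssec:
        return header + question
    # OPT pseudo-RR: root name, TYPE=41, UDP size 4096, ext-rcode 0,
    # EDNS version 0, flags with DO (0x8000), RDLEN 0
    opt = b"\x00" + struct.pack(">HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def _skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer, 2 bytes total
            return off + 2
        off += 1 + length


def parse_response(resp: bytes) -> dict:
    """Extract rcode, AD flag and any A-record answers from a DNS response."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    off = 12
    for _ in range(qd):                      # skip the echoed question(s)
        off = _skip_name(resp, off) + 4
    addrs = []
    for _ in range(an):                      # walk the answer section
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:        # A record
            addrs.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return {
        "txid": txid,
        "rcode": RCODES.get(flags & 0x000F, f"RCODE{flags & 0x000F}"),
        "authentic_data": bool(flags & 0x0020),  # AD bit: only a validating resolver sets it
        "answers": addrs,
    }


def classify(forwarder_rcode: str, upstream_rcode: str) -> str:
    """Locate the failure: the forwarder itself, the upstream, or neither."""
    if forwarder_rcode == "SERVFAIL" and upstream_rcode == "NOERROR":
        return "forwarder-servfail"  # upstream is fine; suspect validation on the forwarder
    if upstream_rcode == "SERVFAIL":
        return "upstream-servfail"
    if forwarder_rcode == upstream_rcode:
        return "consistent"
    return "mismatch"


def query(server: str, name: str, timeout: float = 2.0) -> dict:
    """Optional live check (assumption: UDP/53 reachable). Not used by the tests."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    result = parse_response(data)
    if result["txid"] != TXID:
        raise ValueError("transaction id mismatch")
    return result


# Constructed sample messages for example.com A/IN (not captured traffic).
QUESTION = b"\x07example\x03com\x00" + b"\x00\x01\x00\x01"
UPSTREAM_OK = (struct.pack(">HHHHHH", TXID, 0x8180, 1, 1, 0, 0) + QUESTION
               + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
EDGE_SERVFAIL = struct.pack(">HHHHHH", TXID, 0x8182, 1, 0, 0, 0) + QUESTION


def diagnose_samples() -> str:
    fwd = parse_response(EDGE_SERVFAIL)
    up = parse_response(UPSTREAM_OK)
    return classify(fwd["rcode"], up["rcode"])


if __name__ == "__main__":
    print("forwarder:", parse_response(EDGE_SERVFAIL))
    print("upstream: ", parse_response(UPSTREAM_OK))
    print("verdict:  ", diagnose_samples())
```

Run against a real deployment by calling `query(edge_ip, name)` and `query(upstream_ip, name)` and passing the two rcodes to `classify()`; a verdict of `forwarder-servfail` together with `authentic_data` being False on the upstream answer is the pattern this article describes.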
Resolution
This issue has been resolved in NSX-V 6.4.11.
Workaround: To work around the issue, disable DNSSEC validation on the NSX Edge:
1. Connect to the NSX Manager as admin and enter enable mode by typing: en
2. Enter engineering mode by typing: st en
3. Enter the NSX Manager root password: IAmOnThePhoneWithTechSupport
4. Get the password for the Edge by typing: /home/secureall/secureall/sem/WEB-INF/classes/GetSpockEdgePassword.sh
5. Access the Edge VM console, log in as the admin user and enter enable mode by typing: en
6. Enable engineering mode by typing: debug engineeringmode enable
7. Enter the root shell on the Edge by typing st en and supplying the password obtained in step 4
8. Modify the file /var/db/vmware/vshield/dns.conf and add the following lines under the options section: