DNS Issues from DC LAN PC

1. Check if the DNS Unbound service is running:

systemctl status unbound

Expected Scenario: The service is active (running) and its status output shows no failures.

2. Ensure the LAN interface IP is correctly listed in the configuration file:

/etc/unbound/zwan/server/interfaces.conf

Expected Scenario: The IP should be 172.7.0.3.

3. Verify the ACL in the DNS server configuration page includes the LAN PC subnet:

Expected Scenario: The subnet 172.7.0.0/24 should be listed.

4. Check the DNS server details from the LAN PC:

resolvectl status

Expected Scenario: It should display 172.7.0.1 and 172.7.0.3.

5. Perform a DNS lookup from the LAN PC:

dig @172.7.0.3 amazon.com

Expected Scenario: The command should return a successful response with IPs for amazon.com.

If the request times out with "no servers could be reached", proceed to Step 6.

6. Perform a DNS lookup from the Edge Controller:

dig @172.7.0.3 amazon.com

Expected Scenario: The command should return a successful response with IPs for amazon.com.

7. If Step 5 fails but Step 6 works:

This indicates the DNS server itself is configured and answering, but requests from the LAN PC are either not honored (ACL or firewall) or not reaching the DNS server at all.

8. Verify DNS request visibility:

Run the following command on the CPE while repeating Step 5 from the LAN PC:

tcpdump -i <LAN interface> port 53

Expected Scenario: Queries from the LAN PC's IP address arrive on the LAN interface and replies from 172.7.0.3 go back out. Note that tcpdump captures inbound packets before netfilter filters them, so queries that arrive but get no reply point at the CPE firewall (Step 9), while queries that never appear at all point at the LAN PC or the path between it and the CPE.

9. Verify firewall rules:

iptables -t filter -L SYS_DNS -n -v

Expected Scenario: All required LAN subnets should be listed. If 172.7.0.0/24 is missing, firewall rules might be misconfigured.

Further Debugging: If firewall misconfiguration is suspected, check the script responsible for adding subnets to the SYS_DNS chain, and confirm that the SYS_DNS chain is actually referenced from the INPUT chain (the "references" count in the chain header should not be 0).
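The following script is an added example and is not part of the original article or the product's own tooling. It packages the checks from Steps 2, 4, 5/6 and 9 as shell functions that parse captured command output, so the decision rules above can be exercised offline against constructed sample output, and it adds a "live" mode that runs the real commands on the CPE. The sample outputs, the helper names and the assumption that interfaces.conf uses Unbound's standard `interface: <ip>` directive are all assumptions made here; the addresses are the ones from the article, and the answer IPs in the dig sample are documentation-range placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: shell helpers that apply the
# checks of Steps 2, 4, 5/6 and 9 to captured command output, plus a "live"
# mode that runs the real commands on the CPE. All command outputs below are
# constructed samples so the helpers can be exercised offline.

# Step 2: is the LAN IP bound in the Unbound interface file?
# Assumes the file uses Unbound's standard "interface: <ip>" directive.
unbound_binds_ip() {            # $1 = file contents, $2 = expected IP
    printf '%s\n' "$1" | awk -v ip="$2" '
        $1 == "interface:" && $2 == ip { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Step 4: does `resolvectl status` mention every expected DNS server?
resolvectl_lists_servers() {    # $1 = resolvectl output, then one IP per argument
    local out=$1 ip
    shift
    for ip in "$@"; do
        printf '%s\n' "$out" | grep -qFw -- "$ip" || return 1
    done
    return 0
}

# Steps 5/6: did `dig @server name` get answers?  A reachable server returns
# "status: NOERROR" with a non-zero ANSWER count; an unreachable one prints
# ";; connection timed out; no servers could be reached".
dig_got_answers() {             # $1 = dig output
    printf '%s\n' "$1" | awk '
        /no servers could be reached/ { exit 1 }
        /status: NOERROR/ { ok = 1 }
        /^;; flags:/ { for (i = 1; i <= NF; i++) if ($i == "ANSWER:") answers = $(i + 1) + 0 }
        END { if (ok && answers > 0) exit 0; exit 1 }'
}

# Step 9: is the subnet an ACCEPT source in SYS_DNS?  With -n -v the columns are
# pkts bytes target prot opt in out source destination, so source is field 8.
sys_dns_allows_subnet() {       # $1 = iptables output, $2 = subnet
    printf '%s\n' "$1" | awk -v net="$2" '
        NR > 2 && $3 == "ACCEPT" && $8 == net { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Live mode: run the real commands on the CPE (root needed for iptables).
# tcpdump from Step 8 is left to run by hand while a lookup from the LAN PC is in flight.
run_live_checks() {
    systemctl is-active --quiet unbound || echo "step 1: unbound is not active"
    unbound_binds_ip "$(cat /etc/unbound/zwan/server/interfaces.conf)" 172.7.0.3 \
        || echo "step 2: 172.7.0.3 not bound in interfaces.conf"
    dig_got_answers "$(dig @172.7.0.3 amazon.com)" \
        || echo "step 6: lookup via 172.7.0.3 failed from the controller"
    sys_dns_allows_subnet "$(iptables -t filter -L SYS_DNS -n -v)" 172.7.0.0/24 \
        || echo "step 9: 172.7.0.0/24 missing from SYS_DNS"
}

# Constructed sample outputs (addresses from the article; answer IPs are documentation ranges).
INTERFACES_CONF_SAMPLE='server:
    interface: 172.7.0.3'

RESOLVECTL_SAMPLE='Link 2 (eth0)
    Current Scopes: DNS
Current DNS Server: 172.7.0.1
       DNS Servers: 172.7.0.1 172.7.0.3'

DIG_OK_SAMPLE='; <<>> DiG 9.18.1 <<>> @172.7.0.3 amazon.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
amazon.com.   60  IN  A  192.0.2.10
amazon.com.   60  IN  A  192.0.2.11'

DIG_TIMEOUT_SAMPLE='; <<>> DiG 9.18.1 <<>> @172.7.0.3 amazon.com
;; connection timed out; no servers could be reached'

IPTABLES_OK_SAMPLE='Chain SYS_DNS (1 references)
 pkts bytes target     prot opt in     out     source               destination
  120  9600 ACCEPT     udp  --  *      *       172.7.0.0/24         0.0.0.0/0            udp dpt:53
  120  9600 ACCEPT     tcp  --  *      *       172.7.0.0/24         0.0.0.0/0            tcp dpt:53'

IPTABLES_MISSING_SAMPLE='Chain SYS_DNS (1 references)
 pkts bytes target     prot opt in     out     source               destination
   40  3200 ACCEPT     udp  --  *      *       10.0.0.0/24          0.0.0.0/0            udp dpt:53'

# Only touch the real system when explicitly asked: ./dns_checks.sh live
if [ "${1-}" = live ]; then run_live_checks; fi
```

Run it with the argument `live` on the CPE to execute the real commands; without arguments it only defines the helpers, which is how the parsing rules can be tried against saved output from a failing site before touching the box. The dig parser treats a timed-out lookup as a failure even if a stale NOERROR header were present, and the SYS_DNS check insists on an ACCEPT target rather than any mention of the subnet, so a DROP rule for 172.7.0.0/24 is still reported as missing.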
