OneFS distributed file system 8.2: If using short name/Literal instead of fully qualified domain name (FQDN), SmartConnect refuses queries
Summary: SmartConnect refuses any queries unless the fully qualified domain name (FQDN) is used.
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Symptoms
When short names are configured in a network pool's zone name or zone alias without a corresponding fully qualified domain name (FQDN) that matches and SmartConnect is queried for an FQDN, the response is REFUSED.
Example:
ID SC Zone Allocation Method
---------------------------------------------------
groupnet0.subnet0.pool0 smb static
---------------------------------------------------
Total: 1
warlock-1# nslookup smb 192.1XX.1.X9
Server: 192.1XX.1.X9
Address: 192.1XX.1.X9#53
** server can't find smb.isilon.com: REFUSED
It is common practice for clients to append a search suffix (domain name) when performing a DNS lookup. For example, a user may try to connect to an Isilon device using the hostname "smb", yet the client machine appends the search suffix to the end of the name automatically, such as "isilon.com". A capture showing the lookup from client to DNS to Isilon shows the query using an FQDN. If the network pool does not contain an FQDN that matches, then SmartConnect refuses this query.
What is corresponding FQDN with a short name? This would mean that you may have a zone name that is configured as "smb" and no other aliases. A corresponding FQDN would mean that you also have "smb.isilon.com" listed in the pool's configuration as a Zone Alias.
Example:
OneFS Upgrade Pre-Check:
This may show up in the upgrade health check from a cluster running a OneFS version before 8.2. Oftentimes there is confusion as the SC Zone is already an FQDN. Ensuring there is a corresponding FQDN zone name in the same pool meets the requirements for resolution and the upgrade can continue.
The following are some scenarios that you might see:
Scenario 1) Network pool is configured with short name only and there is no corresponding FQDN that matches the short name.
- A query for "smb" matches the zone name "smb" and have a successful response.
- A query for "smb.isilon.com" does not match "smb" and is REFUSED.
Scenario 2) Network pool is configured with FQDN only and there is no corresponding short name that matches the FQDN.
- A query for "smb" partially matches the zone name "smb.isilon.com" and have a successful response.
- A query for "smb.isilon.com" matches the zone name "smb.isilon.com" and have a successful response.
Scenario 3) Network pool is configured with both FQDN and short name.
- A query for "smb" matches the zone name "smb" and have a successful response.
- A query for "smb.isilon.com" matches the zone name "smb.isilon.com" and have a successful response.
Example:
ID SC Zone Allocation Method
---------------------------------------------------
groupnet0.subnet0.pool0 smb static
---------------------------------------------------
Total: 1
warlock-1# nslookup smb 192.1XX.1.X9
Server: 192.1XX.1.X9
Address: 192.1XX.1.X9#53
** server can't find smb.isilon.com: REFUSED
It is common practice for clients to append a search suffix (domain name) when performing a DNS lookup. For example, a user may try to connect to an Isilon device using the hostname "smb", yet the client machine appends the search suffix to the end of the name automatically, such as "isilon.com". A capture showing the lookup from client to DNS to Isilon shows the query using an FQDN. If the network pool does not contain an FQDN that matches, then SmartConnect refuses this query.
What is corresponding FQDN with a short name? This would mean that you may have a zone name that is configured as "smb" and no other aliases. A corresponding FQDN would mean that you also have "smb.isilon.com" listed in the pool's configuration as a Zone Alias.
Example:
isi-1# isi network pools list -v
ID: groupnet0.subnet0.pool0
Groupnet: groupnet0
Subnet: subnet0
Name: pool0
Rules: rule0
Access Zone: System
Allocation Method: static
Aggregation Mode: lacp
SC Suspended Nodes: -
Description: Initial ext-1 pool
Ifaces: 1:ext-1, 2:ext-1, 3:ext-1
IP Ranges: 192.168.1.20-192.168.1.25
Rebalance Policy: auto
SC Auto Unsuspend Delay: 0
SC Connect Policy: round_robin
SC Zone: smb
SC DNS Zone Aliases: smb.isilon.com <<<<<<<<<<<<< Corresponding FQDN to "smb"
SC Failover Policy: round_robin
SC Subnet:
SC TTL: 0
Static Routes: -
NOTE: This issue does not apply to clients or users trying to connect to Isilon with a short name due to search suffix and varying client configurations.OneFS Upgrade Pre-Check:
This may show up in the upgrade health check from a cluster running a OneFS version before 8.2. Oftentimes there is confusion as the SC Zone is already an FQDN. Ensuring there is a corresponding FQDN zone name in the same pool meets the requirements for resolution and the upgrade can continue.
The following are some scenarios that you might see:
Scenario 1) Network pool is configured with short name only and there is no corresponding FQDN that matches the short name.
- A query for "smb" matches the zone name "smb" and have a successful response.
- A query for "smb.isilon.com" does not match "smb" and is REFUSED.
Scenario 2) Network pool is configured with FQDN only and there is no corresponding short name that matches the FQDN.
- A query for "smb" partially matches the zone name "smb.isilon.com" and have a successful response.
- A query for "smb.isilon.com" matches the zone name "smb.isilon.com" and have a successful response.
Scenario 3) Network pool is configured with both FQDN and short name.
- A query for "smb" matches the zone name "smb" and have a successful response.
- A query for "smb.isilon.com" matches the zone name "smb.isilon.com" and have a successful response.
Cause
When a network pool is configured for a short name, SmartConnect compares the query name (sent from DNS) to the zone name literal. However, clients joined to a domain appends the domain to the end of the short name, this query is sent to the DNS for lookup. When the DNS server queries SmartConnect for the FQDN, the comparison fails because the FQDN and the short name do not match as we make no assumptions about the search suffix on the cluster.
Note: The search suffix for a Groupnet does not apply for SmartConnect query responses.
Note: The search suffix for a Groupnet does not apply for SmartConnect query responses.
Resolution
Option 1)
Change the zone name to the FQDN for all zone/zone alias names in all pools.
Example:
Option 2)
Create an alias of the short name which includes the FQDN:
If groupnet0 dns search domains include isilon.com and test.foobar.com, we should have:
SUPERNA EYEGLASS:
In cases of Superna Eyeglass and igls-ignore, a workaround is to change the aliases to FQDNs for the update and revert them to igls-ignore afterwards.
EDGE CASE:
As an extreme edge case, the following can be done on the client until the network pool configuration can be permanently changed to FQDN. This only works in specific cases and may not work around all cases. The specific case includes a client that is directly connected to the SSIP as a DNS server. This allows direct contact from the client to the cluster where an application can perform the A record lookup. This is not a typical solution and must only be considered under this type of situation. Another solution does not be found, instead the pool must be changed to use FQDN when possible.
Not Working:
Change the zone name to the FQDN for all zone/zone alias names in all pools.
Example:
ID SC Zone Allocation Method
---------------------------------------------------
groupnet0.subnet0.pool0 smb.isilon.com static
---------------------------------------------------
---------------------------------------------------
groupnet0.subnet0.pool0 smb.isilon.com static
---------------------------------------------------
Option 2)
Create an alias of the short name which includes the FQDN:
If groupnet0 dns search domains include isilon.com and test.foobar.com, we should have:
# isi network pools modify groupnet0.subnet0.pool0 --add-sc-dns-zone-aliases smb.isilon.com --add-sc-dns-zone-aliases smb.test.foobar.com
This change for the SC Zone names and the SC Zone Aliases to the FQDN must be done to both the SC Zone name and the Alias even though the above example only shows an SC Zone FQDN example. SUPERNA EYEGLASS:
In cases of Superna Eyeglass and igls-ignore, a workaround is to change the aliases to FQDNs for the update and revert them to igls-ignore afterwards.
EDGE CASE:
As an extreme edge case, the following can be done on the client until the network pool configuration can be permanently changed to FQDN. This only works in specific cases and may not work around all cases. The specific case includes a client that is directly connected to the SSIP as a DNS server. This allows direct contact from the client to the cluster where an application can perform the A record lookup. This is not a typical solution and must only be considered under this type of situation. Another solution does not be found, instead the pool must be changed to use FQDN when possible.
- Change client's DNS server to use the SSIP.
- Add a period (".") to the end of the short name to use it as a root domain. This avoids appending any search domains to the short name in which the SmartConnect service responds.
Not Working:
C:\Users\Administrator>nslookup pipeline 192.1XX.1.2XX Server: UnKnown Address: 192.1XX.1.2XX *** UnKnown can't find pipeline: Query refused Working:
C:\Users\Administrator>nslookup pipeline. 192.1XX.1.2XX Server: UnKnown Address: 192.1XX.1.2XX Name: pipeline Address: 192.1XX.1.2XX This is not a permanent solution and the network pools should be updated to use FQDN as soon as available.
Additional Information
In the documentation for "8.2 Web Administration Guide", it explicitly states that you must use FQDN as the zone name under section "SmartConnect Module" > "SmartConnect zones and aliases".
https://support.emc.com/docu93698_OneFS-8.2.0-Web-Administration-Guide.pdf?language=en_US
"You can configure a SmartConnect DNS zone name for each IP address pool. The zone name must be a fully qualified domain name. SmartConnect requires that you add a new name server (NS) record that references the SmartConnect service IP address in the existing authoritative DNS zone that contains the cluster. Also, provide a zone delegation to the fully qualified domain name (FQDN) of the SmartConnect zone in your DNS infrastructure."
What does this mean: Use an FQDN when connecting using zone name to the cluster in ALL versions of OneFS. Short names may work, however, this is not recommended and the client must use the FQDN to investigate issues.
https://support.emc.com/docu93698_OneFS-8.2.0-Web-Administration-Guide.pdf?language=en_US
"You can configure a SmartConnect DNS zone name for each IP address pool. The zone name must be a fully qualified domain name. SmartConnect requires that you add a new name server (NS) record that references the SmartConnect service IP address in the existing authoritative DNS zone that contains the cluster. Also, provide a zone delegation to the fully qualified domain name (FQDN) of the SmartConnect zone in your DNS infrastructure."
What does this mean: Use an FQDN when connecting using zone name to the cluster in ALL versions of OneFS. Short names may work, however, this is not recommended and the client must use the FQDN to investigate issues.
Products
Isilon SmartConnectArticle Properties
Article Number: 000173410
Article Type: Solution
Last Modified: 07 Jun 2021
Version: 4
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.