trouble with unreliable DNS on cpanel
I help administer a Linode running Cpanel. All of the dns for our domains is hosted using the Linode dns manager. We are running Centos 7.9 and cpanel 98.0.6.
We're having a lot of trouble with cpanel resolving DNS names. When cpanel runs its DNS check script, we often get errors that one of the DNS servers isn't responding.
We have the Linode Network Helper enabled, so the system is using the Linode dns as it's default resolvers. Usually, only one of the resolvers is unresponsive, but occasionally, I lose DNS resolution altogether. A server reboot generally fixes this, but we need to figure out what's going on.
The system runs multiple sites, and over 200 mailman lists.
The Linode is hosted in the New Jersey data center.
Does anyone have any ideas? This is extremely inconsistent, which is frustrating to troubleshoot.
Although I don't know anything about cPanel, I suspect your problem is that the cPanel scripts are a bit too brittle. Here's why:
DNS normally uses UDP port 53. UDP stands for unreliable datagram protocol. Unreliable means just that…you send off the request and hope that the recipient gets it and hope that you get a reply back. My suspicion is that whoever at cPanel that wrote the scripts in question didn't understand this and the script is giving up too quickly.
This would certainly explain the intermittent-ness of your problem. Also, periodically, DNS will use TCP port 53 if it needs to (big packets, etc). You need to make sure that BOTH UDP/TCP port 53 are open in your firewall. If UDP/53 is open and TCP/53 is closed, that could cause intermittent failures.
but occasionally, I lose DNS resolution altogether
Really? If your Linode is having issues (as opposed to cPanel having issues), that's a support-ticket level problem. DNS should work just like getting water from the tap. However, if it turns out that it's just cPanel having issues, you're on your own.
Most (if not all) Linuxen (as well as all BSDs) use unbound as their DNS name resolver. It replaced BIND (Berkeley Internet Name Daemon) some time ago. I believe Linode configures this up you automagically when you spin up a new Linode from a Linode-supplied distro. The cPanel installation may have mucked with unbound's configuration (not good). If you contact support about this, they can help you with resolving any issues. This is tricky stuff…best to call in a professional…
IMHO, the plan of attack on this would be:
- Look at your firewall (easy).
- Look at the cPanel scripts (maybe you can make them use TCP/53 for whatever it is they do).
- Contact Linode support.
I hope this helps. I understand how frustrating stuff like this can be…
I did open up a ticket with Linode, but I was told this was out of the scope of support. I'm in a situation where cpanel and Linode are saying it's the other one's problem.