OVN dns server no tcp only udp and its timing out

Hello, I have a MicroCloud cluster, and if you ask the OVN DNS server it answers correctly and then times out.

All LXC containers have 2 NICs: eth0 (bridged, lxdbr1) and eth1 (OVN, default).

OVN network 10.58.143.0/24 (no internet, only internal traffic), set up over the hosts' internal interfaces

bridged network 10.234.234.0/24 (internet, without internal traffic), set up over the hosts' public interfaces

Unfortunately, we cannot be left with only the OVN set up for internet connectivity.

Yes the setup is weird but…

# host test2.lxd
test2.lxd has address 10.58.143.3
;; communications error to 127.0.0.53#53: timed out
;; communications error to 127.0.0.53#53: timed out
;; no servers could be reached
;; communications error to 127.0.0.53#53: timed out
;; communications error to 127.0.0.53#53: timed out
;; no servers could be reached

Via UDP, the answer is as it should be:

root@test1:~# dig @10.55.0.1 test2.lxd A

; <<>> DiG 9.18.39-0ubuntu0.24.04.2-Ubuntu <<>> @10.55.0.1 test2.lxd A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63522
;; flags: qr rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;test2.lxd.			IN	A

;; ANSWER SECTION:
test2.lxd.		3600	IN	A	10.58.143.3

;; Query time: 0 msec
;; SERVER: 10.55.0.1#53(10.55.0.1) (UDP)
;; WHEN: Fri Nov 14 10:34:34 UTC 2025
;; MSG SIZE  rcvd: 52

Via TCP, it times out:

root@test1:~# dig +tcp  @10.55.0.1 test2.lxd A
;; Connection to 10.55.0.1#53(10.55.0.1) for test2.lxd failed: timed out.
;; no servers could be reached
;; Connection to 10.55.0.1#53(10.55.0.1) for test2.lxd failed: timed out.
;; no servers could be reached
;; Connection to 10.55.0.1#53(10.55.0.1) for test2.lxd failed: timed out.
;; no servers could be reached

root@test1:~# nc 10.234.234.1 53 -v 
Connection to 10.234.234.1 53 port [tcp/domain] succeeded!
root@test1:~# nc 10.55.0.1 53 -v -w 10
nc: connect to 10.55.0.1 port 53 (tcp) timed out: Operation now in progress
root@test1:~# resolvectl status
Global
         Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub

Link 150 (eth0)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.234.234.1
       DNS Servers: 10.234.234.1

Link 152 (eth1)
    Current Scopes: DNS
         Protocols: -DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.58.143.1
       DNS Servers: 10.58.143.1
        DNS Domain: ~lxd

Jumbo frames are enabled and everything is fine with them. I’ve even tried reducing it to 1442 and still have the same issues.

lxc network show default
name: default
description: ""
type: ovn
managed: true
status: Created
config:
  bridge.mtu: "8942"
  dns.domain: lxd
  ipv4.address: 10.58.143.1/24
  ipv4.nat: "false"
  ipv6.dhcp: "false"
  ipv6.nat: "false"
  network: UPLINK
  volatile.network.ipv4.address: 10.55.0.100
name: UPLINK
description: ""
type: physical
managed: true
status: Created
config:
  ipv4.gateway: 10.55.0.1/24
  ipv4.ovn.ranges: 10.55.0.100-10.55.0.254
  ipv4.routes: 10.58.143.0/24
  volatile.last_state.created: "false"

DNS in OVN works by intercepting DNS requests and forwarding them to the specified DNS servers in the uplink network.

By default this is the ipv4.gateway setting, but it can be overridden if needed by setting dns.nameservers.

I’ve set dns.nameservers in UPLINK to 10.58.143.1, which is the OVN DNS as far as I understand, and still get the same timeouts. But again, even with the default value it should not be timing out, because that is 10.55.0.1, which is the OVN network itself.

Are you trying to route DNS requests back into the OVN network?

What is 10.58.143.0/24?

I’m not really following what you’re trying to achieve?

The issue is that when I try to resolve, for example, test2.lxd, it resolves it but then continues with timeouts, which in the end takes about 10 seconds for one DNS lookup.

root@test1:~# host test2.lxd
test2.lxd has address 10.58.143.3
;; communications error to 127.0.0.53#53: timed out
;; communications error to 127.0.0.53#53: timed out
;; no servers could be reached
;; communications error to 127.0.0.53#53: timed out
;; communications error to 127.0.0.53#53: timed out
;; no servers could be reached

I just described the entire setup above.

For .lxd it is asking OVN, which times out, and for everything else it is the bridge, which is fine.

Is this a cluster?

Can I see the output of lxc network show UPLINK --target=<cluster member> as your uplink network definition is missing a parent property.

Yes, it’s a cluster.

Here you go:

lxc network show UPLINK --target=lxc01
name: UPLINK
description: ""
type: physical
managed: true
status: Created
config:
  dns.nameservers: 10.58.143.1
  ipv4.gateway: 10.55.0.1/24
  ipv4.ovn.ranges: 10.55.0.100-10.55.0.254
  ipv4.routes: 10.58.143.0/24
  parent: br0
  volatile.last_state.created: "false"
used_by:
- /1.0/networks/default
locations:
- lxc04
- lxc05
- lxc01
- lxc02
- lxc03
project: default

br0 is the internal NIC between the nodes. It does not have network connectivity.

Ah OK so your DNS server specified in dns.nameservers needs to be reachable from br0.

Oh, ok. Any ideas how to do this? Since by default, OVN is not reachable from the host network.

The OVN network architecture can be seen in this diagram:

https://documentation.ubuntu.com/lxd/latest/reference/network_ovn/#ovn-networking-architecture

The DNS requests emerge from the virtual router onto the physical uplink (in your case br0) and are sent to the IPs in dns.servers.

You would need to have a DNS server reachable from the br0 network.

Perhaps instead of connecting your DNS instance to lxdbr0 you could instead use a bridged NIC type on that instance to connect it to br0 directly via the parent setting and give it an IP on the uplink network.

See https://documentation.ubuntu.com/lxd/latest/reference/devices_nic/#device-nic-bridged-device-conf:parent
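An added diagnostic, not from the thread or from LXD itself, that checks the point above in shell: it parses the text of `lxc network show UPLINK --target=...`, and flags any dns.nameservers entry that lies outside the subnet of ipv4.gateway, i.e. the uplink subnet that br0 sits on, which is exactly the case where the virtual router's forwarded DNS queries can never reach the server. The sample YAML is copied from the UPLINK definition posted earlier in the thread; the function and variable names are mine.

```shell
#!/bin/sh
# Added diagnostic (not part of the thread): flag dns.nameservers entries that
# are not on the uplink subnet. OVN forwards DNS lookups out of the virtual
# router onto the uplink parent (br0 here), so a nameserver outside the
# ipv4.gateway subnet cannot be reached from there.

# Convert a dotted quad to a 32-bit integer.
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR PREFIX/LEN  ->  exit 0 if ADDR is inside the prefix.
in_subnet() {
  case $2 in */*) ;; *) set -- "$1" "$2/32" ;; esac   # bare address => /32
  local net="${2%/*}" bits="${2#*/}" mask
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# check_uplink_dns YAML  (YAML = text of `lxc network show UPLINK --target=...`)
# Prints one verdict per nameserver; returns 1 if any is off the uplink subnet.
# With no dns.nameservers set, the ipv4.gateway address itself is used.
check_uplink_dns() {
  local yaml="$1" gw ns server rc=0
  gw=$(printf '%s\n' "$yaml" | sed -n 's/^ *ipv4\.gateway: *//p')
  ns=$(printf '%s\n' "$yaml" | sed -n 's/^ *dns\.nameservers: *//p' | tr ',' ' ')
  [ -n "$ns" ] || ns="${gw%/*}"
  for server in $ns; do
    if in_subnet "$server" "$gw"; then
      echo "OK       $server is on uplink subnet $gw"
    else
      echo "UNREACH  $server is outside uplink subnet $gw; not reachable from the parent bridge"
      rc=1
    fi
  done
  return $rc
}

# Sample input, copied from the UPLINK definition posted above in the thread.
SAMPLE_UPLINK_YAML='name: UPLINK
type: physical
config:
  dns.nameservers: 10.58.143.1
  ipv4.gateway: 10.55.0.1/24
  ipv4.ovn.ranges: 10.55.0.100-10.55.0.254
  ipv4.routes: 10.58.143.0/24
  parent: br0'

check_uplink_dns "$SAMPLE_UPLINK_YAML" || echo "verdict: put the nameserver on the uplink subnet, or drop dns.nameservers to fall back to the gateway"
```

Run it against the real `lxc network show UPLINK --target=<member>` output on each cluster member to confirm the same verdict everywhere.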

I’m sorry, I got lost.

I have two interfaces for each container: eth0, which is used for the internet, and eth1, which is the OVN network for internal connectivity between the containers. I do not use lxdbr0 anywhere. I use lxdbr1 for internet and br0 for internal connectivity, which is responsible for the .lxd domain.

Now I’m confused :slight_smile:

Maybe we should backup and I can ask what you are trying to achieve?

Why do the instances need to be connected to both a local bridge for internet and an ovn network without internet?

Yeah, it’s a bit messy. :slight_smile:

The microcloud cluster is in OVH, and OVH somehow blocks NAT. This is an official statement from OVH. The only way (as they say) to get internet access from containers is to buy additional IPs and attach them to the container…

However, I found a way to bypass that restriction by creating separate interfaces within the containers. A bridge attached from the host’s public/internet NIC and a second interface (OVH) with the parent internal NIC.

Because of that, I’m “forced” to use separate NICs within containers. One for the internet and one for internal communication.

Yes. I know it sounds ridiculous, but it is what it is.