CoreDNS Fails to Resolve Domain via Cloudflare Zero Trust Tunnel (Works Locally)

What is the name of the domain?

N/A

What is the error number?

N/A

What is the error message?

N/A

What is the issue you’re encountering?

I am unable to resolve a specific domain (landisk-9562cd) when using Cloudflare Zero Trust.

What steps have you taken to resolve the issue?


We have the following setup and issue:
・A PC in the internal network is running cloudflared in a Docker container (e.g., 192.168.24.227)
・Private Network:
  ・192.168.21.0/24
  ・192.168.24.0/24
・On the same PC, CoreDNS is also running in a Docker container
・The Corefile is as follows:

.:53 {
    errors
    log
    debug
    loop
    reload 5s

    hosts /opt/coredns/hosts {
        fallthrough
    }

    forward . 8.8.8.8
}
・The hosts file contains the following:
192.168.24.249 landisk-9562cd

・We want to resolve a specific domain (e.g., landisk-9562cd) using CoreDNS. Thus, we registered the following in the Local Domain Fallback:
  ・Domain: landisk-9562cd
  ・DNS Server: 192.168.24.227

Behavior

1. Without Zero Trust, the domain resolves correctly:

❯ dig landisk-9562cd @192.168.24.227

; <<>> DiG 9.10.6 <<>> landisk-9562cd @192.168.24.227
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29655
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;landisk-9562cd.                        IN      A

;; ANSWER SECTION:
landisk-9562cd.         3600    IN      A       192.168.24.249

;; Query time: 39 msec
;; SERVER: 192.168.24.227#53(192.168.24.227)
;; WHEN: Wed Nov 27 16:36:45 JST 2024
;; MSG SIZE  rcvd: 73

2. Through Zero Trust, the domain fails to resolve:

❯ dig landisk-9562cd

; <<>> DiG 9.10.6 <<>> landisk-9562cd
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20394
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; OPT=15: 00 16 55 70 73 74 72 65 61 6d 20 72 65 71 75 65 73 74 20 74 69 6d 65 64 20 6f 75 74 ("..Upstream request timed out")
;; QUESTION SECTION:
;landisk-9562cd.                        IN      A

;; Query time: 4001 msec
;; SERVER: 127.0.2.2#53(127.0.2.2)
;; WHEN: Wed Nov 27 16:37:18 JST 2024
;; MSG SIZE  rcvd: 75

We would appreciate any insights into why the domain fails to resolve when using Zero Trust and how to resolve this issue. Thank you!

In both behaviors, the CoreDNS logs show a status of NOERROR.

1. Without Zero Trust, the domain resolves correctly:

[INFO] 192.168.24.227:37123 - 43514 "A IN landisk-9562cd. udp 55 false 4096" NOERROR qr,aa,rd 62 0.000146551s

2. Through Zero Trust, the domain fails to resolve:

[INFO] 172.19.0.1:58635 - 23592 "A IN landisk-9562cd. udp 43 false 1232" NOERROR qr,aa,rd 62 0.000250787s
[INFO] 172.19.0.1:58551 - 24686 "A IN landisk-9562cd. udp 43 false 1232" NOERROR qr,aa,rd 62 0.000217842s
[INFO] 172.19.0.1:54260 - 13148 "A IN landisk-9562cd. udp 43 false 1232" NOERROR qr,aa,rd 62 0.000227141s
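When comparing the two paths it helps to pull the CoreDNS log lines apart field by field rather than reading them by eye: the client address (192.168.24.227 from the host versus 172.19.0.1, the Docker bridge side, through cloudflared), the EDNS buffer size each client advertised (4096 versus 1232), the rcode, and the response flags. The script below is an added example, not code from the original post or from the CoreDNS or Cloudflare projects. It assumes the default output format of CoreDNS's `log` plugin with IPv4 clients, embeds the four log lines above as a constructed sample, and applies two constructed heuristics: a query that the server answered NOERROR but that the same client re-asked several times in a row points to the answer not getting back to the requester (the 4001 msec timeout in the dig output above is the client-side view of exactly that), and `rd` set without `ra` in the response flags is the condition behind dig's "recursion requested but not available" warning.

```python
import re
from collections import Counter

# Constructed sample: the lines from the post, in the CoreDNS log plugin's
# default format ({remote}:{port} - {id} "{type} {class} {name} {proto}
# {size} {do} {bufsize}" {rcode} {rflags} {rsize} {duration}).
SAMPLE_LOG = """\
[INFO] 192.168.24.227:37123 - 43514 "A IN landisk-9562cd. udp 55 false 4096" NOERROR qr,aa,rd 62 0.000146551s
[INFO] 172.19.0.1:58635 - 23592 "A IN landisk-9562cd. udp 43 false 1232" NOERROR qr,aa,rd 62 0.000250787s
[INFO] 172.19.0.1:58551 - 24686 "A IN landisk-9562cd. udp 43 false 1232" NOERROR qr,aa,rd 62 0.000217842s
[INFO] 172.19.0.1:54260 - 13148 "A IN landisk-9562cd. udp 43 false 1232" NOERROR qr,aa,rd 62 0.000227141s
"""

# Assumption: default log format, IPv4 clients only (IPv6 remotes are not handled here).
LOG_RE = re.compile(
    r'^\[(?P<level>\w+)\]\s+'
    r'(?P<client>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+-\s+(?P<id>\d+)\s+'
    r'"(?P<qtype>\S+) (?P<qclass>\S+) (?P<qname>\S+) (?P<proto>\S+) '
    r'(?P<qsize>\d+) (?P<do>true|false) (?P<bufsize>\d+)"\s+'
    r'(?P<rcode>\S+)\s+(?P<rflags>\S+)\s+(?P<rsize>\d+)\s+(?P<duration>\S+)$'
)


def parse_line(line):
    """Parse one CoreDNS log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("port", "id", "qsize", "bufsize", "rsize"):
        rec[key] = int(rec[key])
    rec["do"] = rec["do"] == "true"               # DNSSEC OK bit advertised by the client
    rec["rflags"] = set(rec["rflags"].split(","))  # e.g. {"qr", "aa", "rd"}
    rec["duration_s"] = float(rec["duration"].rstrip("s"))
    return rec


def parse_log(text):
    """Parse every matching line; non-matching lines (other plugins, debug noise) are skipped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize_by_client(records):
    """Group records by client address: query count, rcodes, EDNS buffer sizes, names asked."""
    out = {}
    for r in records:
        s = out.setdefault(r["client"], {
            "queries": 0, "rcodes": Counter(), "bufsizes": set(), "names": Counter(),
        })
        s["queries"] += 1
        s["rcodes"][r["rcode"]] += 1
        s["bufsizes"].add(r["bufsize"])
        s["names"][(r["qname"], r["qtype"])] += 1
    return out


def findings(records, retry_threshold=3):
    """Constructed heuristics for the two symptoms visible in the post."""
    notes = []
    for client, s in summarize_by_client(records).items():
        for (qname, qtype), n in s["names"].items():
            # Answered successfully every time, yet asked again and again: the
            # responses are most likely not making it back to the requester.
            if n >= retry_threshold and s["rcodes"].get("NOERROR", 0) == s["queries"]:
                notes.append(
                    f"{client} re-asked {qtype} {qname} {n}x, each answered NOERROR: "
                    f"answers are probably not reaching the requester; check the return path"
                )
    seen = set()
    for r in records:
        # Client asked for recursion (rd) but the answer does not offer it (ra):
        # this is what dig reports as "recursion requested but not available".
        if "rd" in r["rflags"] and "ra" not in r["rflags"] and r["client"] not in seen:
            seen.add(r["client"])
            notes.append(f"{r['client']}: rd set but ra missing in response flags")
    return notes


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for client, s in summarize_by_client(recs).items():
        print(client, s["queries"], dict(s["rcodes"]), sorted(s["bufsizes"]))
    for note in findings(recs):
        print("-", note)
```

Run it over a real log with `parse_log(open("/path/to/coredns.log").read())`; the per-client summary makes the difference between the host path and the Docker-bridge path stand out, and the retry finding is the server-side counterpart of the `Upstream request timed out` extended error that dig printed.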

Try following this article here: Local Domain Fallback | Cloudflare Zero Trust docs
You may have to exclude your local domain fallback or include it, depending on your Zero Trust setup.