OAG is not able to resolve the backend application domain, despite all the DNS lookups being successful. Even nslookup from the appliance shell was able to resolve the host when pointed at the DNS servers configured on the appliance.
The following error has been noticed in the NGINX status:
2023-08-29T19:19:49.000-07:00 localhost ACCESS_GATEWAY WEB_CONSOLE Command:[/opt/oag/bin/checkNginxConf.sh] Exit: 1 Out:HOST_NOTFOUND|
nginx: [emerg] host not found in upstream "okta.testurl.com" in /etc/nginx/conf.d/icsgw_app_<id>.active.conf:121
nginx: configuration file /opt/oag/nginx/conf/nginx.conf test failed
Through nslookup against the local resolver (127.0.0.1):
Server: 127.0.0.1
Address: 127.0.0.1#53
** server can't find okta.testurl.com: NXDOMAIN
When used with a configured DNS server, nslookup was able to resolve successfully:
Server: 10.0.0.44
Address: 10.0.0.44#53
Non-authoritative answer:
Name: okta.testurl.com
Address: 10.0.0.55
- Okta Access Gateway (OAG)
Unbound was picking up old DNS entries from /opt/oag/configs/unbound/config/unbound.conf that did not have the details needed for backend resolution. The file had the old entry in the fourth position, while the DNS list in the management console only showed three. This was unexpected behavior that could not be reproduced, so the root cause was unknown at the time this article was written.
- Make sure all the configured DNS entries that show up in the management console can resolve the backend host. If any DNS server is unable to resolve it, the customer will either need to remove that entry or engage their network team to update the DNS entries.
- Check /opt/oag/configs/unbound/config/unbound.conf on the appliance for more than three forward-addr directives.
- Remove the unwanted "forward-addr" entries if they do not match the ones showing up in the management console.
- Reload unbound and nginx:
sudo systemctl reload okta-unbound
sudo systemctl reload okta-nginx
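The check described above, as an added example that is not part of the original article: it lists the forward-addr directives in an unbound.conf, reports the ones that are not in the DNS list shown in the management console, and wraps the per-server nslookup test. The sample config, its path and the IP addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not OAG's own tooling): compare the forward-addr entries in
# an unbound.conf with the DNS servers the management console shows.

# Print every forward-addr value in the given unbound.conf, one per line.
list_forward_addrs() {
    sed -n 's/^[[:space:]]*forward-addr:[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1"
}

# Count the forward-addr directives (the article expects three).
count_forward_addrs() {
    list_forward_addrs "$1" | wc -l | tr -d ' '
}

# Print forward-addr entries present in the file but absent from the
# console list ($2: space-separated DNS servers shown in the console).
extra_forward_addrs() {
    list_forward_addrs "$1" | while read -r addr; do
        found=0
        for e in $2; do [ "$addr" = "$e" ] && found=1; done
        if [ "$found" -eq 0 ]; then echo "$addr"; fi
    done
}

# Return 0 when DNS server $2 resolves backend host $1 (same nslookup
# check as in the article; not run here because it needs the network).
check_resolution() {
    nslookup "$1" "$2" >/dev/null 2>&1
}

# Constructed sample: the console lists three servers, the file has four.
TMPCONF=$(mktemp)
trap 'rm -f "$TMPCONF"' EXIT
cat > "$TMPCONF" <<'EOF'
server:
    interface: 127.0.0.1
forward-zone:
    name: "."
    forward-addr: 10.0.0.44
    forward-addr: 10.0.0.45
    forward-addr: 10.0.0.46
    forward-addr: 192.0.2.10   # stale entry not shown in the console
EOF
CONSOLE_DNS="10.0.0.44 10.0.0.45 10.0.0.46"

echo "forward-addr directives found: $(count_forward_addrs "$TMPCONF")"
echo "entries not in the management console:"
extra_forward_addrs "$TMPCONF" "$CONSOLE_DNS"
```

On the appliance, point the functions at /opt/oag/configs/unbound/config/unbound.conf and the console's DNS list, and call check_resolution with the backend host and each listed server to find the one that cannot resolve it.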
