[Pdns-users] Recursor to Respond Authoritatively for all Queries
Asanka Gunasekara
2018-10-17 07:43:33 UTC
Hi All,

Appreciate if you can provide me with some insights on how to get this to work.

I am currently using PDNS 4.1.X branch servers and have configured the auth server + recursor according to this setup under the 1st scenario:

https://doc.powerdns.com/authoritative/guides/recursion.html


The issue I currently have is that when I test the records via intodns.com or some other DNS check servers they report back saying lame servers.

Under recursor.conf, I have the following two lines basically forwarding all queries to the authoritative server.
forward-zones=.=127.0.0.1:5300
forward-zones-recurse=.=127.0.0.1:5300

Is there a way to configure the recursor to answer authoritatively for all queries? Say for example via Lua script with setAA() function perhaps?

Kind Regards,
Asanka Gunasekara

P: 1300 825 587
E: ***@talkup.com.au [http://talkup.com.au/] | W: www.talkup.com.au [http://www.talkup.com.au/]
Postal Address: PO Box 24, Varsity Lakes QLD 4227

Brian Candler
2018-10-17 08:02:47 UTC
Post by Asanka Gunasekara
The issue I currently have is that when I test the records via
intodns.com or some other DNS check servers they report back saying
lame servers.
Under recursor.conf, I have the following two lines basically
forwarding all queries to the authoritative server.
forward-zones=.=127.0.0.1:5300
forward-zones-recurse=.=127.0.0.1:5300
Is there a way to configure the recursor to answer authoritatively for
all queries? Say for example via Lua script with setAA() function perhaps?
No - I'm afraid you can't do it this way.  Your authoritative server
must be bound to port 53 if it's accepting queries from the outside world.

Your options are:

1. Run your recursor and authoritative server bound to two different IP
addresses (or in separate VMs or containers with their own IPs)

or

2. Don't list your authoritative server in the NS records, and instead
use it as a "hidden primary".  That is, you have two or more additional
nameservers on public IPs, which are listed in NS records, and they get
their zone content from the hidden primary (either by a zone transfer
from x.x.x.x:5300, or by database replication)

Final note: please don't use forward-zones to forward all queries to an
authoritative server, since it's not authoritative for the whole
Internet.  You should rarely need forward-zones at all: as long as the
NS records for your domain point to your authoritative servers, the
recursor will find them by itself.  Forward-zones are normally used for
private domains which can't be delegated (e.g. localhost,
168.192.in-addr.arpa)

HTH,

Brian.
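An added example configuration (not from the thread, and not PowerDNS's own sample files) of Brian's first option together with his final note: recursor and authoritative server bound to different addresses, both on port 53, and the recursor forwarding only the private, undelegated zones. The addresses 203.0.113.10 (public), 10.0.0.53 (internal), 127.0.0.1 (local forwarding target) and the zone name internal.example are assumptions; the setting names are the PowerDNS 4.1 ones.

```ini
# Added example, not from the thread. All IPs and zone names are assumed.

# --- /etc/powerdns/pdns.conf (authoritative) ---------------------------------
# Bind the public address on the standard port so external resolvers and
# delegation checkers reach the auth server directly; the NS records and glue
# point here, never at a recursor and never at port 5300.
# 127.0.0.1 is bound as well so the local recursor can forward to it.
local-address=203.0.113.10,127.0.0.1
local-port=53
launch=bind
bind-config=/etc/powerdns/named.conf
# Refuse zone transfers unless secondaries are listed explicitly.
disable-axfr=yes
# Note: with a single auth instance the private zone is also answerable on the
# public address; keeping it internal-only needs a separate internal instance
# (Brian's later reply in this thread).

# --- /etc/powerdns/recursor.conf (resolver) ----------------------------------
# Bind only the internal address; a recursor must never be reachable publicly.
local-address=10.0.0.53
local-port=53
# Only the client ranges that are allowed to use this resolver.
allow-from=10.0.0.0/8,192.168.0.0/16

# WRONG (the posted setup): every name on the Internet is sent to an auth
# server that is not authoritative for it, so answers lack AA and checkers
# report the nameserver as lame:
#forward-zones=.=127.0.0.1:5300
#forward-zones-recurse=.=127.0.0.1:5300

# RIGHT: forward only the private zones that cannot be delegated. Use
# forward-zones (RD=0) because the target is an authoritative server;
# forward-zones-recurse (RD=1) is for forwarding to another resolver.
forward-zones=internal.example=127.0.0.1:53,168.192.in-addr.arpa=127.0.0.1:53
# Everything else is resolved from the root as usual; the public zones on the
# auth server above are found through their NS records like any other domain.
```

After the change, a delegation checker should see the public NS names resolve to 203.0.113.10 and get AA answers on port 53; the recursor's allow-from and internal-only bind are what keep the "combo server" from becoming an open resolver, not the forward-all rule.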
Asanka Gunasekara
2018-10-17 09:19:08 UTC
Hi Brian,

Thanks for the quick response.

Let me try to explain why I am running this setup to give some information and possibly find a better alternative way.

We have several resolvers/recursors installed for clients/systems use and they're working as intended.

The authoritative server has a private zone. Authoritative server should respond/answer for queries to this private domain if they originated from a select list of IP addresses. And authoritative server should respond/answer for queries for all other domains normally.

The reason for forwarding all requests to the Authoritative server is due to the fact that this combo server should not be a public resolver/recursor.

Hope this gives more information to understand the setup.

Thanks again for your help.

Kind Regards,
Asanka Gunasekara

Brian Candler
2018-10-17 11:27:10 UTC
Post by Asanka Gunasekara
The authoritative server has a private zone. Authoritative server
should respond/answer for queries to this private domain if they
originated from a select list of IP addresses. And authoritative
server should respond/answer for queries for all other domains normally.
When you say "all other domains", do you mean your authoritative server
is hosting authoritative information for some public domains as well? 
Or only the private domain.
Post by Asanka Gunasekara
The reason for forwarding all requests to the Authoritative server is
due to the fact that this combo server should not be a public
resolver/recursor.
Authoritative servers are not resolvers.  So if you are hosting public
domains, the server needs to be on a public IP address and answer on
port 53.

If you are *only* hosting private domains, then the combination you have
shown (resolver on port 53, authoritative on port 5300) will work.  The
resolver should *only* forward the private domains to the authoritative
server.  Indeed, this server can sit on a private IP address if you like.

Since the authoritative server is not available from the outside world,
and is not on the standard port 5300, an external DNS tester service
will not work.

Sending *authoritative* queries to a *recursor* is wrong.

Regards,

Brian.
Asanka Gunasekara
2018-10-17 14:58:05 UTC
Hi Brian,

Thanks for taking the time to explain this to me. 

Yes, this server hosts other public domains and I agree what I have done is wrong. 

Now, my question is, is there a way for me to serve two different addresses for records depending on the interface the request came from? This way I might be able to reply with private IPs for internal requests and a different IP for external requests.

Brian Candler
2018-10-17 15:49:28 UTC
Post by Asanka Gunasekara
Now, my question is, is there a way for me to serve two different
addresses for records depending on the interface the request came
from? This way I might be able to reply with private IPs for internal
requests and a different IP for external requests.
You could have two different auth servers: one with the internal view,
one with the external.  On your recursor you would forward the domain to
the internal auth server.

I'm afraid I don't know if there's a better way than that with
PowerDNS.  I strongly avoid split DNS because of all the problems it causes.
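An added example (not from the thread, and not PowerDNS's own sample files) of the two-auth-server layout Brian describes: one authoritative instance with the external view on the public address, a second instance with the internal view on localhost port 5300, and the recursor forwarding only that zone to the internal instance. Assumed: example.com is the public zone that needs an internal view, 203.0.113.10 is the public address, 10.0.0.53 the internal one; the second instance is started with `pdns_server --config-name=internal`, which makes it read pdns-internal.conf (the systemd template unit pdns@internal does the same where it is packaged).

```ini
# Added example, not from the thread. All IPs and zone names are assumed.

# --- /etc/powerdns/pdns.conf: external view, started as 'pdns_server' --------
local-address=203.0.113.10
local-port=53
launch=bind
# named-external.conf loads example.com with the public addresses.
bind-config=/etc/powerdns/named-external.conf
disable-axfr=yes
socket-dir=/var/run/pdns

# --- /etc/powerdns/pdns-internal.conf: internal view -------------------------
# Started as 'pdns_server --config-name=internal'; it needs its own socket-dir
# so the two instances do not collide on the control socket.
local-address=127.0.0.1
local-port=5300
launch=bind
# named-internal.conf loads the same zone name with the private addresses;
# keep the two zone files identical except for the records that differ.
bind-config=/etc/powerdns/named-internal.conf
disable-axfr=yes
socket-dir=/var/run/pdns-internal

# --- /etc/powerdns/recursor.conf: internal clients only ----------------------
local-address=10.0.0.53
local-port=53
allow-from=10.0.0.0/8
# Internal clients get the internal view: the recursor never asks the root for
# example.com. External resolvers follow the public NS records to 203.0.113.10
# and can never reach 127.0.0.1:5300, so the private addresses do not leak.
forward-zones=example.com=127.0.0.1:5300
```

Two checks worth doing once this is in place: query the recursor from an address outside allow-from and confirm it is refused, so the internal view cannot be read from outside; and, if example.com is DNSSEC-signed and the recursor validates, make sure the internal instance serves signed data for its view as well, otherwise the forwarded answers fail validation.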