pdns Version: 0.0.2081g7b9b55d (Master branch and version 4.1)
pdns-recursor Version: 0.0.1960g7b9b55d (Master branch and version 4.1)
dnsdist Version: 1.2.0
There are 3 servers with a Galera backend; on two of them there are pdns + pdns-recursor + dnsdist.
Configs from one of them:
/etc/pdns-recursor/recursor.conf
setuid=pdns-recursor
setgid=pdns-recursor
local-address=127.0.0.1
local-port=5301
hint-file=/etc/pdns-recursor/root.zone
allow-from=127.0.0.0/8
/etc/pdns/pdns.conf
setuid=pdns
setgid=pdns
launch=gmysql
gmysql-host=127.0.0.1
gmysql-user=powerdns_user
gmysql-dbname=powerdns
gmysql-password=
allow-axfr-ips=127.0.0.0/8, 192.0.2.5/32
cache-ttl=60
control-console=no
default-soa-name=ns2.example.ru
default-soa-mail=support@example.ru
default-ttl=3600
disable-axfr=no
local-port=5300
local-address=127.0.0.1
do-ipv6-additional-processing=yes
log-dns-queries=yes
logging-facility=0
loglevel=4
master=yes
max-queue-length=5000
max-tcp-connections=20
/etc/dnsdist/dnsdist.conf
setLocal('127.0.0.1')
addLocal('192.0.1.5')
setACL({'0.0.0.0/0', '::/0'}) -- Allow all IPs access
newServer({address='127.0.0.1:5300', pool='auth'})
newServer({address='127.0.0.1:5301', pool='recursor'})
recursive_ips = newNMG()
recursive_ips:addMask('127.0.0.0/8')
recursive_ips:addMask('192.0.1.0/24')
recursive_ips:addMask('192.0.2.0/24')
addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))
addAction(AllRule(), PoolAction('auth'))
There are domains on the Authoritative server, e.g. google123.com.
When I try to resolve this address from the IPs allowed in recursive_ips, including @127.0.0.1, I get this:
# dig ANY google123.com @192.0.1.5
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.1 <<>> ANY google123.com @192.0.1.5
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 54293
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google123.com. IN ANY
;; AUTHORITY SECTION:
com. 2118 IN SOA a.dns.ripn.net. hostmaster.ripn.net. 4032536 86400 14400 2592000 3600
;; Query time: 64 msec
;; SERVER: 192.0.1.5#53(192.0.1.5)
;; WHEN: Sat Jan 27 01:11:38 MSK 2018
;; MSG SIZE rcvd: 102
If I try to resolve this domain from another network, I get this:
# dig ANY google123.com @192.0.1.5
;; Truncated, retrying in TCP mode.
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.1 <<>> ANY google123.com @192.0.1.5
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34025
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;google123.com. IN ANY
;; ANSWER SECTION:
google123.com. 86400 IN A 192.0.1.7
google123.com. 86400 IN NS ns1.example.ru.
google123.com. 86400 IN NS ns2.example.ru.
google123.com. 86400 IN SOA ns1.example.ru. hostmaster.example.ru. 2018012603 28800 7200 604800 86400
;; ADDITIONAL SECTION:
ns1.example.ru. 86400 IN A 192.0.1.5
ns2.example.ru. 86400 IN A 192.0.2.5
;; Query time: 3 msec
;; SERVER: 192.0.1.5#53(192.0.1.5)
;; WHEN: Fri Jan 26 23:16:29 CET 2018
;; MSG SIZE rcvd: 181
It seems that the recursor got the answer and it's OK.
How can I set up dnsdist to get answers about records of domains on the Authoritative server from IPs in recursive_ips?
I tried different ways, but none of them work.
Best Answer
Dnsdist will use the first matching action. With your config it will, depending on the source address, prefer the "recursor" pool, or otherwise use the "auth" pool. I.e., one or the other will be used to answer the current query, not some combination of the two.
Based on the results, it sounds like there is no delegation in place for the domains you have on pdns-auth, so when queries go to pdns-rec it has no way of resolving your local domains.
There are multiple ways of addressing this, depending on what the end goal actually is.
Options for making pdns-rec work with your domains
Generally sensible option: get delegations in place for your zones on pdns-auth (you'll need this for the rest of the world to be able to resolve your domains, anyway).
Alternative for local testing: configure pdns-rec with e.g. forward-zones to specifically tell it where to find your domains (e.g. forward-zones=example.org=192.0.2.1, example.net=192.0.2.1). This will obviously only work locally and may require configuring negative trust anchors (addNTA in Lua configuration) if DNSSEC validation is enabled.
Option for making dnsdist always send queries for your zones directly to pdns-auth
Create a SuffixMatchNode with all your zone names and combine it with your rules. I suppose you could do something like addAction(AndRule({ NetmaskGroupRule(recursive_ips), NotRule(SuffixMatchNodeRule(my_zones)) }), PoolAction('recursor')) (or even just list the suffixes inline).
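Added example (not the original poster's file and not part of the answer above): the dnsdist.conf the answer's second option implies, built on the addresses, pools and recursive_ips group from the question. A SuffixMatchNode named my_zones holds the zones served by pdns-auth, so that a query for one of those names never reaches pdns-rec, which has no delegation for them and would answer NXDOMAIN as in the first dig output. The name my_zones and the assumption that google123.com is the only local zone are mine; add one my_zones:add line per zone in the gmysql backend.

```lua
-- /etc/dnsdist/dnsdist.conf (added example, assumed layout)
-- Listeners, pools and the recursive_ips group are taken from the question.
setLocal('127.0.0.1')
addLocal('192.0.1.5')
setACL({'0.0.0.0/0', '::/0'})  -- anyone may send queries; the rules below decide which pool answers

newServer({address='127.0.0.1:5300', pool='auth'})      -- pdns (authoritative, gmysql)
newServer({address='127.0.0.1:5301', pool='recursor'})  -- pdns-recursor

-- Clients that are allowed to use recursion.
recursive_ips = newNMG()
recursive_ips:addMask('127.0.0.0/8')
recursive_ips:addMask('192.0.1.0/24')
recursive_ips:addMask('192.0.2.0/24')

-- Zones hosted on pdns-auth (assumed: only the zone from the question).
-- A SuffixMatchNode matches the zone apex and every name below it.
my_zones = newSuffixMatchNode()
my_zones:add(newDNSName('google123.com.'))

-- dnsdist stops at the first matching action, so the order below is the logic:
-- 1. Allowed clients asking for anything that is NOT one of our own zones
--    go to the recursor.
addAction(AndRule({
  NetmaskGroupRule(recursive_ips),
  NotRule(SuffixMatchNodeRule(my_zones))
}), PoolAction('recursor'))
-- 2. Everything else (our own zones from any client, and all queries from
--    clients outside recursive_ips) is answered from authoritative data only.
addAction(AllRule(), PoolAction('auth'))
```

The same routing can be written as a SuffixMatchNodeRule(my_zones) → PoolAction('auth') placed before the NetmaskGroupRule, which is easier to read when many zones are involved. Either way the wide-open setACL is harmless here: a client outside recursive_ips can only ever reach the 'auth' pool, so the instance does not become an open resolver.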