<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body style="overflow-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div>Hi all,</div><div><br></div><div>While doing a tcpdump of DNS traffic to determine if also-notify was working I noticed root queries being received by an internal authoritative server that I wasn’t expecting. And according to the DNSdist configuration I don’t think I should be seeing these either. So I think I need some help making sense of it all.</div><div><br></div><div>I run FreeIPA as authoritative for zones of internal (sub.)domains. There are two PowerDNS recursors fronted by two DNSdist machines. The desired logic is as follows:</div><div><br></div><div><ul class="MailOutline"><li>Both DNSdist servers forward all requests to the primary PowerDNS server. For now, ignore that I have two; they’re identical and are used as the primary and secondary DNS servers for everything that needs a DNS server.</li><ul class="MailOutline"><li>DNSdist servers have a mgmt IP and a service IP:</li><ul class="MailOutline"><li>Service IP bound to DNSdist: 10.0.1.13</li><li>Mgmt. 
IP, not bound to DNSdist: 10.0.2.13</li></ul></ul><li>The second PowerDNS-recursor is backup</li><li>The IPA server(s) should only be used for updates (by IPA-clients)</li></ul><div><br></div></div><div><div><font face="Courier New">-- define downstream servers, aka backends</font></div><div><font face="Courier New">newServer({address="10.0.1.11", name="rns00", useProxyProtocol=true})</font></div><div><font face="Courier New">newServer({address="10.0.1.12", name="rns01", pool={"backup"}, useProxyProtocol=true})</font></div><div><font face="Courier New">newServer({address="10.0.0.10", name="ipa0", pool={"auth"}})</font></div><div><font face="Courier New">newServer({address="10.0.0.11", name="ipa1", pool={"auth"}})</font></div><div><font face="Courier New"><br></font></div><div><font face="Courier New">-- Send queries to default pool when servers are available</font></div><div><font face="Courier New">addAction(PoolAvailableRule(""), PoolAction(""))</font></div><div><font face="Courier New">-- Send queries to fallback pool if not</font></div><div><font face="Courier New">addAction(AllRule(), PoolAction("backup"))</font></div><div><font face="Courier New">-- Send UPDATES to IPA</font></div><div><font face="Courier New">addAction(AndRule({OpcodeRule(DNSOpcode.Update)}), PoolAction("auth"))</font></div><div><font face="Courier New"><br></font></div><div><font face="Courier New">-- Refuse incoming AXFR, IXFR, NOTIFY and UPDATE</font></div><div><font face="Courier New">----addAction(OrRule({OpcodeRule(DNSOpcode.Notify), OpcodeRule(DNSOpcode.Update), QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), RCodeAction(DNSRCode.REFUSED))</font></div><div><font face="Courier New">-- Refuse incoming AXFR, IXFR and NOTIFY</font></div><div><font face="Courier New">addAction(OrRule({OpcodeRule(DNSOpcode.Notify), QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), RCodeAction(DNSRCode.REFUSED))</font></div><div><font face="Courier New"><br></font></div><div><font face="Courier 
New">-- Drop incoming requests with X-Proxied-For fields</font></div><div><font face="Courier New">addAction(RecordsTypeCountRule(DNSSection.Additional, 65280, 1, 65535), DropAction())</font></div></div><div><br></div><div>The tcpdump shows repeated queries for a.root-servers.net:</div><div><br></div><div><div><font face="Courier New">IP 10.0.2.13.42939 > 10.0.0.10.domain: 19831+ A? a.root-servers.net. (36)</font></div><div><font face="Courier New">IP 10.0.0.10.domain > 10.0.2.13.42939: 19831 1/0/0 A 198.41.0.4 (52)</font></div></div><div><br></div><div>This is a DNS query from the server running DNSdist, from an IP address that DNSdist doesn’t listen on. I assume DNSdist just uses whatever source address the OS deems suitable for egress traffic, which in my case would indeed be 10.0.2.13.</div><div><br></div><div>So my questions are:</div><div><br></div><div><ul class="MailOutline"><li>Why are A queries sent to the IPA server, when only UPDATE queries should be sent there?</li><li>Why the repeated queries? I see repeated A record lookups for <a href="http://a.root-servers.net">a.root-servers.net</a> from both DNSdist servers and both PowerDNS-recursors. I would expect at least the recursors to cache these requests.</li><li>How do I fix the DNSdist behaviour? Should I move the primary DNS server into a pool? None of the failover examples I’ve seen show the primary DNS servers in a named pool.</li></ul></div><br><div>
<meta charset="UTF-8"><div>— <br>Thanks,<br><b>Djerk Geurts</b><br></div>
</div>
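<div>dnsdist evaluates addAction() rules in the order they were added and stops at the first matching action that returns a decision, which PoolAction does; in the configuration quoted above the AllRule() catch-all is added before the UPDATE rule, so an UPDATE never reaches the "auth" pool. The reordered configuration below is an added example, not part of the original post or the dnsdist project; the backend addresses, pool names and the private record-type value 65280 are copied from the post.</div>

```lua
-- Added example: the same backends and rules as in the post, reordered so
-- that each query hits the most specific rule first.
newServer({address="10.0.1.11", name="rns00", useProxyProtocol=true})
newServer({address="10.0.1.12", name="rns01", pool={"backup"}, useProxyProtocol=true})
newServer({address="10.0.0.10", name="ipa0", pool={"auth"}})
newServer({address="10.0.0.11", name="ipa1", pool={"auth"}})

-- 1. Drop incoming requests that already carry X-Proxied-For records
--    (type 65280 in the additional section, as in the post), before routing.
addAction(RecordsTypeCountRule(DNSSection.Additional, 65280, 1, 65535), DropAction())

-- 2. Refuse AXFR, IXFR and NOTIFY before any pool is chosen.
addAction(OrRule({OpcodeRule(DNSOpcode.Notify),
                  QTypeRule(DNSQType.AXFR),
                  QTypeRule(DNSQType.IXFR)}),
          RCodeAction(DNSRCode.REFUSED))

-- 3. Send UPDATE to the IPA pool. This must precede the catch-all rule,
--    because PoolAction stops rule processing for the query it matches.
addAction(OpcodeRule(DNSOpcode.Update), PoolAction("auth"))

-- 4. Everything else: default pool while it has a usable server, else backup.
addAction(PoolAvailableRule(""), PoolAction(""))
addAction(AllRule(), PoolAction("backup"))
```

<div>The effective order can be checked from the dnsdist console with showRules().</div>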
<br></body></html>