[Pdns-users] Recursor / pdns installation help

Leen Besselink leen at consolejunkie.net
Tue Dec 21 09:01:55 UTC 2010


On 12/21/2010 03:03 AM, Patrick Coffin wrote:
> Hi,
>
> This is the first time posting to this board. If I am posting to the
> wrong list, sorry, and please advise where I should post this request
> for assistance.
>
> We are setting up a new installation of pdns and recursor.
>
> We have been running pdns for a couple years without issue. I am
> attempting to implement recursor and pdns to avoid a potential DOS
> attack and pass security compliance, which under the current version I
> am running will not pass.
>
> Currently we have 3 servers running pdns 2.9.22 in a Centos 5.5
> environment. Each with their own mysql slave db. All works great
> except for the DOS issue.
>
> I setup a new testing server with pdns 2.9.21 and recursor 3.3 also a
> Centos 5.5 box and I now pass security compliance, but am not getting
> the expected responses on DNS queries.
>
> I setup recursor to respond on port 53 and pdns to respond on 5300.
>
> recursor.conf entries
> # forward-zones=
> forward-zones=x.x.x.x:5300

Hi,

I'm not quite sure what you are trying to do, but I think forward-zones
needs 1 or more domain names:

http://doc.powerdns.com/built-in-recursor.html#RECURSOR-SETTINGS

If it is just a few (or just the important) domains, that would work. If
it is an ever changing 1000's, then this is not what you are looking for.

If security is your concern, it is normally not recommended to mix your
recursor with your authoritative nameserver on the same IP-address anyway.
So I suggest you don't.

But if you really want to, you can have pdns check the database first
before trying to resolve the request recursively, in that case you swap
them around (pdns on port 53 and pdns-recursor on port 5300) and use
these settings:

recursor=
allow-recursion=

http://doc.powerdns.com/all-settings.html

Hope that helps.

Have a nice day,
 Leen.

> local-port=53
>
> pdns.conf entries
> local-address=x.x.x.x
> local-port=5300
>
> If I query on a domain using dig I get the following error.  "dig
> mytestdomain.com @ns5"
>
> ------------------
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> mytestdomain.com @ns5
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18559
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;mytestdomain.com.                      IN      A
>
> ;; Query time: 6 msec
> ;; SERVER: 209.3.87.44#53(209.3.87.44)
> ;; WHEN: Mon Dec 20 17:55:34 2010
> ;; MSG SIZE  rcvd: 28
> ------------------
>
> logs output - 
> Dec 20 17:43:25 xx pdns_recursor[9187]: [3] mytestdomain.com.: Resolved
> 'mytestdomain.com.' NS ns5.mydomain. to: xx.xx.xx.xx
> Dec 20 17:43:25 xx pdns_recursor[9187]: [3] mytestdomain.com.: Trying IP
> xx.xx.xx.xx:53, asking 'mytestdomain.com.|A'
> Dec 20 17:43:25 xx pdns_recursor[9187]: 0 question answered from
> packet cache from xx.xx.xx.xx
> Dec 20 17:43:25 xx pdns_recursor[9187]: [3] mytestdomain.com.: Got 0
> answers from ns5.mydomain.net. (xx.xx.xx.xx), rcode=0, in 3ms
> Dec 20 17:43:25 xx pdns_recursor[9187]: [3] mytestdomain.com.: determining
> status after receiving this packet
> Dec 20 17:43:25 xx pdns_recursor[9187]: [3] mytestdomain.com.: status=noerror,
> other types may exist, but we are done
> Dec 20 17:43:25 xx pdns_recursor[9187]: [3] mytestdomain.com.: Starting
> additional processing
> Dec 20 17:43:25 xx pdns_recursor[9187]: [3] mytestdomain.com.: Done with
> additional processing
> Dec 20 17:43:25 xx pdns_recursor[9187]: 0 [3] answer to question
> 'mytestdomain.com.|A': 0 answers, 0 additional, took 6 packets, 0
> throttled, 0 timeouts, 0 tcp connections, rcode=0
> Dec 20 17:43:59 xx pdns_recursor[9187]: 1 question answered from
> packet cache from xx.xx.xx.xx
>
> It looks as if it is trying the local dns server on 53, but it is not
> getting a reply.  Also I do not see any queries hitting the database.
>
> If any additional information is needed, LMK
>
> Any help would be appreciated.
>
> Thanks,
>
> Patrick
>
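Added example, not from this thread: the two layouts Leen describes written out as concrete settings for the PowerDNS 2.9.x authoritative server and 3.x recursor versions mentioned above (the recursor= setting in pdns.conf no longer exists in current Authoritative Server releases). 192.0.2.10 is a placeholder for the server's public address and 192.0.2.0/24 a placeholder for the internal network that should be allowed to recurse; mytestdomain.com is the zone from the thread.

```ini
### Option 1: recursor on port 53 forwards the listed zones to the
### authoritative server on port 5300 and resolves everything else itself.

# recursor.conf
local-address=192.0.2.10
local-port=53
# forward-zones takes domain=address[:port] pairs; a bare address is not
# accepted, and every zone that should reach pdns must be listed.
forward-zones=mytestdomain.com=192.0.2.10:5300
# Serve recursive queries only to these networks, not to the Internet.
allow-from=127.0.0.0/8,192.0.2.0/24

# pdns.conf
local-address=192.0.2.10
local-port=5300

### Option 2: authoritative server on port 53 answers from its database
### first and hands other names to a recursor that listens only on
### localhost, so the recursor is never reachable on the public address.

# pdns.conf
local-address=192.0.2.10
local-port=53
recursor=127.0.0.1:5300
# Clients outside these networks only get answers from the database;
# no recursion is done for them, which keeps the box from being an
# open resolver usable for amplification.
allow-recursion=127.0.0.1,192.0.2.0/24

# recursor.conf
local-address=127.0.0.1
local-port=5300
allow-from=127.0.0.0/8
```

With either layout, a query from an address outside the allowed networks for a name the database does not hold should come back without recursive data; that is the check to run from an external host after the change.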