<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Leen,<div><br></div><div>Thanks for the reply. We are hosting 1000's of dns records so entering them in the forwards is not at option.</div><div><br></div><div>I will take your advise to split the pdns and recursor to separate servers.</div><div><br></div><div>Should I expect that if I move the pdns to a separate server that the looks up will work correctly with the information I have given? I would move pdns back to port 53 and keep it connected to mysql for lookups.</div><div><br></div><div>I would like it to be setup that recursor queries the pdns server and database if we are authoritative for the domain. Otherwise recursor should looks to the authoritative server for the answer.</div><div><br></div><div>Is there another resource that I can reference for this setup? I believe I am just missing one or two pieces to get it working properly.<br><div>
<span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><div class="signature" style="width: 600px; "><font face="Verdana, Arial, Helvetica, sans-serif" style="font-size: 11px; line-height: 16px; "><br>I appreciate the help!</font></div><div class="signature" style="width: 600px; "><font face="Verdana, Arial, Helvetica, sans-serif" style="font-size: 11px; line-height: 16px; "><br>Thanks,<br>Patrick</font></div><div class="signature" style="width: 600px; "><font class="Apple-style-span" face="Verdana, Arial, Helvetica, sans-serif"><span class="Apple-style-span" style="line-height: 16px;"><br></span></font></div></div></div></span></div></span></div></span></div></span></div></span></span>
</div>
<br><div><div>On Dec 21, 2010, at 1:01 AM, <a href="mailto:pdns-users-request@mailman.powerdns.com">pdns-users-request@mailman.powerdns.com</a> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; font-family: Verdana; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; ">Message: 4<br>Date: Tue, 21 Dec 2010 10:01:55 +0100<br>From: Leen Besselink <<a href="mailto:leen@consolejunkie.net">leen@consolejunkie.net</a>><br>Subject: Re: [Pdns-users] Recursor / pdns installation help<br>To:<span class="Apple-converted-space"> </span><a href="mailto:pdns-users@mailman.powerdns.com">pdns-users@mailman.powerdns.com</a><br>Message-ID: <<a href="mailto:4D106D03.2050605@consolejunkie.net">4D106D03.2050605@consolejunkie.net</a>><br>Content-Type: text/plain; charset=ISO-8859-1<br><br>On 12/21/2010 03:03 AM, Patrick Coffin wrote:<br><blockquote type="cite">Hi,<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">This is the first time posting to this board. If I am posting to the<br></blockquote><blockquote type="cite">wrong list, sorry, and please advise where I should post this request<br></blockquote><blockquote type="cite">for assistance.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">We are setting up a new installation of pdns and recursor.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">We have been running pdns for a couple years without issue. I am<br></blockquote><blockquote type="cite">attempting to implement recursor and pdns to avoid a potential DOS<br></blockquote><blockquote type="cite">attack and pass security compliance, which under the current version I<br></blockquote><blockquote type="cite">am running will not pass.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Currently we have 3 servers running pdns 2.9.22 in a Centos 5.5<br></blockquote><blockquote type="cite">environment. Each with their own mysql slave db. Al l works great<br></blockquote><blockquote type="cite">except for the DOS issue.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">I setup a new testing server with pdns 2.9.21 and recursor 3.3 also a<br></blockquote><blockquote type="cite">Centos 5.5 box and I now pass security compliance, but am not getting<br></blockquote><blockquote type="cite">the expected responses on DNS queries.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">I setup recursor to respond on port 53 and pdns to respond on 5300.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">recursor.conf entries<br></blockquote><blockquote type="cite"># forward-zones=<br></blockquote><blockquote type="cite">forward-zones=x.x.x.x:5300<br></blockquote><br>Hi,<br><br>I'm not quiet sure what you are trying to do, but I think forward-zones<br>needs 1 or more domainnames:<br><br><a href="http://doc.powerdns.com/built-in-recursor.html#RECURSOR-SETTINGS">http://doc.powerdns.com/built-in-recursor.html#RECURSOR-SETTINGS</a><br><br>If it is just a few (or just the important) domains, that would work. If<br>it is an ever changing 1000's. Then this is not what you are looking for.<br><br>If security is your concern, it is normally not recommended to mix your<br>recursor with your authoritive nameserver on the same IP-address anyway.<br>So I suggest you don't.<br><br>But if you really want to, you can have pdns check the database first<br>before trying to resolve the request recursively, in that case you swap<br>them around (pdns on port 53 and pdns-recursor on port 5300) and use<br>these setting:<br><br>recursor=<br>allow-recursion=<br><br><a href="http://doc.powerdns.com/all-settings.html">http://doc.powerdns.com/all-settings.html</a><br><br>Hope that helps.<br><br>Have a nice day,<br>Leen.<br><br><blockquote type="cite">local-port=53<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">pdns.conf entries<br></blockquote><blockquote type="cite">local-address=x.x.x.x<br></blockquote><blockquote type="cite">local-port=5300<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">If I query on a domain using dig I get the following error. "dig<br></blockquote><blockquote type="cite"><a href="http://mytestdomain.com/">mytestdomain.com</a><span class="Apple-converted-space"> </span><<a href="http://mytestdomain.com/">http://mytestdomain.com</a>> @ns5<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">------------------<br></blockquote><blockquote type="cite">; <<>> DiG 9.6.0-APPLE-P2 <<>><span class="Apple-converted-space"> </span><a href="http://mytestdomain.com/">mytestdomain.com</a><br></blockquote><blockquote type="cite"><<a href="http://mytestdomain.com/">http://mytestdomain.com</a>> @ns5<br></blockquote><blockquote type="cite">;; global options: +cmd<br></blockquote><blockquote type="cite">;; Got answer:<br></blockquote><blockquote type="cite">;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18559<br></blockquote><blockquote type="cite">;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">;; QUESTION SECTION:<br></blockquote><blockquote type="cite">;<span class="Apple-converted-space"> </span><a href="http://mytestdomain.com/">mytestdomain.com</a><span class="Apple-converted-space"> </span><<a href="http://mytestdomain.com/">http://mytestdomain.com</a>>.INA<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">;; Query time: 6 msec<br></blockquote><blockquote type="cite">;; SERVER: 209.3.87.44#53(209.3.87.44)<br></blockquote><blockquote type="cite">;; WHEN: Mon Dec 20 17:55:34 2010<br></blockquote><blockquote type="cite">;; MSG SIZE rcvd: 28<br></blockquote><blockquote type="cite">------------------<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">logs output -<span class="Apple-converted-space"> </span><br></blockquote><blockquote type="cite">Dec 20 17:43:25 xx pdns_recursor[9187]: [3]<span class="Apple-converted-space"> </span><a href="http://mytestdomain.com/">mytestdomain.com</a><br></blockquote><blockquote type="cite"><<a href="http://mytestdomain.com/">http://mytestdomain.com</a>>.: Resolved 'mytestdomain.com.' NS<br></blockquote><blockquote type="cite">ns5.mydomain. to: xx.xx.xx.xx<br></blockquote><blockquote type="cite">Dec 20 17:43:25 xx pdns_recursor[9187]: [3]<span class="Apple-converted-space"> </span><a href="http://mytestdomain.com/">mytestdomain.com</a><br></blockquote><blockquote type="cite"><<a href="http://mytestdomain.com/">http://mytestdomain.com</a>>.: Trying IP xx.xx.xx.xx:53, asking<br></blockquote><blockquote type="cite">'mytestdomain.com.|A'<br></blockquote><blockquote type="cite">Dec 20 17:43:25 xx pdns_recursor[9187]: 0 question answered from<br></blockquote><blockquote type="cite">packet cache from xx.xx.xx.xx<br></blockquote><blockquote type="cite">Dec 20 17:43:25 xx pdns_recursor[9187]: [3]<span class="Apple-converted-space"> </span><a href="http://mytestdomain.com/">mytestdomain.com</a><br></blockquote><blockquote type="cite"><<a href="http://mytestdomain.com/">http://mytestdomain.com</a>>.: Got 0 answers from<span class="Apple-converted-space"> </span><a href="http://ns5.mydomain.net/">ns5.mydomain.net</a>.<br></blockquote><blockquote type="cite">(xx.xx.xx.xx), rcode=0, in 3ms<br></blockquote><blockquote type="cite">Dec 20 17:43:25 xx pdns_recursor[9187]: [3]<span class="Apple-converted-space"> </span><a href="http://mytestdomain.com/">mytestdomain.com</a><br></blockquote><blockquote type="cite"><<a href="http://mytestdomain.com/">http://mytestdomain.com</a>>.: determining status after receiving this packet<br></blockquote><blockquote type="cite">Dec 20 17:43:25 xx pdns_recursor[9187]: [3]<span class="Apple-converted-space"> </span><a href="http://mytestdomain.com/">mytestdomain.com</a><br></blockquote><blockquote type="cite"><<a href="http://mytestdomain.com/">http://mytestdomain.com</a>>.: status=noerror, other types may exist, but<br></blockquote><blockquote type="cite">we are done<span class="Apple-converted-space"> </span><br></blockquote><blockquote type="cite">Dec 20 17:43:25 xx pdns_recursor[9187]: [3]<span class="Apple-converted-space"> </span><a href="http://mytestdomain.com/">mytestdomain.com</a><br></blockquote><blockquote type="cite"><<a href="http://mytestdomain.com/">http://mytestdomain.com</a>>.: Starting additional processing<br></blockquote><blockquote type="cite">Dec 20 17:43:25 xx pdns_recursor[9187]: [3]<span class="Apple-converted-space"> </span><a href="http://mytestdomain.com/">mytestdomain.com</a><br></blockquote><blockquote type="cite"><<a href="http://mytestdomain.com/">http://mytestdomain.com</a>>.: Done with additional processing<br></blockquote><blockquote type="cite">Dec 20 17:43:25 xx pdns_recursor[9187]: 0 [3] answer to question<br></blockquote><blockquote type="cite">'mytestdomain.com.|A': 0 answers, 0 additional, took 6 packets, 0<br></blockquote><blockquote type="cite">throttled, 0 timeouts, 0 tcp connections, rcode=0<br></blockquote><blockquote type="cite">Dec 20 17:43:59 xx pdns_recursor[9187]: 1 question answered from<br></blockquote><blockquote type="cite">packet cache from xx.xx.xx.xx<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">It looks as if it is trying the local dns server on 53, but it is not<br></blockquote><blockquote type="cite">getting a reply. Also I do not see any queries hitting the database.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">If any additional information is needed, LMK<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Any help would be appreciated.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Thanks,<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Patrick<br></blockquote></span><br class="Apple-interchange-newline"></blockquote></div><br></div></body></html>