<div><div dir="auto">I'm running pdns-server, as you guessed. I only enabled recursion, because nslook complained when I hadn't enabled it.</div><div dir="auto">Would it be better to try to set up a recursor in front of pdns-server, and then disable recursion on the server?</div><br><div class="gmail_quote"><div>On Fri, 21 Jul 2017 at 16:48, Brian Candler <<a href="mailto:b.candler@pobox.com">b.candler@pobox.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 21/07/2017 15:21, Rune Sørensen wrote:<br>
> OK, dig outputs using the actual domain.<br>
The server 10.255.0.3 that you are running dig against: is it running<br>
pdns-server (the authoritative server), or pdns-recursor?<br>
<br>
If it's pdns-server, then I would not expect it to return any results<br>
for a domain other than those it's authoritative for. That's unless you<br>
have set the "recursor" option - have you done so?<br>
<br>
<a href="https://doc.powerdns.com/md/authoritative/recursion/" rel="noreferrer" target="_blank">https://doc.powerdns.com/md/authoritative/recursion/</a><br>
<br>
If it's pdns-recursor, then it should always send queries to the<br>
authoritative nameservers listed in NS records for the domains in<br>
question (i.e. cloudflare in this case), unless you have configured<br>
forward-zones.<br>
<br>
It seems to me that you are running the authoritative server.  The only<br>
oddball I can see is your case 3. Something, somewhere, is doing a<br>
recursive lookup to get the A records for <a href="http://bbc.co.uk" rel="noreferrer" target="_blank">bbc.co.uk</a>.<br>
<br>
I don't think it's cloudflare:<br>
<br>
$ dig @<a href="http://alan.ns.cloudflare.com" rel="noreferrer" target="_blank">alan.ns.cloudflare.com</a>. <a href="http://test3.flcn.io" rel="noreferrer" target="_blank">test3.flcn.io</a>. cname<br>
<br>
; <<>> DiG 9.8.3-P1 <<>> @<a href="http://alan.ns.cloudflare.com" rel="noreferrer" target="_blank">alan.ns.cloudflare.com</a>. <a href="http://test3.flcn.io" rel="noreferrer" target="_blank">test3.flcn.io</a>. cname<br>
; (2 servers found)<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10682<br>
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0<br>
;; WARNING: recursion requested but not available<br>
<br>
;; QUESTION SECTION:<br>
;<a href="http://test3.flcn.io" rel="noreferrer" target="_blank">test3.flcn.io</a>.            IN    CNAME<br>
<br>
;; ANSWER SECTION:<br>
<a href="http://test3.flcn.io" rel="noreferrer" target="_blank">test3.flcn.io</a>.        300    IN    CNAME    <a href="http://bbc.co.uk" rel="noreferrer" target="_blank">bbc.co.uk</a>.<br>
<br>
;; Query time: 29 msec<br>
;; SERVER: 2400:cb00:2049:1::adf5:3b39#53(2400:cb00:2049:1::adf5:3b39)<br>
;; WHEN: Fri Jul 21 15:41:16 2017<br>
;; MSG SIZE  rcvd: 54<br>
<br>
$ dig @<a href="http://alan.ns.cloudflare.com" rel="noreferrer" target="_blank">alan.ns.cloudflare.com</a>. <a href="http://test3.flcn.io" rel="noreferrer" target="_blank">test3.flcn.io</a>. a<br>
<br>
; <<>> DiG 9.8.3-P1 <<>> @<a href="http://alan.ns.cloudflare.com" rel="noreferrer" target="_blank">alan.ns.cloudflare.com</a>. <a href="http://test3.flcn.io" rel="noreferrer" target="_blank">test3.flcn.io</a>. a<br>
; (2 servers found)<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21446<br>
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0<br>
;; WARNING: recursion requested but not available<br>
<br>
;; QUESTION SECTION:<br>
;<a href="http://test3.flcn.io" rel="noreferrer" target="_blank">test3.flcn.io</a>.            IN    A<br>
<br>
;; ANSWER SECTION:<br>
<a href="http://test3.flcn.io" rel="noreferrer" target="_blank">test3.flcn.io</a>.        300    IN    CNAME    <a href="http://bbc.co.uk" rel="noreferrer" target="_blank">bbc.co.uk</a>.<br>
<br>
;; Query time: 26 msec<br>
;; SERVER: 2400:cb00:2049:1::adf5:3b39#53(2400:cb00:2049:1::adf5:3b39)<br>
;; WHEN: Fri Jul 21 15:41:19 2017<br>
;; MSG SIZE  rcvd: 54<br>
<br>
So presumably it is at your side.  If you have recursion enabled in<br>
pdns-server, then I think you should move away from it - it has been<br>
removed in pdns-server 4.1.0 anyway.<br>
<br>
Regards,<br>
<br>
Brian.<br>
</blockquote></div></div><div dir="ltr">-- <br></div><div data-smartmail="gmail_signature"><div dir="ltr"><table>
                      <tbody><tr>
                          <td colspan="2">
                              <div>
                                  <span><strong>Rune Tor Sørensen</strong></span>
                              </div>
                              <div>
                                  <span>Site Reliability Engineer</span>
                              </div>
                          </td>
                      </tr>
                      <tr>
                          <td colspan="2">
                              <div>
                                  <a href="javascript:void(0);" value="+4531722097" target="_blank">+45 3172 2097</a>
                              </div>
                              
                              <div>
                                  <a href="https://www.linkedin.com/in/runets" target="_blank">LinkedIn</a>
                                  <a href="https://twitter.com/Areian" target="_blank">Twitter</a>
                              </div>
                          </td>
                      </tr>
                      
                    
                    
                      <tr>
                          <td>
                              <div><strong>Copenhagen</strong></div>
                              <div>Falcon.io Aps</div>
                              <div>H.C. Andersens Blvd. 27</div>
                              <div>1553 Copenhagen</div>
                              <div>CVR no.: 33362226</div>
                          </td>
                      </tr>
                      <tr>
                          <td colspan="2">
                              <div>
                                  <a href="https://www.falcon.io/?utm_source=Employee%20emails&utm_medium=email&utm_content=Rune%20Tor%20S%C3%B8rensen&utm_campaign=Mail%20signature" target="_blank">
                                      
                                      <img src="http://more.falcon.io/rs/154-TKC-606/images/falconio-black.png" alt="Falcon.io">
                                  </a>
                              </div>
                              <div>Meet Your Customers</div>
                          </td>
                      </tr>
                  </tbody></table></div></div>