<div dir="ltr"><div><div><div><div>Thank you, Brian<br><br></div>I'm not too worried about PowerDNS and Cloudflare not being in sync, as the only records we care about in Cloudflare are short-lived _acme-challenge TXT records, and we have a process running that makes sure those stay synced :)<br><br></div>Also thank you to David, for pointing me to the guide.<br><br></div>Moving the recursor from the PowerDNS server to the dedicated recursor service, with a forward rule for the internal domain, solved the problem.<br></div>I'm still not sure why the recursor functionality within the PowerDNS server acted the way it did, but it is of little concern since the functionality is being removed :)<br><div><div><div><br></div></div></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><table>
<tbody><tr>
<td colspan="2">
<div>
<span><strong>Rune Tor Sørensen</strong></span>
</div>
<div>
<span>Site Reliability Engineer</span>
</div>
</td>
</tr>
<tr>
<td colspan="2">
<div>
<a href="tel:+4531722097" value="+4531722097" target="_blank">+45 3172 2097</a>
</div>
<div>
<a href="https://www.linkedin.com/in/runets" target="_blank">LinkedIn</a>
<a href="https://twitter.com/Areian" target="_blank">Twitter</a>
</div>
</td>
</tr>
<tr>
<td>
<div><strong>Copenhagen</strong></div>
<div>Falcon.io Aps</div>
<div>H.C. Andersens Blvd. 27</div>
<div>1553 Copenhagen</div>
<div>CVR no.: 33362226</div>
</td>
</tr>
</tbody></table></div></div></div>
<br><div class="gmail_quote">On Sun, Jul 23, 2017 at 8:41 AM, Brian Candler <span dir="ltr"><<a href="mailto:b.candler@pobox.com" target="_blank">b.candler@pobox.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><span class="">
<div class="m_4072664765129802550moz-cite-prefix">On 23/07/2017 08:23, Rune Sørensen
wrote:<br>
</div>
<blockquote type="cite">It
might be a strange setup, but we are trying to have a PowerDNS
server that acts as the authoritative name server for <a href="http://flcn.io" target="_blank">flcn.io</a>
for clients on our network, while Cloudflare DNS acts as the
authoritative DNS for everyone else.</blockquote>
</span><p>The recommended way to do this with powerdns is:<br>
</p>
<p>1. Run an instance (or two) of pdns-recursor on your local
network. Point your clients at it.</p>
<p>2. Run a separate instance (or two) of pdns-server, authoritative
for <a href="http://flcn.io" target="_blank">flcn.io</a></p>
<p>3. On your pdns-recursor, configure:</p>
<p># /etc/powerdns/recursor.conf<br>
forward-zones-file=/etc/powerdns/forward-zones</p>
<p># /etc/powerdns/forward-zones<br>
<a href="http://flcn.io" target="_blank">flcn.io</a>=x.x.x.x # or x.x.x.x, x.x.x.y</p>
<p>Your instance of pdns-server can be on the same physical box as
pdns-recursor but listening on a different port, e.g. 5300. In
that case:</p>
<p># /etc/powerdns/forward-zones<br>
<a href="http://flcn.io" target="_blank">flcn.io</a>=<a href="http://127.0.0.1:5300" target="_blank">127.0.0.1:5300</a></p>
This approach is useful if you want to have reverse DNS for private
addresses:<br>
<br>
10.in-addr.arpa=<a href="http://127.0.0.1:5300" target="_blank">127.0.0.1:5300</a><br>
168.192.in-addr.arpa=<a href="http://127.0.0.1:5300" target="_blank">127.0.0.1:5300</a><br>
<br>
However in general, I find split DNS like this to be more trouble
than it's worth. Eventually you'll have hard-to-diagnose problems
where everything looks OK for your internal users but your external
users have a problem (or vice versa), due to the zones not being in
sync. To avoid this I would put all private addresses into a
separate sub-domain, e.g. "<a href="http://int.flcn.io" target="_blank">int.flcn.io</a>", which is not delegated on
the Internet.<br>
<br>
It's also worth knowing something about pdns-recursor: it is
optimised for very high query rates in an ISP environment. To
achieve this it has a separate "packet cache", so that if it sees
the exact same query packet, it answers the same way as before.<br>
<br>
What this means is that if client A and client B send slightly
different packets (e.g. with different DNS options, such as from
different versions of "dig"), A and B are answered from two
different cache entries. In the time where a record has changed,
and one cache entry has expired but the other has not, this can mean
A and B see different replies. If this bothers you, you can turn
off the packet cache.<br>
<a class="m_4072664765129802550moz-txt-link-freetext" href="https://doc.powerdns.com/md/recursor/settings/#disable-packetcache" target="_blank">https://doc.powerdns.com/md/recursor/settings/#disable-packetcache</a><br>
<br>
Cheers,<br>
<br>
Brian.<br>
</div>
</blockquote></div><br></div>
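<p>As an added illustration of Brian's forward-zones setup (this is example code, not from the thread or from the PowerDNS project): a small parser for the <code>zone=server[:port], server...</code> file format he shows, plus a check that every RFC 1918 reverse zone is forwarded to the local pdns-server rather than resolved on the public Internet. It goes slightly beyond the thread by also enumerating the sixteen <code>172.16/12</code> reverse zones. The sample file contents are constructed; the default port of 53 and the address <code>10.0.0.2</code> are assumptions.</p>

```python
"""Parse and sanity-check a pdns-recursor forward-zones file (added example).

Assumes the line format from the thread: ``zone=server[:port][, server...]``
with ``#`` comments.  SAMPLE below is constructed, not a real config.
"""
import ipaddress

SAMPLE = """\
# /etc/powerdns/forward-zones (constructed sample)
flcn.io=127.0.0.1:5300, 10.0.0.2   # internal authoritative pdns-server
10.in-addr.arpa=127.0.0.1:5300
168.192.in-addr.arpa=127.0.0.1:5300
"""

def parse_forward_zones(text, default_port=53):
    """Return {zone: [(ip, port), ...]}; raise ValueError on malformed input."""
    zones = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments / blank lines
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected zone=server")
        zone, servers = line.split("=", 1)
        zone = zone.strip().rstrip(".").lower()
        if zone in zones:
            raise ValueError(f"line {lineno}: duplicate zone {zone}")
        targets = []
        for item in servers.split(","):
            host, _, port = item.strip().partition(":")
            ip = ipaddress.ip_address(host)       # rejects placeholders like x.x.x.x
            targets.append((str(ip), int(port) if port else default_port))
        zones[zone] = targets
    return zones

def private_reverse_zones():
    """in-addr.arpa zones covering RFC 1918 space; 172.16/12 needs 16 /16 zones."""
    out = []
    for net in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"):
        n = ipaddress.ip_network(net)
        octets = 8 if n.prefixlen == 8 else 16    # round up to whole-octet zones
        for sub in n.subnets(new_prefix=octets):
            labels = str(sub.network_address).split(".")[: octets // 8]
            out.append(".".join(reversed(labels)) + ".in-addr.arpa")
    return out

def missing_reverse_zones(zones):
    """Private reverse zones with no forward rule: those PTR lookups leave the LAN."""
    return [z for z in private_reverse_zones() if z not in zones]
```

Running <code>missing_reverse_zones(parse_forward_zones(SAMPLE))</code> on the sample reports the sixteen <code>172.16-31</code> zones that Brian's two-line example does not cover.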