<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>This all finally makes sense. Thank you very much Brian, big
time.<br>
</p>
<br>
<div class="moz-cite-prefix">On 13.11.2017 11:01, Brian Candler
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:7dfbb6cf-d81b-41b6-6211-98e8adcd6c75@pobox.com">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<div class="moz-cite-prefix">On 13/11/2017 09:50, Mislav |
SysAdmin wrote:<br>
</div>
<blockquote type="cite"
cite="mid:36504c83-2544-79ad-1b63-11fb73496993@gmail.com">
<meta http-equiv="Content-Type" content="text/html;
charset=utf-8">
Yes, "ns1.private.ch" is a made-up name, that's correct. I'm
running Debian 9 with pdns-recursor-server installed via apt,
version 4.1.0-rc2.<br>
<br>
Before I do all the tests you mentioned, let me explain my
setup; I think there is something wrong there. I configured
"allow-recursion" inside pdns.conf (so pdns_server), and I didn't
define anything inside recursor.conf. I took this configuration
from the old environment where we were running version 3.1 (also
the same problem there, but since I can't receive support on 3.1, we
decided to migrate to 4.1). I read somewhere that this should be
possible to define in pdns.conf since a certain version (option
allow-recursion), and if I don't define my IP there, I'm not able
to recurse at all. But I also see now in the docs that this is removed in
4.1.0? <br>
<br>
</blockquote>
<br>
There are two types of DNS server: recursive/caching servers
(which clients talk to), and authoritative servers (which contain
the actual zone information, and which the recursive/caching
servers talk to).<br>
<br>
Clients are statically configured with the IP address(es) of local
recursive/caching servers.<br>
<br>
NS records point to the hostnames of authoritative servers (which
in turn resolve to the IP addresses of the authoritative servers).<br>
<br>
If you want to run both types of server, then you should be
running them on different IP addresses. Don't make your
authoritative server be recursive - that is bad practice, and
causes various problems as you've found, which is why it has been
removed entirely from the pdns authoritative server.<br>
<br>
For resilience, you will want two local recursive servers. If you
are serving your own zone information then you will also need at
least two authoritative servers, but one should be local and one
should be remote on a completely different Internet backbone (see
RFC2182)<br>
<br>
<blockquote type="cite"
cite="mid:36504c83-2544-79ad-1b63-11fb73496993@gmail.com"> Shall
I try to configure this somehow in recursor.conf? My pdns_server
is currently listening on the public IP on port 53 and the recursor is
listening on 127.0.0.1 on port 53. Please note that both are on the
same IP / same server. I also noticed that if I do something like this:<br>
<blockquote type="cite"># netstat -tlpn | grep 53<br>
tcp 0 0 127.0.0.1:53
0.0.0.0:* LISTEN 1036/pdns_recursor<br>
<br>
# nslookup <a class="moz-txt-link-abbreviated"
href="http://www.mobile-universe.ch" moz-do-not-send="true">www.mobile-universe.ch</a>
127.0.0.1<br>
Server: 127.0.0.1<br>
Address: 127.0.0.1#53<br>
<br>
Non-authoritative answer:<br>
<a class="moz-txt-link-abbreviated"
href="http://www.mobile-universe.ch" moz-do-not-send="true">www.mobile-universe.ch</a>
canonical name =
elb-front-92-10-617833872.eu-central-1.elb.amazonaws.com.<br>
Name:
elb-front-92-10-617833872.eu-central-1.elb.amazonaws.com<br>
Address: 52.58.17.141<br>
Name:
elb-front-92-10-617833872.eu-central-1.elb.amazonaws.com</blockquote>
<br>
directly on the server, it works.</blockquote>
<br>
Yes, it works because you are sending the client query to the
recursive server (pdns_recursor), which is its job.<br>
<br>
<blockquote type="cite"
cite="mid:36504c83-2544-79ad-1b63-11fb73496993@gmail.com"> But
when I do it from outside, it doesn't work. </blockquote>
<br>
Because you are sending a recursive query to an authoritative
server, which is not its job (albeit older versions of the
authoritative server *did* have a recursor option you could turn
on).<br>
<br>
<blockquote type="cite"
cite="mid:36504c83-2544-79ad-1b63-11fb73496993@gmail.com">So,
from my understanding, it works internally, because I do recurse
from 127.0.0.1 and that goes through pdns_recursor, but if I do
it from outside, recursing goes through pdns_server and that is
the problem.<br>
<br>
</blockquote>
Yes.<br>
<br>
Bind them to two different external IP addresses; point your
clients at the recursor; and point your NS records at the
authoritative server.<br>
<br>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<p style="font-size: 12px;">
Srdacan pozdrav | Best regards<br>
Mislav Orsolic | sysadmin<br>
<a href="https://www.mislav.eu" target="_blank">https://www.mislav.eu</a>
/ <a href="https://www.linkedin.com/in/mislavorsolic"
target="_blank">https://www.linkedin.com/in/mislavorsolic</a>
</p>
<span style="color:#c0c0c0">___________________________________________<br>
</span>
<p style="font-family: Arial, Helvetica, Verdana; font-size: 12px;
margin-top: 2px; color:#444;">
<strong>T </strong> +385 91 444 0275<br>
<strong>Skype:</strong> mislav.orsolic<br>
</p>
</div>
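<p>As an added illustration of Brian's advice (this is not configuration from the thread, nor the PowerDNS project's own example), the fragments below show the setup described above beside the split-address form he recommends. The addresses 192.0.2.10 and 192.0.2.11 are documentation placeholders, and the <code>local-address</code>, <code>local-port</code> and <code>allow-from</code> settings are assumed to be the PowerDNS 4.x option names.</p>

```ini
# Added example, not from the thread. Addresses are documentation
# placeholders: 192.0.2.10 = recursor, 192.0.2.11 = authoritative.
# Option names are assumed from PowerDNS 4.x.

# ---- Before: the setup described in the thread -------------------
# /etc/powerdns/pdns.conf   (pdns_server, authoritative)
local-address=192.0.2.11        # the only public address on the box
local-port=53
# allow-recursion / recursor no longer exist in 4.1, so this daemon
# answers only for zones it hosts; recursive queries from outside
# land here and are not answered, exactly as seen in the thread.

# /etc/powerdns/recursor.conf  (pdns_recursor)
local-address=127.0.0.1         # reachable from the box itself only
local-port=53

# ---- After: one address per role ---------------------------------
# /etc/powerdns/pdns.conf   (authoritative; NS records point here)
local-address=192.0.2.11
local-port=53

# /etc/powerdns/recursor.conf  (recursor; clients' resolv.conf points here)
local-address=192.0.2.10
local-port=53
# Limit recursion to your own networks so the recursor is not an open
# resolver for the whole Internet (prefixes below are placeholders).
allow-from=127.0.0.0/8, 192.0.2.0/24, 10.0.0.0/8
```

<p>The second address must of course exist on the host before the recursor can bind to it. After restarting both daemons, <code>netstat -tlpn | grep 53</code> (as used in the thread) should show pdns_recursor on 192.0.2.10:53 and pdns_server on 192.0.2.11:53.</p>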
</body>
</html>