<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Yes, "ns1.private.ch" is a made-up name, that's correct. I'm running
Debian 9 with pdns-recursor-server installed via apt, version
4.1.0-rc2.<br>
<br>
Before I do all the tests you mentioned, let me explain my setup; I
think there is something wrong there. I configured
"allow-recursion" inside pdns.conf (so pdns_server); I didn't define
anything inside recursor.conf. I took this configuration from the old
environment where we were running version 3.1 (the same problem
existed there, but since I can't receive support on 3.1, we decided to
migrate to 4.1). I read somewhere that this should be possible to define
in pdns.conf since a certain version (option allow-recursion), and if I
don't define my IP there, I'm not able to recurse at all. But I also
see now in the docs that this is removed in 4.1.0?<br>
<br>
Shall I try to configure this somehow in recursor.conf? My
pdns_server is currently listening on the public IP on port 53 and the
recursor is listening on 127.0.0.1 on port 53. Please note that both
are on the same IP / same server. I also noticed that if I do this:<br>
<blockquote type="cite"># netstat -tlpn | grep 53<br>
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 1036/pdns_recursor<br>
<br>
# nslookup <a class="moz-txt-link-abbreviated" href="http://www.mobile-universe.ch">www.mobile-universe.ch</a> 127.0.0.1<br>
Server: 127.0.0.1<br>
Address: 127.0.0.1#53<br>
<br>
Non-authoritative answer:<br>
<a class="moz-txt-link-abbreviated" href="http://www.mobile-universe.ch">www.mobile-universe.ch</a> canonical name = elb-front-92-10-617833872.eu-central-1.elb.amazonaws.com.<br>
Name: elb-front-92-10-617833872.eu-central-1.elb.amazonaws.com<br>
Address: 52.58.17.141<br>
Name: elb-front-92-10-617833872.eu-central-1.elb.amazonaws.com</blockquote>
<br>
directly on the server, it works. But when I do it from outside, it
doesn't work. So, from my understanding, it works internally,
because I do recurse from 127.0.0.1 and that goes through
pdns_recursor, but if I do it from outside, recursing goes through
pdns_server and that is the problem.<br>
<br>
<br>
<div class="moz-cite-prefix">On 13.11.2017 10:30, Brian Candler
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:9942e28e-d24b-7c27-cc4f-a0e46640a646@pobox.com">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<div class="moz-cite-prefix">On 13/11/2017 09:05, Mislav |
SysAdmin wrote:<br>
</div>
<blockquote type="cite"
cite="mid:01983bce-d6ed-03f0-b451-8694b72d7dd0@gmail.com">Hi.
I've noticed some problems with CNAME resolving on our pdns
server. Here is the example: <br>
<blockquote type="cite" style="color: #000000;">$ nslookup
mobile-universe.ch ns1.private.ch <br>
Server: ns1.private.ch <br>
Address: private#53 <br>
<br>
Non-authoritative answer: <br>
Name: mobile-universe.ch <br>
Address: 18.194.35.161 <br>
<br>
$ nslookup <a class="moz-txt-link-abbreviated"
href="http://www.mobile-universe.ch" moz-do-not-send="true">www.mobile-universe.ch</a>
ns1.private.ch <br>
Server: ns1.private.ch <br>
Address: private#53 <br>
<br>
** server can't find <a class="moz-txt-link-abbreviated"
href="http://www.mobile-universe.ch" moz-do-not-send="true">www.mobile-universe.ch</a>:
NXDOMAIN </blockquote>
</blockquote>
<br>
So I'm guessing that "ns1.private.ch" is a made-up name, right?
But this is running pdns-recursor? Which version?<br>
<br>
Resolving that name works for me using pdns-recursor
4.0.6-1pdns.xenial under Ubuntu 16.04:<br>
<br>
<tt># dig @192.168.5.53 <a class="moz-txt-link-abbreviated" href="http://www.mobile-universe.ch" moz-do-not-send="true">www.mobile-universe.ch</a> a</tt><br>
<br>
<tt>; <<>> DiG 9.8.1-P1 <<>> @192.168.5.53 <a class="moz-txt-link-abbreviated" href="http://www.mobile-universe.ch" moz-do-not-send="true">www.mobile-universe.ch</a> a</tt><br>
<tt>; (1 server found)</tt><br>
<tt>;; global options: +cmd</tt><br>
<tt>;; Got answer:</tt><br>
<tt>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26749</tt><br>
<tt>;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0</tt><br>
<br>
<tt>;; QUESTION SECTION:</tt><br>
<tt>;www.mobile-universe.ch. IN A</tt><br>
<br>
<tt>;; ANSWER SECTION:</tt><br>
<tt><a class="moz-txt-link-abbreviated" href="http://www.mobile-universe.ch" moz-do-not-send="true">www.mobile-universe.ch</a>. 3600 IN CNAME elb-front-92-10-617833872.eu-central-1.elb.amazonaws.com.</tt><br>
<tt>elb-front-92-10-617833872.eu-central-1.elb.amazonaws.com. 60 IN A 52.58.17.141</tt><br>
<tt>elb-front-92-10-617833872.eu-central-1.elb.amazonaws.com. 60 IN A 52.57.147.203</tt><br>
<br>
<tt>;; Query time: 504 msec</tt><br>
<tt>;; SERVER: 192.168.5.53#53(192.168.5.53)</tt><br>
<tt>;; WHEN: Mon Nov 13 09:21:37 2017</tt><br>
<tt>;; MSG SIZE rcvd: 142</tt><br>
<br>
<br>
So something must be different on your side, although I can't
think why you'd get NXDOMAIN rather than SERVFAIL.<br>
<br>
I suggest you turn on tracing for the <tt>mobile-universe.ch</tt>
and <tt>eu-central-1.elb.amazonaws.com</tt> domains, clear the
cache for those domains, and then do the query again. See:<br>
<br>
<a moz-do-not-send="true" href="https://doc.powerdns.com/recursor/running.html#tracing-queries">https://doc.powerdns.com/recursor/running.html#tracing-queries</a><br>
<a moz-do-not-send="true" href="https://doc.powerdns.com/recursor/running.html#cache-management">https://doc.powerdns.com/recursor/running.html#cache-management</a><br>
<br>
You could also tcpdump all the DNS traffic which it sends during
that time.<br>
<br>
FYI, here is where the authoritative servers are:<br>
<p><tt>$ dig +trace <a class="moz-txt-link-abbreviated" href="http://www.mobile-universe.ch" moz-do-not-send="true">www.mobile-universe.ch</a>. a</tt><br>
<br>
<tt>...</tt><br>
<br>
<tt>mobile-universe.ch. 3600 IN NS ns1a.plentymarkets.eu.</tt><br>
<tt>mobile-universe.ch. 3600 IN NS ns2a.plentymarkets.eu.</tt><br>
<tt>;; Received 94 bytes from 130.59.31.41#53(130.59.31.41) in 115 ms</tt><br>
<br>
<tt><a class="moz-txt-link-abbreviated" href="http://www.mobile-universe.ch" moz-do-not-send="true">www.mobile-universe.ch</a>. 3600 IN CNAME elb-front-92-10-617833872.eu-central-1.elb.amazonaws.com.</tt><br>
<tt>com. 3600 IN SOA ns1.com. hostmaster.com. 3 86400 10800 3600000 172800</tt><br>
<tt>;; Received 161 bytes from 185.61.8.110#53(185.61.8.110) in 31 ms</tt></p>
<p><tt><br>
</tt></p>
<p><tt>$ dig +trace elb-front-92-10-617833872.eu-central-1.elb.amazonaws.com. a</tt></p>
<p><tt>...</tt></p>
<p><tt>elb-front-92-10-617833872.eu-central-1.elb.amazonaws.com. 60 IN A 52.58.17.141</tt><br>
<tt>elb-front-92-10-617833872.eu-central-1.elb.amazonaws.com. 60 IN A 52.57.147.203</tt><br>
<tt>eu-central-1.elb.amazonaws.com. 1800 IN NS ns-1326.awsdns-37.org.</tt><br>
<tt>eu-central-1.elb.amazonaws.com. 1800 IN NS ns-1689.awsdns-19.co.uk.</tt><br>
<tt>eu-central-1.elb.amazonaws.com. 1800 IN NS ns-417.awsdns-52.com.</tt><br>
<tt>eu-central-1.elb.amazonaws.com. 1800 IN NS ns-613.awsdns-12.net.</tt></p>
<p>And all four AWS nameservers agree on the results: none is
giving NXDOMAIN.<br>
</p>
<p><tt># for i in ns-1326.awsdns-37.org. ns-1689.awsdns-19.co.uk. ns-417.awsdns-52.com. ns-613.awsdns-12.net.; do echo "=== $i ==="; dig +short @$i elb-front-92-10-617833872.eu-central-1.elb.amazonaws.com. a; done</tt><br>
<tt>=== ns-1326.awsdns-37.org. ===</tt><br>
<tt>52.58.17.141</tt><br>
<tt>52.57.147.203</tt><br>
<tt>=== ns-1689.awsdns-19.co.uk. ===</tt><br>
<tt>52.57.147.203</tt><br>
<tt>52.58.17.141</tt><br>
<tt>=== ns-417.awsdns-52.com. ===</tt><br>
<tt>52.57.147.203</tt><br>
<tt>52.58.17.141</tt><br>
<tt>=== ns-613.awsdns-12.net. ===</tt><br>
<tt>52.58.17.141</tt><br>
<tt>52.57.147.203</tt></p>
<p>Regards,</p>
<p>Brian.<br>
</p>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<p style="font-size: 12px;">
Srdacan pozdrav | Best regards<br>
Mislav Orsolic | sysadmin<br>
<a href="https://www.mislav.eu" target="_blank">https://www.mislav.eu</a>
/ <a href="https://www.linkedin.com/in/mislavorsolic"
target="_blank">https://www.linkedin.com/in/mislavorsolic</a>
</p>
<span style="color:#c0c0c0">___________________________________________<br>
</span>
<p style="font-family: Arial, Helvetica, Verdana; font-size: 12px;
margin-top: 2px; color:#444;">
<strong>T </strong> +385 91 444 0275<br>
<strong>Skype:</strong> mislav.orsolic<br>
</p>
</div>
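An added check, not from either poster, for the diagnosis in this thread (that a query from outside lands on pdns_server instead of the recursor): it parses dig's text output for the RA flag, the rcode and the CNAME chain, so a server that simply will not recurse for the client is told apart from a genuine resolution failure. The two dig samples are constructed (the first trimmed from the output quoted above, the second invented for the no-recursion case) and the function names are my own.<br>

```python
import re
# Constructed sample, trimmed from the dig output quoted in the thread.
GOOD = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26749
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
www.mobile-universe.ch. 3600 IN CNAME elb-front-92-10-617833872.eu-central-1.elb.amazonaws.com.
elb-front-92-10-617833872.eu-central-1.elb.amazonaws.com. 60 IN A 52.58.17.141
elb-front-92-10-617833872.eu-central-1.elb.amazonaws.com. 60 IN A 52.57.147.203
"""
# Constructed: what a server that does not recurse for this client hands back (no "ra" flag).
BAD = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""

def parse_dig(text):
    """Return (rcode, flags, answers) from dig's text output; answers are (name, type, rdata)."""
    rcode, flags, answers, in_answer = None, set(), [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";; ->>HEADER<<-"):
            rcode = re.search(r"status: (\w+)", line).group(1)
        elif line.startswith(";; flags:"):
            flags = set(line[len(";; flags:"):].split(";")[0].split())
        elif line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif in_answer and line and not line.startswith(";"):
            name, _ttl, _cls, rtype, *rdata = line.split()  # name ttl class type rdata...
            answers.append((name, rtype, " ".join(rdata)))
        elif in_answer:
            in_answer = False  # a blank line or the next ";;" section ends the answer block
    return rcode, flags, answers

def resolve_chain(answers, qname):
    """Follow CNAMEs from qname within one answer set; return (final_name, sorted A rdata)."""
    name, seen = qname, set()
    while name not in seen:
        seen.add(name)  # guards against a CNAME loop in a malformed answer
        targets = [rd for n, t, rd in answers if n == name and t == "CNAME"]
        if not targets:
            break
        name = targets[0]
    return name, sorted(rd for n, t, rd in answers if n == name and t == "A")

def diagnose(text, qname):
    """Classify one dig response: no-ra, rcode:<RCODE>, no-address or ok."""
    rcode, flags, answers = parse_dig(text)
    if "ra" not in flags:
        return "no-ra"  # the server did not offer recursion: this is not the recursor answering
    if rcode != "NOERROR":
        return "rcode:" + rcode
    _final, addrs = resolve_chain(answers, qname)
    return "ok" if addrs else "no-address"
```

Feed it the saved output of the same dig run against 127.0.0.1 and against the public address; "no-ra" from the public address means the query never reached pdns_recursor, which is a listener question, not a CNAME one.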
</body>
</html>