<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-GB" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Hi Folks,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Just having come confusion with the pdns-recursor forward-zones-file settings, which I will describe..<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Due to migrating to the newest versions of pdns and losing the recursor settings, I have been following the migration guide (<a href="https://doc.powerdns.com/authoritative/guides/recursion.html)">https://doc.powerdns.com/authoritative/guides/recursion.html)</a>,
scenario 2. We do plan on fully separating Auth and Recursion, but for now I need them both on the same IP.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Dnsdist (1.3.3) is configured on 53 and I have a list of allowed subnets for recursion, everyone else is sent to the authoritative .<o:p></o:p></p>
<p class="MsoNormal">pdns (4.1.5) is on localhost:5300<o:p></o:p></p>
<p class="MsoNormal">pdns-recursor (4.1.8) is on localhost:5301<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Externally, authoritative requests are working fine and dnsdist sends correctly to localhost:5300 and the response has the “aa” flag. All good.<o:p></o:p></p>
<p class="MsoNormal">Recursion is working fine from a whitelisted IP to external domains OK…<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">dig @my-server bbc.co.uk<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">; <<>> DiG 9.9.5-3ubuntu0.15-Ubuntu <<>> @localhost bbc.co.uk<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">; (1 server found)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">;; global options: +cmd<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">;; Got answer:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14732<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">;; OPT PSEUDOSECTION:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">; EDNS: version: 0, flags:; udp: 4096<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">;; QUESTION SECTION:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">;bbc.co.uk. IN A<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">;; ANSWER SECTION:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">bbc.co.uk. 300 IN A 151.101.128.81<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">bbc.co.uk. 300 IN A 151.101.0.81<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">bbc.co.uk. 300 IN A 151.101.64.81<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">bbc.co.uk. 300 IN A 151.101.192.81<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal">However, I can no longer get a response from any zone on my Auth server, as dnsdist see’s my IP as on the whitelist and keeps sending me to the recursor rather than the auth and so I get a fail. To work around this, my zones are also defined
in the pdns-recursor config in the forward-zone-file, which is included and correctly read on restart.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Example from forward-zones-file: tibus.net=127.0.0.1:5300 <o:p>
</o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I can now query this zone OK from a whitelisted IP and get a response, however, I do not get “aa” flag, but instead “rd”.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">dig @my-server tibus.net<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">; <<>> DiG 9.9.5-3ubuntu0.15-Ubuntu <<>> @localhost tibus.net<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">; (1 server found)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">;; global options: +cmd<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">;; Got answer:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21395<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">;; OPT PSEUDOSECTION:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">; EDNS: version: 0, flags:; udp: 4096<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">;; QUESTION SECTION:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">;tibus.net. IN A<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">;; ANSWER SECTION:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"">tibus.net. 1699 IN A 89.185.148.64<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">According to the documentation the zones listed in the forward-zone-file will only have the recursion-desired bit set if they are prefixed with a “+” (“Zones prefixed with a ‘+’ are forwarded with the recursion-desired bit set”) I do not
have this prefix, but yet the bit is set. Have I confused this settings meaning, misconfigured or should I be getting an “aa” flag?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Many thanks,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Alun<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<br><br></body>
</html>