<!DOCTYPE html>
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hello,<br>
<br>
I am using PowerDNS Recursor 5.0.3 and I am trying to use forward
all zones towards dns0 which block malicious domains and return
NXDOMAIN. Unfortunately for some domains I would like to use
different forwarders than dns0 and get normal dns answer(e.g.
forwarders 8.8.8.8:53).<br>
<br>
I tried to configure forward-zones and add zone to use 8.8.8.8
instead of dns0 unfortunatelly it always respond with NXDOMAIN or
SERFFAIL.<br>
<br>
My configuration:<br>
recursor.yml:<br>
"<br>
incoming:<br>
allow_from:<br>
- 192.168.0.0/24<br>
listen:<br>
- 192.168.0.100<br>
pdns_distributes_queries: true<br>
logging:<br>
loglevel: 3<br>
quiet: true<br>
recordcache:<br>
max_ttl: 86400<br>
recursor:<br>
config_dir: /etc/powerdns<br>
forward_zones_file: /etc/powerdns/zones.yml<br>
hint_file: /usr/share/dns/root.hints<br>
include_dir: /etc/powerdns/recursor.d<br>
lua_config_file: /etc/powerdns/recursor.lua<br>
"<br>
<br>
zones.yml:<br>
"<br>
- zone: 'liveaqest.live'<br>
forwarders:<br>
- 8.8.8.8:53<br>
recurse: true<br>
- zone: '.'<br>
forwarders:<br>
- 193.110.81.0:53<br>
- 185.253.5.0:53<br>
"<br>
<br>
recursor.lua:<br>
"<br>
dofile("/usr/share/pdns-recursor/lua-config/rootkeys.lua")<br>
"<br>
<br>
When I try `dig liveaqest.live @192.168.0.100` I get:<br>
"<br>
; <<>> DiG 9.18.24 <<>> liveaqest.live
@192.168.0.100<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id:
65094<br>
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags:; udp: 512<br>
;; QUESTION SECTION:<br>
;liveaqest.live. IN A<br>
<br>
;; Query time: 39 msec<br>
;; SERVER: 192.168.0.100#53(192.168.0.100) (UDP)<br>
;; WHEN: Tue Apr 23 17:31:22 CEST 2024<br>
;; MSG SIZE rcvd: 43<br>
"<br>
<br>
And I can see in tcpdump that pdns-recursor got correct answer from
google dns but it looks like it got something from dns0 dns as well
and returned servfail. This one domain is only example and when
tested for multiple domains that are blocked by dns0 and not by
google it always behaved like this. Also domains that got first
CNAME and then A record.<br>
tcpdump:<br>
"<br>
17:31:22.071802 IP 192.168.0.101.41941 > pdns-recursor.domain:
65094+ [1au] A? liveaqest.live. (55)<br>
17:31:22.072588 IP pdns-recursor.55092 > dns.google.domain:
5457+% [1au] A? liveaqest.live. (43)<br>
17:31:22.090703 IP dns.google.domain > pdns-recursor.55092: 5457
2/0/1 A 188.114.97.3, A 188.114.96.3 (75)<br>
17:31:22.091020 IP pdns-recursor.52908 > dns0.eu.domain: 55841
[1au] DS? live. (33)<br>
17:31:22.095823 IP dns0.eu.domain > pdns-recursor.52908: 55841$
0/14/1 (530)<br>
17:31:22.096001 IP pdns-recursor.25826 > dns0.eu.domain: 28404
[1au] DS? live. (33)<br>
17:31:22.099646 IP pdns-recursor.34244 > 10.35.21.1.domain:
26987+ PTR? 101.0.164.192.in-addr.arpa. (42)<br>
17:31:22.100761 IP dns0.eu.domain > pdns-recursor.25826: 28404$
0/14/1 (530)<br>
17:31:22.101142 IP pdns-recursor.domain > 192.168.0.101.41941:
65094 ServFail 0/0/1 (43)<br>
"<br>
<br>
Is it possible to use forward-zones as allow list and block list
together? I thought that it is going from top to botton of this
zones.yml file and if found match it use those forwarders. Not both
of them together. <br>
Is there way for this to make it happen with pdns-recursor settings
or some custom lua script?<br>
<br>
Thank you for any help.<br>
<div class="moz-signature">
<p style="margin-bottom: 17px; font-family: helvetica;"><strong>Jan
Gardian</strong></p>
<p style="font-size: 5px;"> </p>
</div>
</body>
</html>