<div dir="ltr"><div dir="ltr"><div dir="ltr">Thank you for your response. The case is more complex. There are two strictly separated DNS servers, one for internal and one for external hosts. For security reasons, external DNS resolution is generally prohibited. Only selected servers (such as the proxy) can access the external DNS in a separate network security zone. Therefore, it is not just classic split horizon, because a hostname is (or should be) available only in one of the zones, not in both.<br><br>The solution I’m trying to find is to build a separate server for this single proxy server that can resolve a hostname without knowing which zone is responsible for it. Please check if the following approach will work:<br><br>Configure RPZ with internal records (*.<a href="http://example.com">example.com</a> pointing to internal IPs).<br>When an internal hostname is queried, RPZ overrides the normal resolution and provides the internal answer.<br>If a record is not in RPZ, the DNS resolver forwards the request to 8.8.8.8.<br>External records (*.<a href="http://example.com">example.com</a> not in RPZ) resolve normally via Google DNS.<br><br>Should I maintain RPZ records on this auxiliary server for internal hosts manually? My understanding is that RPZ only overrides responses and does not forward queries for unknown records.<br><br>Thank you for your assistance.</div></div></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Fri, Feb 7, 2025 at 11:54 AM Brian Candler <<a href="mailto:b.candler@pobox.com">b.candler@pobox.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<div>On 07/02/2025 10:31, Pavel Prostin via
Pdns-users wrote:<br>
</div>
<blockquote type="cite"><br>
I’m trying to configure the PowerDNS recursor to failover on
NXDOMAIN. Here is the scenario:<br>
<br>
There are two DNS zones: internal and external. The problem is
that *.<a href="http://example.com" target="_blank">example.com</a>
can either be used for an internal or an external host, and thus
the record can exist on any DNS server.<br>
<br>
Possible workaround: A client tries to resolve the hostname using
the primary (internal) DNS first. If the internal DNS server has
no record or cannot resolve the host because it is external and
returns NXDOMAIN (non-existent domain), a second request is then
made to the alternate (external) DNS server (this is not the
secondary DNS fallback) to resolve the domain/host.<br>
<br>
I understand that this approach is not RFC-compliant and is not
the recommended solution (e.g., using .<a href="http://internal.example.com" target="_blank">internal.example.com</a>
for internal hosts). However, I attempted to implement it using a
custom LUA script (see below), which unfortunately does not work
as intended.<br>
<br>
Is the intended solution feasible and scalable?</blockquote>
<p>I don't think it is. However, if you are forced to use split DNS
in your environment (meaning that <a href="http://foo.example.com" target="_blank">foo.example.com</a> resolves
differently for internal and external users), I can offer a better
alternative.</p>
<p>On your internal recursor, use a Response Policy Zone (RPZ) to
set the responses which should be seen for *.<a href="http://example.com" target="_blank">example.com</a> for
internal users. Then any names which are not listed here will
automatically fall through to the external domain.</p>
<p>I've done this successfully with bind9. I've never tried it with
pdns-recursor but it appears to be fully supported:<br>
</p>
<p><a href="https://doc.powerdns.com/recursor/lua-config/rpz.html" target="_blank">https://doc.powerdns.com/recursor/lua-config/rpz.html</a><br>
</p>
<p>HTH,</p>
<p>Brian.<br>
</p>
</div>
</blockquote></div>
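<p>One concrete shape of the auxiliary-resolver setup sketched in the reply above, added here as an example and not taken from the thread or from the PowerDNS project: the RPZ file lists only the internal names as Local Data, and recursor.conf forwards everything the policy does not rewrite to 8.8.8.8. It assumes a Recursor 4.x style recursor.conf plus Lua config file (the <code>rpzFile</code> call from the linked documentation), a configuration directory passed in as a parameter (e.g. /etc/powerdns), and constructed internal addresses in 10.20.0.0/16; <code>rpz_decide</code> is a hypothetical offline stand-in that applies RPZ's QNAME-trigger rules to show which names the policy would answer and which fall through.</p>

```shell
#!/bin/sh
# Added example, not from the thread. Writes a PowerDNS Recursor 4.x style config set
# into "$1" (assumed /etc/powerdns): an RPZ holding ONLY internal names as Local Data,
# a Lua config that loads it, and a recursor.conf forwarding everything else to 8.8.8.8.
write_resolver_config() {
  dir="$1"
  # RPZ owner names are relative to the zone origin, so "intranet.example.com" is the
  # QNAME trigger for intranet.example.com. Do not add a bare "*.example.com" here:
  # it would override the external hosts as well instead of letting them fall through.
  # Addresses below are constructed sample values.
  cat > "$dir/internal.rpz" <<'EOF'
$TTL 300
$ORIGIN internal.rpz.
@                    SOA localhost. hostmaster.localhost. 2025020701 3600 900 2419200 300
@                    NS  localhost.
intranet.example.com A   10.20.0.10
*.lab.example.com    A   10.20.0.20
EOF
  # Lua config file: load the RPZ; policyName is what shows up in logs and metrics.
  cat > "$dir/recursor.lua" <<EOF
rpzFile("$dir/internal.rpz", {policyName="internal-override"})
EOF
  # Names the RPZ leaves alone are resolved by forwarding (recursively) to Google DNS.
  cat > "$dir/recursor.conf" <<EOF
lua-config-file=$dir/recursor.lua
forward-zones-recurse=.=8.8.8.8
EOF
}

# Hypothetical offline stand-in for the RPZ QNAME-trigger logic: an exact owner match
# wins, otherwise the closest "*.parent" wildcard; anything unmatched is forwarded.
# Prints "rpz <ip>" or "forward 8.8.8.8".
rpz_decide() {
  zone="$1"; qname="$2"
  ip=$(awk -v q="$qname" '$2=="A" && $1==q {print $3; exit}' "$zone")
  n="$qname"
  while [ -z "$ip" ] && [ "${n#*.}" != "$n" ]; do
    n="${n#*.}"   # strip the leftmost label and try the wildcard for the parent
    ip=$(awk -v q="*.$n" '$2=="A" && $1==q {print $3; exit}' "$zone")
  done
  if [ -n "$ip" ]; then echo "rpz $ip"; else echo "forward 8.8.8.8"; fi
}
```

<p>The RPZ file is the piece that has to be maintained by hand (or generated from the internal zone); the recursor itself never forwards a query because of an RPZ entry, it only rewrites the answer for names that match a trigger.</p>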