<div dir="auto"><div>Hi,</div><div dir="auto"><br></div><div dir="auto">Thanks for the tip - I actually tried that but was not able to get any working Lua on the dnsdist side. Might have to consult the dnsdist mailing list about how to use this "setRD".</div><div dir="auto"><br></div><div dir="auto">Cheers,</div><div dir="auto">OA<br><br><div class="gmail_quote gmail_quote_container" dir="auto"><div dir="ltr" class="gmail_attr">On Sat, 5 Apr 2025 at 8:36, Otto Moerbeek <<a href="mailto:otto@drijf.net">otto@drijf.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Fri, Apr 04, 2025 at 09:25:04PM +0300, Olli Attila via Pdns-users wrote:<br>
<br>
Hi,<br>
<br>
I think setting the RD flag in dnsdist using<br>
<a href="https://www.dnsdist.org/reference/dq.html?highlight=rd#DNSHeader:setRD" rel="noreferrer noreferrer" target="_blank">https://www.dnsdist.org/reference/dq.html?highlight=rd#DNSHeader:setRD</a><br>
on the requests forwarded to the recursor should work and get you the<br>
old behaviour back. I don't see why that would not be acceptable. If<br>
the recursor has a (non-recursive) forward for the name queried, it<br>
will consult the cache and, if needed, query the forwarding target<br>
(that query will not have the RD flag set). After that postresolve() is<br>
called if present.<br>
<br>
That should get you your old behaviour back, unless I'm missing<br>
something.<br>
<br>
-Otto<br>
<br>
> Hello all,<br>
> <br>
> <br>
> <br>
> After upgrading from dns-recursor 4.8.x -> 5.2.0 I noticed this happened:<br>
> <br>
> <br>
> <br>
> Recursor 4.9.x changelog (4.9.0-alpha1 Improvements):<br>
> <br>
> "Change the way RD=0 forwarded queries are handled.<br>
> References: pull request 12425 <<a href="https://github.com/PowerDNS/pdns/pull/12425" rel="noreferrer noreferrer" target="_blank">https://github.com/PowerDNS/pdns/pull/12425</a>><br>
> "<br>
> <br>
> Related PR: <a href="https://github.com/PowerDNS/pdns/pull/12594" rel="noreferrer noreferrer" target="_blank">https://github.com/PowerDNS/pdns/pull/12594</a><br>
> <br>
> I am using a setup in a custom environment where dnsdist is taking in<br>
> queries and routing them through a pdns recursor which is forwarding the<br>
> queries to pdns authoritative dns server. The recursor in between is doing<br>
> forwarding to auth server and is responsible for mangling the returned DNS<br>
> record data that the authoritative server returns. This so called<br>
> "mangling" is done because in some cases I need to alter the NAPTR response<br>
> depending on the original source of the query. A sort of DNS view if one would<br>
> like to use that kind of name for this behaviour.<br>
> <br>
> Client side DNS component (which behaviour I can't unfortunately change) is<br>
> always sending the query with RD bit set to "0" towards dnsdist ip and<br>
> therefore after dnsdist has routed the query to the recursor, the 5.2.0<br>
> recursor is now refusing to forward the queries to authoritative servers<br>
> (REFUSED is returned). This was working on the pdns recursor 4.8.x. Now<br>
> that I need that mangling in between dnsdist and auth servers (at least for<br>
> the time being), what would be the options to achieve this after the 5.2.0<br>
> recursor upgrade on this kind of setup?<br>
> <br>
> Observations / thoughts on different options:<br>
> <br>
> - Dnsdist does not seem to support the same kind of postresolve lua like<br>
> the recursor component (=Altering returned NAPTR content with regexp. There<br>
> is an example at the end of my mail). I have not succeeded in making it<br>
> behave the same way. Also the dirty trick of making the dnsdist to force RD<br>
> from 0 to 1 is off the table I think (for allowing the recursor to recurse<br>
> to auth servers after dnsdist). This would be kind of a hack if even<br>
> possible?<br>
> - I'm under the impression that Pdns authoritative server (what I use<br>
> here as auth) is not either capable of doing this kind of mangling for the<br>
> returned NAPTR records. Please correct me if I'm wrong with this.<br>
> - On recursor config there is this new parameter "allow-no-rd" which was<br>
> introduced in 5.0.0 but to use this in an effective way I should be having<br>
> all the auth server data in the recursors internal cache and then after the<br>
> response, do the mangling as before with the lua magic? Having to sync the<br>
> data from auth servers to the recursors cache seems quite weird but if<br>
> someone has thoughts on this, I'm all ears.<br>
> <br>
> <br>
> <br>
> For the mangling of the NAPTR I'm doing this kind of thing on the recursor<br>
> now (which I would hope to preserve somehow):<br>
> <br>
> function postresolve(dq)<br>
>   local records = dq:getRecords()<br>
>   local modified = false<br>
>   for k, v in pairs(records) do<br>
>     if v.type == pdns.NAPTR and string.find(v:getContent(), "foo.bar") then<br>
>       local originalContent = v:getContent()<br>
>       local one, two, three = string.match(v:getContent(), "(.*)@(.*)bar(.*)")<br>
>       if one and two and three then<br>
>         v:changeContent(one .. "@newfoo.bar" .. three)<br>
>         modified = true<br>
>       end<br>
>       originalContent = v:getContent()<br>
>     end<br>
>   end<br>
>   if modified then<br>
>     dq:setRecords(records)<br>
>   end<br>
>   return true<br>
> end<br>
> <br>
> <br>
> <br>
> <br>
> Cheers,<br>
> <br>
> OA<br>
<br>
<br>
</blockquote></div></div></div>
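One way to apply the `DNSHeader:setRD` suggestion from the thread in a dnsdist configuration. This is an added example, not code from either poster or from the dnsdist project; the backend address, the pool name `recursor` and the zone `e164.example.` are placeholders. The rule is scoped to the forwarded zone so that RD is not forced on for every name that reaches the recursor.

```lua
-- dnsdist.conf fragment (added example; address, pool and zone are placeholders)

-- Hypothetical recursor backend that forwards the zone to the auth server
newServer({address="192.0.2.10:5300", pool="recursor"})

-- Limit the rewrite to the zone the recursor has a (non-recursive) forward for,
-- so dnsdist does not ask the recursor to recurse for arbitrary names.
local forwarded = newSuffixMatchNode()
forwarded:add(newDNSName("e164.example."))   -- placeholder zone

-- For queries in that zone that arrive with RD=0, set RD=1 before they are
-- sent to the recursor. DNSAction.None means "keep evaluating later rules".
addAction(
  AndRule({SuffixMatchNodeRule(forwarded), NotRule(RDRule())}),
  LuaAction(function(dq)
    dq.dh:setRD(true)
    return DNSAction.None, ""
  end)
)

-- Route the zone to the recursor pool; this rule runs after the rewrite above.
addAction(SuffixMatchNodeRule(forwarded), PoolAction("recursor"))
```

On the recursor side, `allow-from` should stay limited to the dnsdist address, since every query for this zone now reaches it with RD set regardless of what the client sent.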