<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body style="overflow-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><br><div><blockquote type="cite"><div>On 7 May 2025, at 16:19, Nacho Oppo <nachooppo64@gmail.com> wrote:</div><br class="Apple-interchange-newline"><div><div dir="ltr">Hi, Frank <div><br></div><div><br></div><div><p>I believe I may not have explained the scenario clearly in my previous messages. Let me try to clarify it with a simplified example, which might better illustrate the situation:</p><ul><li style="margin-left:15px"><p>I have a server <strong>A</strong> with IP address <strong>dirip-A</strong>. When this server connects to <code><a href="http://servidor1.dominio.com/" target="_blank">servidor1.dominio.com</a></code>, it must resolve to a specific point-to-point IP: <strong>diripservidor1-serverA</strong>.</p></li><li style="margin-left:15px"><p>I also have a server <strong>B</strong> with IP address <strong>dirip-B</strong>. When this one connects to <code><a href="http://servidor1.dominio.com/" target="_blank">servidor1.dominio.com</a></code>, it must resolve to a <em>different</em> IP: <strong>diripservidor1-serverB</strong>.</p></li></ul></div></div></div></blockquote><div><br></div>Yes, Pdns-auth with LUA records (in MySQL or other) are a good solution for this. That's not the issue.</div><div><br><blockquote type="cite"><div><div dir="ltr"><div><p>So, depending on the source of the DNS query, the same hostname (<code><a href="http://servidor1.dominio.com/" target="_blank">servidor1.dominio.com</a></code>) must resolve to a different IP address. 
This is exactly the kind of logic that <strong>LUA records in PowerDNS</strong> can handle, and this part I have working as expected.</p><p>However, the client also has another public server: <code><a href="http://servidorpublico.dominio.com/" target="_blank">servidorpublico.dominio.com</a></code>, and this one <strong>must be resolved via an external DNS resolver</strong> (for example, Google DNS at 8.8.8.8), as it is not managed internally.</p><p>What I’m struggling with is making the full combination work:</p><ul><li style="margin-left:15px"><p>Using LUA records for selected domains (like <code><a href="http://servidor1.dominio.com/" target="_blank">servidor1.dominio.com</a></code>),</p></li><li style="margin-left:15px"><p>And falling back to an external resolver for public domains (like <code><a href="http://servidorpublico.dominio.com/" target="_blank">servidorpublico.dominio.com</a></code>) <strong>when no local data is found</strong>.</p></li></ul></div></div></div></blockquote><div><br></div>Key is that either dnsdist (best) or pdns-rec (second best) will need to know which names are to be resolved by pdns-auth. </div><div><br></div><div>Solve that, you've solved it. 
But don't try things like "have pdns-auth do resolving" or "intercept the nxdomain from auth and send elsewhere" or "have pdns-rec be auth".</div><div><br></div><div>Frank</div><div><br></div><div><br></div><div><br></div><div><blockquote type="cite"><div><div dir="ltr"><div><div>Best Regards</div></div><div>Nacho</div></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Wed, 7 May 2025 at 16:07, <<a href="mailto:frank@kiwazo.be">frank@kiwazo.be</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><span style="font-family:HelveticaNeue">Hi Nacho,</span><div style="font-family:HelveticaNeue"><br></div><div style="font-family:HelveticaNeue">How "static" is the list of domains which need to resolve locally? Updated sub-second? Once every minute? Once every hour?</div><div style="font-family:HelveticaNeue"><br></div><div style="font-family:HelveticaNeue">I would not use pdns-recursor at all. I would let dnsdist be the first point of entry, with 2 pools: an "auth" pool and a resolver pool.</div><div style="font-family:HelveticaNeue"><br></div><div style="font-family:HelveticaNeue">Add the pdns-auth (with MySQL and Lua records) to the auth pool. Have pdns-auth ONLY serve the special records, with the lua handling.</div><div style="font-family:HelveticaNeue"><br></div><div style="font-family:HelveticaNeue">Add 8.8.8.8 (and maybe <a href="http://1.1.1.1/9.9.9.9" target="_blank">1.1.1.1/9.9.9.9</a> as well) to the resolver pool. Tell dnsdist to read a set of "special" domains from a text file. Tell it that IF (and only IF) the qname is part of the domains which are on the "special" list, it should send the query to the auth pool. 
In every other case (normal resolving), send it to the resolving pool (8.8.8.8 and others).</div><div style="font-family:HelveticaNeue"><br></div><div style="font-family:HelveticaNeue">To be VERY VERY VERY VERY clear: what you proposed in the first mail is very very very very bad practice. If the scoring of the project is done by somebody who has any real life experience with dns, you'd fail. We don't want you to fail. So with the advice I and others on the list have given you, please go back to the drawing board and rethink your design.</div><br><div>Frank</div><div><br><blockquote type="cite"><div>On 7 May 2025, at 16:04, Nacho Oppo via Pdns-users <<a href="mailto:pdns-users@mailman.powerdns.com" target="_blank">pdns-users@mailman.powerdns.com</a>> wrote:</div><br><div><div dir="ltr">Thanks William,<br><br>I answer you between the lines<br><br>1. This is bad practice.<br><br>It may be a bad practice, but it is the chosen one and it is the one that I hope will give me the approval.<br><br><br>2. The goal of an assignment can’t be to have someone else do it for you. What’s the point?<br><br>I am clear that it has to be this way, I need to understand it in order to explain it.<br><br><br>3. What have you tried? “It doesn’t work” doesn’t indicate any effort.<br><br>I've installed and uninstalled the software several times, run separate tests on the DNS server, and it resolves the names I put in the database. However, the moment I try to add another DNS server to resolv.conf, it stops responding to local DNS servers and goes online to look for them. <br>When I installed the Recursor, things got even worse because, despite not having another DNS server in resolv.conf or the config, the service resolved names for me, and I don't really understand how it did it.<br><br>4. 
Should a Computer Science assignment really be this high-level?<br><br>They proposed it to me and I thought it wouldn't be as complicated as it's turning out to be.<br><div><br></div><div>Nacho.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, 7 May 2025 at 10:27, William Edwards via Pdns-users (<<a href="mailto:pdns-users@mailman.powerdns.com" target="_blank">pdns-users@mailman.powerdns.com</a>>) wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">1. This is bad practice. <br>
2. The goal of an assignment can’t be to have someone else do it for you. What’s the point?<br>
3. What have you tried? “It doesn’t work” doesn’t indicate any effort. <br>
4. Should a Computer Science assignment really be this high-level?<br>
<br>
William Edwards<br>
<br>
> On 7 May 2025, at 10:04, Nacho Oppo via Pdns-users <<a href="mailto:pdns-users@mailman.powerdns.com" target="_blank">pdns-users@mailman.powerdns.com</a>> wrote:<br>
> <br>
> <br>
> Dear "PowerDNS MailGroup",<br>
> <br>
> My name is Nacho, and I am a university student currently studying Computer Science. I’m working on my final-year project, which involves setting up a system that allows resolution of personal names using PowerDNS.<br>
> <br>
> The goal is to configure PowerDNS so that it first checks an A record in a MySQL backend, and if the record is not found or if the database does not respond, it should forward the query to an external DNS server, such as Google’s (8.8.8.8).<br>
> <br>
> From what I’ve read, this setup used to be possible directly with PowerDNS, but now it seems that the use of a separate PowerDNS Recursor in front is required. I’ve tried configuring it myself, but unfortunately, I haven’t been able to make it work properly.<br>
> <br>
> If someone could share a working configuration for both PowerDNS Authoritative and PowerDNS Recursor (for the current versions), or point me to a complete example, I would be truly grateful.<br>
> <br>
> Thank you in advance for your time and help.<br>
> <br>
> Best regards,<br>
> Nacho<br>
> <br>
> _______________________________________________<br>
> Pdns-users mailing list<br>
> <a href="mailto:Pdns-users@mailman.powerdns.com" target="_blank">Pdns-users@mailman.powerdns.com</a><br>
> <a href="https://mailman.powerdns.com/mailman/listinfo/pdns-users" rel="noreferrer" target="_blank">https://mailman.powerdns.com/mailman/listinfo/pdns-users</a><br>
<br>
</blockquote></div>
</div></blockquote></div><br></div></blockquote></div>
</div></blockquote></div><br></body></html>
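The dnsdist layout Frank describes in this thread (an "auth" pool, a resolver pool, and a list of special domains read from a text file), as an added example that is not part of the original messages or of the PowerDNS project. The listener address, client range, pdns-auth port and list-file path are assumptions; passing the client address to pdns-auth as EDNS Client Subnet is also an assumption, made so that per-source LUA records still see who asked, and it relies on `edns-subnet-processing=yes` being set in pdns-auth.

```lua
-- dnsdist.conf: added example, not from the thread.
-- Assumed values: listener 192.0.2.53, client range 192.0.2.0/24,
-- pdns-auth on 127.0.0.1:5300, list file /etc/dnsdist/special-domains.txt
-- (one domain per line, "#" starts a comment).

setLocal("192.0.2.53:53")
-- Answer only the internal clients, so the resolver pool is not an open resolver.
setACL({"192.0.2.0/24"})

-- "auth" pool: pdns-auth serving ONLY the special records (MySQL + LUA records).
-- pdns-auth would otherwise see dnsdist as the source of every query, so the
-- full client address is forwarded as EDNS Client Subnet (assumes
-- edns-subnet-processing=yes in pdns.conf so the LUA records act on it).
setECSSourcePrefixV4(32)
newServer({address="127.0.0.1:5300", pool="auth", name="pdns-auth",
           useClientSubnet=true})

-- "resolver" pool: public resolvers for every other name (no ECS sent to them).
newServer({address="8.8.8.8:53", pool="resolver", name="google"})
newServer({address="1.1.1.1:53", pool="resolver", name="cloudflare"})
newServer({address="9.9.9.9:53", pool="resolver", name="quad9"})

-- Load the special domains. A missing or empty file aborts startup, so
-- internal names are never silently sent to the public resolvers.
local listPath = "/etc/dnsdist/special-domains.txt"
local special = newSuffixMatchNode()
local loaded = 0
local f = assert(io.open(listPath, "r"))
for line in f:lines() do
  -- strip comments and surrounding whitespace
  local name = line:gsub("#.*$", ""):match("^%s*(.-)%s*$")
  if name ~= "" then
    special:add(newDNSName(name))
    loaded = loaded + 1
  end
end
f:close()
assert(loaded > 0, "no domains found in " .. listPath)

-- IF (and only IF) the qname is on the special list: auth pool.
addAction(SuffixMatchNodeRule(special), PoolAction("auth"))
-- Every other query: resolver pool.
addAction(AllRule(), PoolAction("resolver"))
```

This configuration reads the list once at startup, so a changed file takes effect only after dnsdist is restarted.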