[dnsdist] Configure dnsdist to match domain

Oga Ajima ogaajima at gmail.com
Sun May 12 19:38:57 UTC 2019


I have pdns authoritative server configured on three servers and pdns
recursor configured on two other servers. dnsdist is configured on a sixth
server with the following configuration:

    setLocal("10.240.70.91:53")
    newServer({address="10.240.70.81:53",pool="auth"})
    newServer({address="10.240.70.82:53",pool="auth"})
    newServer({address="10.240.70.83:53",pool="auth"})
    newServer({address="10.240.70.84:53",pool="rec"})
    newServer({address="10.240.70.85:53",pool="rec"})
    addAction("homelab.test.", PoolAction("auth"))
    addAction(RDRule(), PoolAction("rec"))

Querying the pdns-auth servers directly yields the following result:

    dig +trace homelab.test @10.240.70.81

    ; <<>> DiG 9.11.3-1ubuntu1.7-Ubuntu <<>> +trace homelab.test @10.240.70.81
    ;; global options: +cmd
    ;; Received 28 bytes from 10.240.70.81#53(10.240.70.81) in 3 ms

Similarly for the pdns-recursor servers:

    dig www.yahoo.com @10.240.70.84

    ; <<>> DiG 9.11.3-1ubuntu1.7-Ubuntu <<>> www.yahoo.com @10.240.70.84
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14602
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;www.yahoo.com.            IN    A

    ;; ANSWER SECTION:
    www.yahoo.com.        253    IN    CNAME    atsv2-fp-shed.wg1.b.yahoo.com.
    atsv2-fp-shed.wg1.b.yahoo.com. 9 IN    A    72.30.35.9
    atsv2-fp-shed.wg1.b.yahoo.com. 9 IN    A    98.138.219.231
    atsv2-fp-shed.wg1.b.yahoo.com. 9 IN    A    98.138.219.232
    atsv2-fp-shed.wg1.b.yahoo.com. 9 IN    A    72.30.35.10

    ;; Query time: 71 msec
    ;; SERVER: 10.240.70.84#53(10.240.70.84)
    ;; WHEN: Sun May 12 15:29:37 EDT 2019
    ;; MSG SIZE  rcvd: 140

When I point the query to the dnsdist server however, I get replies for the
recursive query but the local domain does not provide the expected result:

    dig www.yahoo.com @10.240.70.91

    ; <<>> DiG 9.11.3-1ubuntu1.7-Ubuntu <<>> www.yahoo.com @10.240.70.91
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11278
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;www.yahoo.com.            IN    A

    ;; ANSWER SECTION:
    www.yahoo.com.        119    IN    CNAME    atsv2-fp-shed.wg1.b.yahoo.com.
    atsv2-fp-shed.wg1.b.yahoo.com. 13 IN    A    98.138.219.231
    atsv2-fp-shed.wg1.b.yahoo.com. 13 IN    A    72.30.35.9
    atsv2-fp-shed.wg1.b.yahoo.com. 13 IN    A    72.30.35.10
    atsv2-fp-shed.wg1.b.yahoo.com. 13 IN    A    98.138.219.232

    ;; Query time: 72 msec
    ;; SERVER: 10.240.70.91#53(10.240.70.91)
    ;; WHEN: Sun May 12 15:31:52 EDT 2019
    ;; MSG SIZE  rcvd: 140


I get the following result when querying dnsdist server:

    dig powerdns-1.homelab.test @10.240.70.91

    ; <<>> DiG 9.11.3-1ubuntu1.7-Ubuntu <<>> powerdns-1.homelab.test @10.240.70.91
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 50992
    ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    ;; WARNING: recursion requested but not available

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1232
    ;; QUESTION SECTION:
    ;powerdns-1.homelab.test.    IN    A

    ;; Query time: 4 msec
    ;; SERVER: 10.240.70.91#53(10.240.70.91)
    ;; WHEN: Sun May 12 15:35:41 EDT 2019
    ;; MSG SIZE  rcvd: 52

But querying pdns-auth directly yields the following:

    dig powerdns-1.homelab.test @10.240.70.81

    ; <<>> DiG 9.11.3-1ubuntu1.7-Ubuntu <<>> powerdns-1.homelab.test @10.240.70.81
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58541
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    ;; WARNING: recursion requested but not available

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1232
    ;; QUESTION SECTION:
    ;powerdns-1.homelab.test.    IN    A

    ;; ANSWER SECTION:
    powerdns-1.homelab.test. 3600    IN    A    10.240.70.81

    ;; Query time: 6 msec
    ;; SERVER: 10.240.70.81#53(10.240.70.81)
    ;; WHEN: Sun May 12 15:36:52 EDT 2019
    ;; MSG SIZE  rcvd: 68

How do I get a similar result from dnsdist?


    dnsdist -V
    dnsdist 1.4.0-alpha1 (Lua 5.1.4 [LuaJIT 2.0.4])
    Enabled features: dns-over-tls(openssl) dnscrypt ebpf ipcipher libsodium protobuf re2 recvmmsg/sendmmsg systemd
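
Added example, not part of the original post: a short Python script that compares the header fields of the dig outputs quoted above, to show which directly queried backend type the REFUSED reply through dnsdist resembles. The sample labels and function names are constructed for this example; a match on the RA bit and EDNS UDP size is a hint about which pool answered, not proof, and only 10.240.70.81 of the three "auth" servers was queried directly in the post.

```python
import re

# Header lines copied from the dig outputs quoted in the post (labels are constructed).
SAMPLES = {
    "rec_direct_10.240.70.84": (
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14602\n"
        ";; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1\n"
        "; EDNS: version: 0, flags:; udp: 512\n"),
    "auth_direct_10.240.70.81": (
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58541\n"
        ";; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n"
        "; EDNS: version: 0, flags:; udp: 1232\n"),
    "via_dnsdist_10.240.70.91": (
        ";; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 50992\n"
        ";; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n"
        "; EDNS: version: 0, flags:; udp: 1232\n"),
}

def fingerprint(text):
    """Pull out the header fields that differ between the quoted responses."""
    status = re.search(r"status: (\w+)", text).group(1)
    # Anchor on ';; flags:' so the EDNS 'flags:;' line is not picked up instead.
    flags = set(re.search(r"^;; flags: ([a-z ]*);", text, re.M).group(1).split())
    udp = int(re.search(r"udp: (\d+)", text).group(1))
    return {"status": status, "aa": "aa" in flags, "ra": "ra" in flags, "udp": udp}

def resembles(unknown, references):
    """Return the reference labels sharing the RA bit and EDNS size of `unknown`.

    Both traits are set by the server that produced the reply, so they are
    comparable even when the status and answer count differ.
    """
    u = fingerprint(unknown)
    return [name for name, ref in references.items()
            if (fingerprint(ref)["ra"], fingerprint(ref)["udp"]) == (u["ra"], u["udp"])]

def report():
    """Compare the reply received through dnsdist with the two direct replies."""
    via = SAMPLES["via_dnsdist_10.240.70.91"]
    refs = {k: v for k, v in SAMPLES.items() if not k.startswith("via_")}
    return resembles(via, refs), fingerprint(via)

if __name__ == "__main__":
    match, fp = report()
    print("reply through dnsdist:", fp)
    print("resembles:", match)
```
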