[dnsdist] Rewrite backend responses based on NXDOMAIN?

Mark Moseley moseleymark at gmail.com
Wed May 6 23:08:47 UTC 2020

I've been flailing on this, so time to swallow my pride and ask the list :)

I'm running PowerDNS repo's 1.4.0-1pdns.bionic on a series of Ubuntu Bionic
boxes, fronting Powerdns Auth 4.3.0. We've got millions of customer domains
in MySQL.

We're looking at implementing DomainConnect. My initial thought was to use
Lua to serve up DomainConnect TXT records for all domains. Easy enough and
already implemented it, based on a regex of the hostname.

The curveball is that some customers already have DomainConnect records. So
me blindly returning DomainConnect records would mask the customers' own
DomainConnect TXT records.

What I'd *like* to do is have dnsdist do this:

* Query backend for DomainConnect TXT record like usual
* If the backend replies with a NOERROR for that query, return the backend
response and done
* If the backend replies with a NXDOMAIN, change the rcode to NOERROR and
generate a synthetic response and return that

I.e. use the customer's TXT record if there is on; if there's not, use our
blanket TXT record

I'm trying to avoid having to add a remote backend into pdns auth. Being
able to do this in dnsdist itself seems a whole lot less complicated and
probably far more performant. I've also played with Lua inside Powerdns
Auth and can probably make this work but the likelihood of a) me breaking
something due to unintended consequences goes way up; and b) I'm sure I'll
negatively affect performance.

So far all my poring over docs says that this isn't possible (that is, no
action that changes a query response), but I'm hoping someone can point out
the obvious thing I'm missing.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/dnsdist/attachments/20200506/de1e2fae/attachment.htm>

More information about the dnsdist mailing list