[dnsdist] Recursion to wrong server?!

Djerk Geurts djerk at maizymoo.com
Tue Sep 12 14:44:27 UTC 2023

Hi all,

While doing a tcpdump of DNS traffic to determine if also-notify was working I noticed root queries being received by an internal authoritative server that I wasn’t expecting. And according to the DNSdist configuration I don’t think I should be seeing these either. So I think I need some help making sense of it all.

I run FreeIPA as authoritative for zones of internal (sub.)domains. There are two PowerDNS recursors fronted by two DNSdist machines. The desired logic is as follows:

1. Both DNSdist servers forward all requests to the primary PowerDNS server. For now ignore that I have two; they're identical and are used as the primary and secondary DNS servers for everything that needs a DNS server.
2. DNSdist servers have a mgmt IP and a service IP:
   - Service IP bound to DNSdist:
   - Mgmt. IP, not bound to DNSdist:
3. The second PowerDNS-recursor is backup.
4. The IPA server(s) should only be used for updates (by IPA-clients).

-- define downstream servers, aka backends
newServer({address="", name="rns00", useProxyProtocol=true})
newServer({address="", name="rns01", pool={"backup"}, useProxyProtocol=true})
newServer({address="", name="ipa0", pool={"auth"}})
newServer({address="", name="ipa1", pool={"auth"}})

-- Send queries to default pool when servers are available
addAction(PoolAvailableRule(""), PoolAction(""))
-- Send queries to fallback pool if not
addAction(AllRule(), PoolAction("backup"))
-- Send UPDATES to IPA
addAction(AndRule({OpcodeRule(DNSOpcode.Update)}), PoolAction("auth"))

-- Refuse incoming AXFR, IXFR, NOTIFY and UPDATE
----addAction(OrRule({OpcodeRule(DNSOpcode.Notify), OpcodeRule(DNSOpcode.Update), QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), RCodeAction(DNSRCode.REFUSED))
-- Refuse incoming AXFR, IXFR and NOTIFY
addAction(OrRule({OpcodeRule(DNSOpcode.Notify), QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), RCodeAction(DNSRCode.REFUSED))

-- Drop incoming requests with X-Proxied-For fields
addAction(RecordsTypeCountRule(DNSSection.Additional, 65280, 1, 65535), DropAction())

The tcpdump shows repeated queries for a.root-servers.net:

IP > 19831+ A? a.root-servers.net. (36)
IP > 19831 1/0/0 A (52)

This is a DNS query from the server running DNSdist, from an IP address that DNSdist doesn’t listen on. I assume DNSdist just uses whatever source address the OS deems suitable for egress traffic, which in my case would indeed be

So my questions are:

1. Why are A queries sent to the IPA server, when only UPDATE queries should be sent there?
2. Why the repeated queries? I see repeated A record lookups for a.root-servers.net from both DNSdist servers and both PowerDNS-recursors. I would expect at least the recursors to cache these requests.
3. How do I fix the DNSdist behaviour? Should I move the primary DNS server into a pool? None of the failover examples I've seen show the primary DNS servers in a named pool.

Djerk Geurts
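Added example, not the poster's configuration: the same four backends with the rules reordered so that the specific UPDATE rule is evaluated before the catch-all. In dnsdist, addAction() rules are evaluated top to bottom and PoolAction(), RCodeAction() and DropAction() all stop further rule processing, so in the posted order the AllRule() catch-all sends every remaining query to "backup" and the "auth" rule below it is never reached. The IP addresses are RFC 5737 documentation addresses constructed for this example; the `source` option of newServer() is a real dnsdist option and is shown here as one way to pin the egress address instead of leaving it to the OS routing table.

```lua
-- Added example (not from the original post). Addresses are constructed
-- documentation addresses (RFC 5737); replace with real ones.

-- Backends. A server created without a pool lands in the default (unnamed)
-- pool. `source` fixes the address dnsdist uses towards that backend.
newServer({address="192.0.2.10", name="rns00", source="192.0.2.2", useProxyProtocol=true})
newServer({address="192.0.2.11", name="rns01", source="192.0.2.2", pool={"backup"}, useProxyProtocol=true})
newServer({address="192.0.2.20", name="ipa0",  source="192.0.2.2", pool={"auth"}})
newServer({address="192.0.2.21", name="ipa1",  source="192.0.2.2", pool={"auth"}})

-- Rules run in order; the first one whose action stops processing wins.

-- 1. Drop queries carrying an X-Proxied-For style record (type 65280)
--    in the additional section (same rule as the original post).
addAction(RecordsTypeCountRule(DNSSection.Additional, 65280, 1, 65535), DropAction())

-- 2. Refuse zone transfers and NOTIFY from clients.
addAction(OrRule({OpcodeRule(DNSOpcode.Notify),
                  QTypeRule(DNSQType.AXFR),
                  QTypeRule(DNSQType.IXFR)}),
          RCodeAction(DNSRCode.REFUSED))

-- 3. Most specific routing first: dynamic UPDATEs go to the IPA servers.
--    Placed before the catch-all so it is actually reachable.
addAction(OpcodeRule(DNSOpcode.Update), PoolAction("auth"))

-- 4. Everything else: default pool while it has a usable server ...
addAction(PoolAvailableRule(""), PoolAction(""))

-- 5. ... otherwise the backup recursor.
addAction(AllRule(), PoolAction("backup"))
```

With this order, A queries can only reach an "auth" backend if they arrive as UPDATE opcodes, so a query for a.root-servers.net seen at an IPA server with a source address dnsdist is not bound to is worth checking against the dnsdist host's own stub resolver (/etc/resolv.conf) and the recursors' forwarding configuration before attributing it to dnsdist.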
