[Pdns-users] Recursive Weirdness (Was: 2.9.4 -> 2.9.8 breakage)
Damian Gerow
damian at sentex.net
Wed Jul 30 16:38:06 UTC 2003
Thus spake Damian Gerow (damian at sentex.net) [09/06/03 13:40]:
> I have recursion enabled in pdns, using an external recurser. I allow
> recursion from two networks. If I do a recursive lookup from a host outside
> of these two networks, it fails, *unless* the address is in the pdns cache,
> then it reports back happily.
>
> Can anyone at least confirm that they are seeing the same behaviour / not
> seeing the same behaviour?
Okay, I have successfully shown that this is not the same behaviour as in
2.9.10 (I just updated yesterday).
To recap:
I have a PowerDNS server that supports recursive queries, using a dnscache
installation (from djbdns) on an RFC1918 network to do the lookups.
If I did a lookup from external, from a host that is /not/ in my
allow_recursion statement, it did not work *only* if the address was not
already in the cache. If the desired record was *in* the cache, pdns would
have returned it happily.
Until yesterday.
Now, to make things even *more* complicated, it looks like if I try a
recursive lookup from external, I can no longer do a recursive lookup from
internal for the same record. However, external lookups for cached addresses
are treated properly at this point (ignored).
To explain visually...
From pdns.conf:
#################################
# allow-recursion List of netmasks that are allowed to recurse
#
allow-recursion=127.0.0.0/8,172.16.0.0/24,10.9.22.0/24
I do a query from a host /not/ in those networks:
% hostname
granite.sentex.ca
% host -t a granite.sentex.ca
granite.sentex.ca has address 199.212.134.1
% host www.microsoft.com 64.7.134.90
Using domain server 64.7.134.90:
Host not found, try again.
%
Then a query from a host that /is/ in those networks:
% hostname
pandora.afflictions.org
% host -t a pandora.afflictions.org
pandora.afflictions.org has address 10.9.22.21
% host www.microsoft.com 10.9.22.8
Using domain server 10.9.22.8:
Host not found, try again.
%
(Where 10.9.22.8 is one of the RFC1918 interfaces on the same machine as
64.7.134.90.)
Then I stop and start pdns on the server, and try again:
% host www.microsoft.com 10.9.22.8
Using domain server 10.9.22.8:
www.microsoft.com is a nickname for www.microsoft.akadns.net
www.microsoft.akadns.net has address 207.46.249.190
www.microsoft.akadns.net has address 207.46.134.155
www.microsoft.akadns.net has address 207.46.134.222
www.microsoft.akadns.net has address 207.46.249.222
www.microsoft.akadns.net has address 207.46.134.190
%
Am I *completely* cracked? Is my pdns installation so messed up that
someone can effectively (and easily) DoS any recursive functionality I may
want? Or is this in all 2.9.10 installations?
Here are the appropriate log entries:
Jul 30 12:31:57 ns pdns[76112]: Not authoritative for 'microsoft.com', sending servfail to 199.212.134.1 (recursion was desired)
Jul 30 12:31:57 ns last message repeated 2 times
Jul 30 12:31:57 ns pdns[76112]: Not authoritative for 'microsoft.com.sentex.net', sending servfail to 199.212.134.1 (recursion was desired)
Jul 30 12:31:58 ns pdns[76112]: Not authoritative for 'microsoft.com.sentex.net', sending servfail to 199.212.134.1 (recursion was desired)
Jul 30 12:31:58 ns pdns[76112]: Not authoritative for 'microsoft.com.sentex.net', sending servfail to 199.212.134.1 (recursion was desired)
Jul 30 12:31:58 ns pdns[76112]: Not authoritative for 'microsoft.com.sentex.ca', sending servfail to 199.212.134.1 (recursion was desired)
And yes, this is completely reproducible at will.
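As an added illustration (not part of the original post or of PowerDNS itself), a small Python script that parses the "Not authoritative ... sending servfail" log lines quoted above and reports which refused recursive queries came from addresses outside the allow-recursion netmasks; the sample log is constructed from the post's excerpt plus one made-up line from an internal client:

```python
import ipaddress
import re
from collections import Counter

# allow-recursion value exactly as quoted from pdns.conf in the post
ALLOW_RECURSION = "127.0.0.0/8,172.16.0.0/24,10.9.22.0/24"

# Matches the pdns syslog lines quoted in the post (prefix, then message).
LOG_RE = re.compile(
    r"pdns\[\d+\]: Not authoritative for '(?P<qname>[^']+)', "
    r"sending servfail to (?P<src>[\d.]+) \(recursion was desired\)"
)

def parse_allow_recursion(value):
    """Turn the comma-separated allow-recursion setting into network objects."""
    return [ipaddress.ip_network(n.strip()) for n in value.split(",") if n.strip()]

def recursion_refusals(lines, allow_recursion=ALLOW_RECURSION):
    """Return (src, qname) pairs for refused recursive queries whose source
    address lies outside every allow-recursion netmask. Syslog's
    'last message repeated N times' lines carry no address and are skipped."""
    nets = parse_allow_recursion(allow_recursion)
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src = ipaddress.ip_address(m.group("src"))
        if not any(src in net for net in nets):
            hits.append((str(src), m.group("qname")))
    return hits

def summarize(hits):
    """Count refused queries per outside source address."""
    return Counter(src for src, _ in hits)

# Constructed sample: two lines from the post's log excerpt plus one
# hypothetical line from a client inside 10.9.22.0/24 (should be ignored).
SAMPLE_LOG = """\
Jul 30 12:31:57 ns pdns[76112]: Not authoritative for 'microsoft.com', sending servfail to 199.212.134.1 (recursion was desired)
Jul 30 12:31:57 ns last message repeated 2 times
Jul 30 12:31:58 ns pdns[76112]: Not authoritative for 'microsoft.com.sentex.ca', sending servfail to 199.212.134.1 (recursion was desired)
Jul 30 12:31:59 ns pdns[76112]: Not authoritative for 'example.net', sending servfail to 10.9.22.21 (recursion was desired)
"""

if __name__ == "__main__":
    found = recursion_refusals(SAMPLE_LOG.splitlines())
    for src, qname in found:
        print(f"outside allow-recursion: {src} asked for {qname}")
    print(dict(summarize(found)))
```

The names ending in .sentex.net and .sentex.ca in the log are the external client's resolver search-list suffixes being appended to the query, not separate lookups by the user.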