[Pdns-users] CNAME record to an external domain

Marko Kobal marko.kobal at arctur.si
Tue Sep 4 19:37:54 UTC 2007 

Hi,

bert hubert pravi:
> On Tue, Sep 04, 2007 at 06:47:05PM +0200, Marko Kobal wrote:
>> However, I do have another question. If I want such a domain to be 
>> resolvable (like www.urad.si CNAME urad.blogspot.com) I need to open 
>> (allow) my recursor for the whole world. Would it not be better to 
> 
> No, that is not needed. Resolvers will follow the CNAME chain regardless.

Hmmm ...


In recursor.conf:

allow-from=127.0.0.1

In pdns.conf:

allow-recursion=127.0.0.1, 193.77.181.76

- 193.77.181.76 is the public IP of the DNS server we are talking about
- urad.si is hosted on 193.77.181.76
- www.urad.si CNAME urad.blogspot.com
- urad.blogspot.com is an external domain

+++

Now, exec "nslookup www.urad.si dns1.arctur.si" on 193.77.124.79 host:

---
nslookup www.urad.si dns1.arctur.si
Server:         dns1.arctur.si
Address:        193.77.181.76#53

** server can't find www.urad.si: SERVFAIL
---

... from log:
Not authoritative for 'urad.blogspot.com', sending servfail to 193.77.124.79 (recursion was desired)

Now, exec "nslookup www.urad.si dns1.arctur.si" on the DNS server itself (193.77.181.76):

---
nslookup www.urad.si dns1.arctur.si
Server:         dns1.arctur.si
Address:        193.77.181.76#53

Non-authoritative answer:
www.urad.si     canonical name = urad.blogspot.com.
urad.blogspot.com       canonical name = blogspot.l.google.com.
Name:   blogspot.l.google.com
Address: 72.14.207.191
---

+++

So I can limit recursor to not be available for external servers as an service (this I have already done by putting it on the 5300 port and closing into the firewall), but can NOT limit the PDNS to only "internaly" recurse? Am I right or not?

What I want to do is that urad.blogspot.com would NOT be directly resolvable from the whole world through my DNS server, that is:

nslookup urad.blogspot.com dns1.arctur.si
Server:         dns1.arctur.si
Address:        193.77.181.76#53

** server can't find urad.blogspot.com: SERVFAIL

--> OK

But I want that www.urad.si woudl be resolvable ... Are we understanding each other here? Is this possible to achieve or not?


-- 
Kind regards, Marko Kobal.

More information about the Pdns-users mailing list