[Pdns-users] allow-recursion-override for 'fake' domain causes problem delegating fake subdomain
John Morris
jman at ablesky.com
Fri Oct 10 06:19:52 UTC 2008
Brendan,
> Let's see if I understand this correctly. Your internal DNS servers
> are hosting a zone for which they are not really the authoritative
> servers. You have a recursor on some IP, possibly localhost, set in
> your pdns.conf.
>
Correct. The recursor is on localhost:5353, and pdns.conf declares
"recursor=127.0.0.1:5353".
> In other words, for those records not listed on your internal servers,
> it was passing to the recursor instead of returning NXDOMAIN. When
> recursion became impossible, queries for non-existent records were
> then subject to timeouts, making everything wait. OK.
>
Correct.
> So your PDNS server is hosting somedomain.com, and you were using the
> recursor to direct queries to testnetwork.somedomain.com to another
> nameserver on the test network?
>
Exactly.
>> What is the best way to fix this problem? I don't see any flag like
>> 'allow-recursion-override-exceptions', and I suspect that
>> the fault lies in my design for our DNS system. Is there a simple
>> configuration change that will fix this problem? Or should I rethink our
>> design?
>>
>
> What you need is one or more NS records for the subdomain in the
> somedomain zone, and corresponding glue records:
>
> testnetwork IN NS ns1.testnetwork.somedomain.com.
> ns1.testnetwork.somedomain.com. IN A 10.3.2.1
>
So, the internal pdns has the NS and glue records for the
test.somedomain.com network, and lookups behave as follows.

Without allow-recursion-override, queries resolve as follows on the
internal ns:
Recursive queries for foo.test.somedomain.com aren't found, and so are
forwarded to pdns-recursor, which knows
"forward-zones=test.somedomain.com=192.168.200.3". That ns serves the
test.somedomain.com + reverse zones. With allow-recursion-override, the
needed answer is produced, but causes the above-stated problem
(non-existent foo.somedomain.com is recursed to the Internet
authoritative servers, causing timeouts and waits when the WAN link is
disconnected). FYI, non-recursive queries for foo.test.somedomain.com
return NS + glue records for the test.somedomain.com subdomain.

With allow-recursion-override, queries resolve as follows:
Recursive queries for foo.test.somedomain.com aren't found in the
internal nameserver, and fail. (Non-recursive queries produce the same
behavior as without allow-recursion-override.)
What is the recommended setup in this case? An alternate configuration
would be to put the recursor in front of the pdns (and turn off
recursion in pdns), and indeed we used to do this, but our rapidly
changing network causes inconvenience when the recursor caches old
information about the local zones, even when TTLs are as short as 5
minutes. A third possibility would be to put the test.somedomain.com
zones in the internal network's pdns (and turn off forward-zones in the
recursor), which would require additional configuration to replicate the
LDAP backend from the test network (which is treated as a DMZ).
Thanks, Brendan, for your thoughtful reply.
John
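As an added illustration (not from the thread or the PowerDNS project), here is one way to lay out the "recursor in front of pdns" design John mentions as his alternate configuration, using the recursor address and forward-zones target quoted in the thread. The authoritative server's port 5300, the resolver's listen address 10.0.0.53, the allow-from networks and the reverse zone name are assumed values; max-cache-ttl and max-negative-ttl are real recursor settings but require a recursor version that supports them.

```ini
# --- pdns.conf (authoritative server, reachable only from the recursor) ---
local-address=127.0.0.1
local-port=5300                    # assumed port; any free internal port works
# No "recursor=" line and no allow-recursion-override: the authoritative
# server never forwards anything, so a name that is missing from
# somedomain.com is answered with a plain NXDOMAIN instead of waiting on
# an Internet lookup over a possibly disconnected WAN link.

# --- recursor.conf (the address clients actually query) ---
local-address=10.0.0.53            # assumed internal resolver address
allow-from=10.0.0.0/8, 192.168.0.0/16   # assumed client networks
# Longest-matching zone wins: somedomain.com goes to the local pdns,
# test.somedomain.com (and its reverse zone, name assumed from the
# 192.168.200.0/24 address in the thread) goes straight to the test
# network's nameserver, so no delegation via allow-recursion-override is
# needed and the recursor only contacts the Internet for other names.
forward-zones=somedomain.com=127.0.0.1:5300, test.somedomain.com=192.168.200.3, 200.168.192.in-addr.arpa=192.168.200.3
# Cap positive and negative caching to limit the stale-answer window the
# thread complains about on a rapidly changing network.
max-cache-ttl=300
max-negative-ttl=60
```

Check the split with a non-recursive query against 127.0.0.1 port 5300 (it should return NXDOMAIN for a bogus name under somedomain.com without delay) and a recursive query against 10.0.0.53 for a host in test.somedomain.com (it should be answered from 192.168.200.3).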