[Pdns-users] "recursion not available" for authoritative domain, but recursion for everything else works?

Tony Maro tonymaro at gmail.com
Sun Feb 22 18:30:09 UTC 2009


Here's what I've done...

I've set up two PowerDNS authoritative servers using an LDAP replicated
backend, serving an internal Intranet DNS (outside on the Internet is
domain.com, inside is inside.domain.com for example)

I installed the recursor server on each of the authoritative pdns machines,
answering to port 54.  I pointed the authoritative servers to recursor=
127.0.0.1:54   Each recursor has "local-address=127.0.0.1" and
"local-port=54"

The primary server is 192.168.1.4, and the secondary server (running off the
ldap replication server) is 192.168.1.251

Unfortunately I also have a legacy Windows Active Directory domain that I'm
in the process of phasing out.  I've configured the Windows 2003 AD DNS
server to use 192.168.1.4 and 192.168.1.251 for all recursion, since I can't
wholesale replace the Windows DNS until those workstations are migrated
away.

Here's how my DNS lookups progress:
Linux workstation -> PDNS Authoritative for internal.domain.com -> PDNS
recursor
Windows workstation -> AD Domain server DNS for internal.someother.com ->
PDNS Authoritative for internal.domain.com -> PDNS recursor  (temporary
hack)
This allows the Windows workstations to query their required A/D server and
still get answers on the second internal domain names - the Linux stations
really could care less about the Windows DNS names.  All external recursion
is handled by pdns-recursor.

Both pdns servers are configured identically, just pointed to their own
machine for the ldap backend.

From one particular machine on the network, sometimes it will get a response
of:

$ nslookup firewall.inside.domain.com
;; Got recursion not available from 192.168.1.4, trying next server
Server:   192.168.1.251
Address: 192.168.1.251#53

Name:   firewall.inside.domain.com
Address:   192.168.1.1

When this happens, *any machine asking for what SHOULD be an authoritative
answer from 192.168.1.4 will not resolve*, BUT what's weird is that any
address not known to my domain is being answered from the recursor on
192.168.1.4:54 - which is only reachable from the authoritative server at
192.168.1.4:53 - which just reported recursion not available... ?

So why would the authoritative server not be answering in an authoritative
way for its own domain?

What's even more strange is this:

$ nslookup firewall.inside.domain.com
;; Got recursion not available from 192.168.1.4, trying next server
Server:        192.168.1.251
Address:    192.168.1.251#53

Name:    thinfire.inside.domain.com
Address: 192.168.1.1

$ nslookup firewall.inside.domain.com 192.168.1.4
Server:        192.168.1.4
Address:    192.168.1.4#53

Name:    firewall.inside.domain.com
Address: 192.168.1.1

And to convolute it even more...
If I restart the pdns authoritative server on 192.168.1.4 it will resolve
names fine for a while even through the Windows server recursing to it - but
sooner or later it will end up failing lookups again.  The "Got recursion
not available" error goes away after the restart, for a while.


More details:
Primary PowerDNS server is Ubuntu 8.10.  Backup server is Ubuntu 8.04.
Both authoritative servers have:

daemon=yes
disable-axfr=yes
guardian=yes
lazy-recursion=yes
local-address=0.0.0.0
local-port=53
recursor=127.0.0.1:54

Both recursors have:

local-address=127.0.0.1
local-port=54

Neither server is logging anything interesting in syslog.

The windows server is authoritative for a separate
internal.anotherdomain.com (which is being phased out) so I can't just
eliminate it right now.

If I can't get this solved I'll have to go back to bind9 without the LDAP
backend.



-- 
Tony Maro
http://www.ossramblings.com/
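The ";; Got recursion not available" line that nslookup prints is decided purely from the header flags of the reply: the client sent RD=1 and the answer came back with RA=0 and without the AA bit. The decoder below, an added example that is not part of the original post and not PowerDNS code, builds the same A query nslookup sends, parses a reply header, and classifies it so the three cases in the post (authoritative answer, non-authoritative reply with RA clear, recursive answer) can be told apart without guessing. The sample replies are constructed inline; the classification in diagnose() is this example's own approximation of what dig/nslookup do, not a transcription of their source. The optional probe() helper is the only part that touches the network and is the one you would point at 192.168.1.4 and 192.168.1.251 while the fault is occurring; with local-address=0.0.0.0 and recursor= set on an authoritative server, it is also worth confirming that allow-recursion is restricted to the internal subnets, since the default allows any client to recurse through it.

```python
"""Decode DNS reply headers to explain "recursion not available".

Added example (not from the original post). Flag layout follows RFC 1035
section 4.1.1; the sample replies below are constructed, not captured.
"""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, txn_id: int = 0x1234, rd: bool = True) -> bytes:
    """Build a minimal IN A query for `name`; RD=1 is what nslookup sends."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txn_id, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def parse_header(msg: bytes) -> dict:
    """Return the 12-byte DNS header of `msg` as a dict of named fields."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txn_id,
        "qr": bool(flags & 0x8000),        # 1 = response
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & 0x0400),        # authoritative answer
        "tc": bool(flags & 0x0200),        # truncated
        "rd": bool(flags & 0x0100),        # recursion desired (echoed from query)
        "ra": bool(flags & 0x0080),        # recursion available
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def diagnose(hdr: dict) -> str:
    """Classify a reply the way a stub resolver would treat it.

    An authoritative server is allowed to answer its own zones with RA=0,
    so AA=1 is always a usable answer. AA=0 together with RA=0 is the case
    nslookup reports as "recursion not available" and moves on from.
    """
    if not hdr["qr"]:
        return "not a response"
    if hdr["rcode"] != 0:
        return f"rcode {hdr['rcode']} ({RCODES.get(hdr['rcode'], 'other')})"
    if hdr["aa"]:
        return "authoritative answer"
    if hdr["rd"] and not hdr["ra"]:
        return "recursion not available"
    if hdr["ra"]:
        return "recursive answer"
    return "non-authoritative, recursion not requested"


def sample_reply(flags: int) -> bytes:
    """Constructed 12-byte reply header with the given flag word (no RRs)."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)


def probe(server: str, name: str, port: int = 53, timeout: float = 2.0) -> str:
    """Send one UDP query and classify the reply; needs network access."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, port))
        data, _ = s.recvfrom(4096)
    return diagnose(parse_header(data))


if __name__ == "__main__":
    # Constructed flag words: QR|AA|RD, QR|RD, QR|RD|RA, QR|RD|RA + SERVFAIL
    for flags in (0x8500, 0x8100, 0x8180, 0x8182):
        print(f"flags=0x{flags:04x}: {diagnose(parse_header(sample_reply(flags)))}")
```

Run it while the fault is present with probe("192.168.1.4", "firewall.inside.domain.com") and again against 192.168.1.251: a result of "recursion not available" from the primary for a name it hosts means the authoritative side answered without AA, which is a different failure from a timeout or SERVFAIL out of the recursor on port 54.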