[Pdns-users] Recursor / pdns installation help

Patrick Coffin patrick at islandtechnologies.net
Tue Dec 21 20:09:57 UTC 2010 

Leen,

Thanks for the reply.  We are hosting 1000's of dns records so entering them in the forwards is not at option.

I will take your advise to split the pdns and recursor to separate servers.

Should I expect that if I move the pdns to a separate server that the looks up will work correctly with the information I have given?  I would move pdns back to port 53 and keep it connected to mysql for lookups.

I would like it to be setup that recursor queries the pdns server and database if we are authoritative for the domain. Otherwise recursor should looks to the authoritative server for the answer.

Is there another resource that I can reference for this setup?  I believe I am just missing one or two pieces to get it working properly.

I appreciate the help!

Thanks,
Patrick


On Dec 21, 2010, at 1:01 AM, pdns-users-request at mailman.powerdns.com wrote:

> Message: 4
> Date: Tue, 21 Dec 2010 10:01:55 +0100
> From: Leen Besselink <leen at consolejunkie.net>
> Subject: Re: [Pdns-users] Recursor / pdns installation help
> To: pdns-users at mailman.powerdns.com
> Message-ID: <4D106D03.2050605 at consolejunkie.net>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> On 12/21/2010 03:03 AM, Patrick Coffin wrote:
>> Hi,
>> 
>> This is the first time posting to this board. If I am posting to the
>> wrong list, sorry, and please advise where I should post this request
>> for assistance.
>> 
>> We are setting up a new installation of pdns and recursor.
>> 
>> We have been running pdns for a couple years without issue. I am
>> attempting to implement recursor and pdns to avoid a potential DOS
>> attack and pass security compliance, which under the current version I
>> am running will not pass.
>> 
>> Currently we have 3 servers running pdns 2.9.22 in a Centos 5.5
>> environment. Each with their own mysql slave db. Al l works great
>> except for the DOS issue.
>> 
>> I setup a new testing server with pdns 2.9.21 and recursor 3.3 also a
>> Centos 5.5 box and I now pass security compliance, but am not getting
>> the expected responses on DNS queries.
>> 
>> I setup recursor to respond on port 53 and pdns to respond on 5300.
>> 
>> recursor.conf entries
>> # forward-zones=
>> forward-zones=x.x.x.x:5300
> 
> Hi,
> 
> I'm not quiet sure what you are trying to do, but I think forward-zones
> needs 1 or more domainnames:
> 
> http://doc.powerdns.com/built-in-recursor.html#RECURSOR-SETTINGS
> 
> If it is just a few (or just the important) domains, that would work. If
> it is an ever changing 1000's. Then this is not what you are looking for.
> 
> If security is your concern, it is normally not recommended to mix your
> recursor with your authoritive nameserver on the same IP-address anyway.
> So I suggest you don't.
> 
> But if you really want to, you can have pdns check the database first
> before trying to resolve the request recursively, in that case you swap
> them around (pdns on port 53 and pdns-recursor on port 5300) and use
> these setting:
> 
> recursor=
> allow-recursion=
> 
> http://doc.powerdns.com/all-settings.html
> 
> Hope that helps.
> 
> Have a nice day,
> Leen.
> 
>> local-port=53
>> 
>> pdns.conf entries
>> local-address=x.x.x.x
>> local-port=5300
>> 
>> If I query on a domain using dig I get the following error.  "dig
>> mytestdomain.com <http://mytestdomain.com>  @ns5
>> 
>> ------------------
>> ; <<>> DiG 9.6.0-APPLE-P2 <<>> mytestdomain.com
>> <http://mytestdomain.com> @ns5
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18559
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>> 
>> ;; QUESTION SECTION:
>> ; mytestdomain.com <http://mytestdomain.com>.INA
>> 
>> ;; Query time: 6 msec
>> ;; SERVER: 209.3.87.44#53(209.3.87.44)
>> ;; WHEN: Mon Dec 20 17:55:34 2010
>> ;; MSG SIZE  rcvd: 28
>> ------------------
>> 
>> logs output - 
>> Dec 20 17:43:25 xx pdns_recursor[9187]: [3] mytestdomain.com
>> <http://mytestdomain.com>.: Resolved 'mytestdomain.com.' NS
>> ns5.mydomain. to: xx.xx.xx.xx
>> Dec 20 17:43:25 xx pdns_recursor[9187]: [3] mytestdomain.com
>> <http://mytestdomain.com>.: Trying IP xx.xx.xx.xx:53, asking
>> 'mytestdomain.com.|A'
>> Dec 20 17:43:25 xx pdns_recursor[9187]: 0 question answered from
>> packet cache from xx.xx.xx.xx
>> Dec 20 17:43:25 xx pdns_recursor[9187]: [3] mytestdomain.com
>> <http://mytestdomain.com>.: Got 0 answers from ns5.mydomain.net.
>> (xx.xx.xx.xx), rcode=0, in 3ms
>> Dec 20 17:43:25 xx pdns_recursor[9187]: [3] mytestdomain.com
>> <http://mytestdomain.com>.: determining status after receiving this packet
>> Dec 20 17:43:25 xx pdns_recursor[9187]: [3] mytestdomain.com
>> <http://mytestdomain.com>.: status=noerror, other types may exist, but
>> we are done 
>> Dec 20 17:43:25 xx pdns_recursor[9187]: [3] mytestdomain.com
>> <http://mytestdomain.com>.: Starting additional processing
>> Dec 20 17:43:25 xx pdns_recursor[9187]: [3] mytestdomain.com
>> <http://mytestdomain.com>.: Done with additional processing
>> Dec 20 17:43:25 xx pdns_recursor[9187]: 0 [3] answer to question
>> 'mytestdomain.com.|A': 0 answers, 0 additional, took 6 packets, 0
>> throttled, 0 timeouts, 0 tcp connections, rcode=0
>> Dec 20 17:43:59 xx pdns_recursor[9187]: 1 question answered from
>> packet cache from xx.xx.xx.xx
>> 
>> It looks as if it is trying the local dns server on 53, but it is not
>> getting a reply.  Also I do not see any queries hitting the database.
>> 
>> If any additional information is needed, LMK
>> 
>> Any help would be appreciated.
>> 
>> Thanks,
>> 
>> Patrick
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20101221/180882ff/attachment-0001.html>

More information about the Pdns-users mailing list