[Pdns-users] Resolving an external CNAME

Craig Box craig.box at gmail.com
Wed Jul 14 20:00:32 UTC 2010

To follow up and provide the answer for those who seek it in future, for
reasons I still can't entirely find the source for (you might have to dust
off your RFCs), the advice is don't run an authoritative name server, and a
resolver, on the same port.

You can do something like this:

pdns-recursor on port 53
pdns-server on port 530 (the advice I was given was to run this on a
different IP as well as a different port, for "hygiene" reasons)

On the recursor, use the 'forward-zone' directive:


(I also received a lot of advice not to use .local.  I inherited this, and
can't easily change the domain without changing a lot of legacy
applications, but I agree completely.  I'm a fan of .tla and cried a little
when they introduced .info as it was four characters long.  Don't get me
started on .museum!)

pdns-recursor can actually serve simple zones itself with the 'auth-zone'
directive, but doesn't support a SQL backend.

Also, if you're running on EC2, you need to resolve amazonaws.com with the
EC2 virtual name server IP,  Instead of forwarding all other
requests to this IP, I am just forwarding that one zone, which requires


This requires pdns-recursor 3.2 or higher.

Hope this helps someone!


On Mon, Jul 12, 2010 at 3:14 PM, Craig Box <craig.box at gmail.com> wrote:

> Hi,
> I realise this issue has been covered on the list, but (a) a couple of
> years ago, and (b) with slightly different symptoms.
> On Amazon EC2, I have a PowerDNS server [1] set up for an example.local
> domain.  I also have recursion enabled and set to the EC2 "virtual
> nameserver",  For simplicity's sake, this all runs on the same
> port.
> Everything works as expected - example.local names resolve from the gmysql
> backend, and other names are passed on to Amazon for resolution.  (You need
> to use the EC2 name server to resolve .amazonaws.com addresses to their
> RFC1918 addresses - if you resolve externally, you get the public IP which
> NATs to your machine.)
> Anyway, I have added a machine database.xyzzy.eu-west-1.rds.amazonaws.com,
> which is a multi-AZ deployment (60 second TTL for failover to a second
> server if the first is unreachable).  I have set up a record for
> data.example.local which is a cname to this address, but querying it gives
> me an NXDOMAIN (/not/ a SERVFAIL).
> I have seen mention that you need to have a '.' suffix for records pointing
> to external names, but this doesn't seem to make a difference.
> Can what I want to do here, be done?  From what I can piece together, all I
> should have had to do is enable recursion (which was enabled anyway).
> Regards
> Craig
> [1] Version 2.9.22-3 from Ubuntu 10.04.
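The split described in the follow-up above (recursor on port 53, authoritative server on a separate address and port 530, and the recursor forwarding only the zones it does not own), written out as an added example configuration. This is not configuration from the original post or from the PowerDNS project; the listener addresses and the EC2 resolver address are placeholders chosen here, and only the port number 530, the example.local zone, the amazonaws.com zone and the gmysql backend come from the thread.

```ini
# /etc/powerdns/recursor.conf  (added example; addresses are placeholders)
# The recursor is the only thing clients talk to, so it owns port 53.
local-address=10.0.0.5
local-port=53
# Forward only the zones the recursor does not resolve itself:
#   example.local  -> the local authoritative pdns-server on its private port
#   amazonaws.com  -> the EC2 resolver, so RDS names come back as RFC1918 addresses
# Replace 169.254.0.1 with the EC2 resolver address for your VPC/region (placeholder).
forward-zones=example.local=127.0.0.1:530, amazonaws.com=169.254.0.1
# Everything else is resolved normally from the root servers.

# /etc/powerdns/pdns.conf  (added example)
# The authoritative server is moved off port 53 and bound to loopback only,
# so that no client (and nothing outside the host) queries it directly.
local-address=127.0.0.1
local-port=530
launch=gmysql
# Do not set "recursor=" here: recursion is the recursor's job, not the
# authoritative server's. Mixing the two on one port is what caused the
# NXDOMAIN for the CNAME in the original question.
```

After restarting both daemons, a query for data.example.local sent to 10.0.0.5 port 53 should return the CNAME from the gmysql backend together with the A record the recursor fetched for the amazonaws.com target; a query sent directly to port 530 should return only the CNAME, which is the expected behaviour for an authoritative server and a quick way to confirm the two roles are actually separated. Because port 530 is bound to 127.0.0.1, the authoritative server is unreachable from other hosts, which is the "hygiene" point in the follow-up. Note that `forward-zones` sends plain (non-recursive) queries to the listed servers; newer recursor releases also offer `forward-zones-recurse` for upstreams that are themselves recursive resolvers, so check which your version supports.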