[Pdns-users] Recursor sends SERVFAIL instead of REFUSED

Stefan Schmidt zaphodb at zaphods.net
Thu Apr 26 15:33:42 UTC 2012


On Thu, Apr 26, 2012 at 4:19 PM, Tibor Benke <ihrwein at gmail.com> wrote:
> Hi Peter,

Hi Tibor,

> I have an authoritative server with version 2.9.22 and a recursor with
> 3.2. These run on Debian squeeze. I have a network and the hosts of
> this network have public IP addresses. I would like to run the
> recursive and the authoritative server on the same host. Currently the
> authoritative server is in front of the recursor. The authoritative
> listens on the port 53 and if the request is not authoritative for the
> query it passes it to the recursor that listens on [::1]:10053 and
> 127.0.0.1:10053.
>
> I would like to enable the recursion only on my network, meanwhile the
> whole world should reach the authoritative server.

As all queries that are being proxied from the authoritative Server to
the recursive Server on 127.0.0.1 or ::1 are coming from localhost you
will only need to enable recursive queries from 127.0.0.1/32 and
::1/128 in your recursor.conf, however there is another setting that
enables you to limit recursive queries to your authoritative server.
-> http://doc.powerdns.com/all-settings.html
allow-recursion=...
By specifying allow-recursion, recursion can be restricted to netmasks
specified. The default is to allow recursion from everywhere. Example:
allow-recursion=192.168.0.0/24, 10.0.0.0/8, 1.2.3.4.

You may also want to set
lazy-recursion=...
On by default as of 2.1. Checks local data first before recursing.
in your pdns.conf.

Is this about the setup that is giving you server failure responses
instead of the refused answer you would like to see?
I fear there is not much to be done about this one then as I think
this is hardcoded in the authoritative server.

 Stefan
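
Added example, not part of Stefan's message and not PowerDNS code: a small audit that reads pdns.conf-style text and reports whether a client address would be offered recursion under the allow-recursion setting quoted above. The netmask matching is a simplified model, and the sample configurations and addresses (documentation ranges) are constructed.

```python
import ipaddress

# Constructed sample configs. The first relies on the default the documentation
# quoted above describes: recursion allowed from everywhere.
OPEN_CONF = """
recursor=127.0.0.1:10053
lazy-recursion=yes
"""
RESTRICTED_CONF = """
recursor=127.0.0.1:10053
lazy-recursion=yes
allow-recursion=192.0.2.0/24, 2001:db8::/32, 127.0.0.1   # own network only
"""

def parse_conf(text):
    """Parse key=value lines, ignoring blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def recursion_acl(conf):
    """Return the allow-recursion networks, or None if the setting is absent."""
    raw = conf.get("allow-recursion")
    if raw is None:
        return None
    # A bare address such as 127.0.0.1 becomes a /32 (or /128) network.
    return [ipaddress.ip_network(m.strip(), strict=False)
            for m in raw.split(",") if m.strip()]

def may_recurse(conf, client):
    """True if this model would hand a query from `client` to the recursor."""
    if "recursor" not in conf:
        return False            # nothing is proxied without a backend recursor
    acl = recursion_acl(conf)
    if acl is None:
        return True             # default: recursion from everywhere
    addr = ipaddress.ip_address(client)
    return any(addr in net for net in acl)

if __name__ == "__main__":
    for name, text in (("open", OPEN_CONF), ("restricted", RESTRICTED_CONF)):
        conf = parse_conf(text)
        for client in ("192.0.2.55", "2001:db8::1", "203.0.113.7"):
            print(name, client, "recursion" if may_recurse(conf, client) else "no recursion")
```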


