[Pdns-users] Why is pdns searching for NS records at the sub-domain level?

chayes chayes at afo.net
Wed Sep 4 14:19:15 UTC 2013


More details as requested:

I am currently running both of the following on the same server running
Scientific Linux 6.4:
PowerDNS Authoritative Server 3.3
PowerDNS recursor 3.5.2
I have an empty hint file because I want all requests to fail except for
what I have in the pdns database.

pdns.conf has the defaults with these mods:
launch=gmysql
gmysql-host=127.0.0.1
gmysql-user=pdns
gmysql-dbname=pdns
gmysql-password=xxxxxx
log-dns-details=yes
log-failed-updates=yes
logging-facility=0
loglevel=9
query-logging=yes
recursor=127.0.0.1:54
master=yes
max-tcp-connections=100

recursor.conf has the defaults with these mods:
etc-hosts-file=/scripts/pdns.hosts
hint-file=/scripts/pdns.hint
local-port=54
logging-facility=0
lua-dns-script=/scripts/pdns.lua
trace=on

pdns.lua looks like this (translateQtype removed for brevity):
function preresolve ( remoteip, domain, qtype )
    pdnslog("debug1")
    pdnslog("preresolve debug remoteip: ["..remoteip.."] local address: ["..getlocaladdress().."] type: ["..translateQtype(qtype).."]")
    return -1, {}    -- -1: do not intervene, continue normal resolution
end

function nxdomain ( ip, destination, domain, qtype )
    pdnslog("debug2")
    return -1, {}
end

function nodata ( remoteip, domain, qtype, records )
    pdnslog("debug3")
    return -1, {}
end

function postresolve ( remoteip, domain, qtype, records, origrcode )
    pdnslog("debug4")
    pdnslog("postresolve debug remoteip: ["..remoteip.."] getlocaladdress: ["..getlocaladdress().."] domain: ["..domain.."] type: ["..translateQtype(qtype).."] origrcode: ["..origrcode.."]")
    return -1, {}
end

function prequery ( dnspacket )
    pdnslog("debug5")
    return -1, {}
end

domains table contents:
mysql> select * from domains;
+----+---------+--------+------------+--------+-----------------+---------+
| id | name    | master | last_check | type   | notified_serial | account |
+----+---------+--------+------------+--------+-----------------+---------+
|  1 | cnn.com | NULL   |       NULL | NATIVE |            NULL | NULL    |
+----+---------+--------+------------+--------+-----------------+---------+

records table contents:
+----+-----------+---------+------+-------------------------------+-------+------+-------------+
| id | domain_id | name    | type | content                       | ttl   | prio | change_date |
+----+-----------+---------+------+-------------------------------+-------+------+-------------+
|  1 |         1 | cnn.com | SOA  | localhost dnsadm at afo.net 1 | 86400 | NULL |        NULL |
|  2 |         1 | cnn.com | NS   | ns1.timewarner.net            | 86400 | NULL |        NULL |
|  3 |         1 | cnn.com | NS   | ns3.timewarner.net            | 86400 | NULL |        NULL |
|  4 |         1 | cnn.com | NS   | ns1.p42.dynect.net            | 86400 | NULL |        NULL |
|  5 |         1 | cnn.com | NS   | ns2.p42.dynect.net            | 86400 | NULL |        NULL |
|  6 |         1 | cnn.com | A    | 157.166.226.25                | 86400 | NULL |        NULL |
|  7 |         1 | cnn.com | A    | 157.166.226.26                | 86400 | NULL |        NULL |
+----+-----------+---------+------+-------------------------------+-------+------+-------------+


The pdns.hosts and pdns.hint files are blank on purpose because I am trying
to build a whitelist DNS.
My two problems are:
a) wildcards don't work, so I can't whitelist domains ... I would have to
have a record for every subdomain (see logs below)
b) I can't get nxdomain to work.  I only see debug1 and debug4 in the logs
... nxdomain is not running for some reason.  I'm assuming I need to put
something in nxdomain to redirect users to a block page for domains that are
not whitelisted.

Logs show NS lookup occurring at the subdomain level instead of domain level
(I realize other domains would have to be added in order to get cnn to work
... this is just for illustration):

Sep  3 14:23:40 volon pdns[1520]: Query: select
content,ttl,prio,type,domain_id,name from records where type='SOA' and
name='www.cnn.com'
Sep  3 14:23:40 volon pdns[1520]: Query: select
content,ttl,prio,type,domain_id,name from records where type='SOA' and
name='cnn.com'
Sep  3 14:23:40 volon pdns[1520]: Query: select
content,ttl,prio,type,domain_id,name from records where type='NS' and
name='www.cnn.com' and domain_id=1
Sep  3 14:23:40 volon pdns[1520]: Query: select
content,ttl,prio,type,domain_id,name from records where name='www.cnn.com'
and domain_id=1
Sep  3 14:23:40 volon pdns[1520]: Query: select
content,ttl,prio,type,domain_id,name from records where name='*.cnn.com' and
domain_id=1




--
View this message in context: http://powerdns.13854.n7.nabble.com/Why-is-pdns-searching-for-NS-records-at-the-sub-domain-level-tp10313p10317.html
Sent from the PowerDNS mailing list archive at Nabble.com.
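The following is an added example, not code from the original post or from the PowerDNS project. It shows the allowlist decision taken in the recursor's preresolve hook, written against the PowerDNS Recursor 3.x Lua API the post uses (domain arrives as a string with a trailing dot; the hook returns -1 to continue normal resolution, 0 for NOERROR with the records given, 3 for NXDOMAIN). The nxdomain hook only runs when an upstream answer comes back with rcode 3, so with an empty hint file it has nothing to react to; deciding in preresolve avoids that dependency. The allowlist entries, the block page address 192.0.2.1 and the helper names are assumptions for illustration.

```lua
-- Added example (not from the original post or the PowerDNS project):
-- allowlist enforcement in the PowerDNS Recursor 3.x preresolve hook.
-- Assumed: ALLOW entries, BLOCKPAGE address, and the standalone stubs below.

local standalone = (pdns == nil)
if standalone then
  -- Minimal stand-ins so the file also runs under plain lua for testing.
  pdns = { A = 1, AAAA = 28 }
  function pdnslog(msg) io.stderr:write(msg, "\n") end
end

local BLOCKPAGE = "192.0.2.1"                                  -- assumed block page
local ALLOW = { "cnn.com", "timewarner.net", "dynect.net" }     -- assumed allowlist

-- Normalise a name: lowercase, strip the trailing dot the recursor passes in.
local function canon(name)
  name = string.lower(name)
  if string.sub(name, -1) == "." then name = string.sub(name, 1, -2) end
  return name
end

-- True if qname equals an allowlisted zone or sits below it on a label
-- boundary: "www.cnn.com" matches "cnn.com", "notcnn.com" does not.
function allowed(qname)
  local name = canon(qname)
  for _, zone in ipairs(ALLOW) do
    zone = canon(zone)
    if name == zone or string.sub(name, -(#zone + 1)) == "." .. zone then
      return true
    end
  end
  return false
end

function preresolve(remoteip, domain, qtype)
  if allowed(domain) then
    return -1, {}   -- allowlisted: let the recursor resolve it normally
  end
  pdnslog("blocked " .. domain .. " from " .. remoteip)
  if qtype == pdns.A then
    -- Hand out the block page so browsers land on an explanation.
    return 0, { { qname = domain, qtype = pdns.A, content = BLOCKPAGE, ttl = 60 } }
  end
  -- Any other type: NOERROR with no records (NODATA).  Returning NXDOMAIN
  -- here would contradict the A answer above, since NXDOMAIN asserts the
  -- name does not exist at all.
  return 0, {}
end

if standalone then
  -- Self-check when run as "lua allowlist.lua" outside the recursor.
  local rc, recs = preresolve("10.0.0.5", "www.cnn.com.", pdns.A)
  assert(rc == -1 and #recs == 0)
  rc, recs = preresolve("10.0.0.5", "notcnn.com.", pdns.A)
  assert(rc == 0 and recs[1].content == BLOCKPAGE)
  rc, recs = preresolve("10.0.0.5", "evil.example.", pdns.AAAA)
  assert(rc == 0 and #recs == 0)
  print("allowlist self-test passed")
end
```

Point lua-dns-script at this file and the recursor will answer non-allowlisted A queries with the block page and everything else it does not allow with NODATA. Two caveats worth keeping in mind: the suffix match is on label boundaries on purpose, since a plain substring test would let "notcnn.com" ride on "cnn.com"; and a resolver allowlist only governs clients that actually use this resolver, so it needs egress filtering of port 53 (and of encrypted-DNS endpoints) alongside it, or clients simply ask another server.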