[Pdns-users] Why is pdns searching for NS records at the sub-domain level?

John Miller johnmill at brandeis.edu
Thu Sep 5 07:13:21 UTC 2013


Hi Cliff,

If you haven't already got things worked out, mind if I take a step back
and make sure I understand the problem you're trying to solve?

Am I correct that you're looking for your DNS server to only answer queries
(successfully, anyhow) for records that are in your database?  And you want
everything else to return NXDOMAIN?  REFUSED?  Something else?

John



On Tue, Sep 3, 2013 at 3:30 PM, Cliff Hayes <chayes at afo.net> wrote:

> More details as requested:
>
> I am currently running both of the following on the same server running
> Scientific Linux 6.4:
> PowerDNS Authoritative Server 3.3
> PowerDNS recursor 3.5.2
> I have an empty hint file because I want all requests to fail except for
> what I have in the pdns database.
>
> pdns.conf has the defaults with these mods:
> launch=gmysql
> gmysql-host=127.0.0.1
> gmysql-user=pdns
> gmysql-dbname=pdns
> gmysql-password=xxxxxx
> log-dns-details=yes
> log-failed-updates=yes
> logging-facility=0
> loglevel=9
> query-logging=yes
> recursor=127.0.0.1:54
> master=yes
> max-tcp-connections=100
>
> recursor.conf has the defaults with these mods:
> etc-hosts-file=/scripts/pdns.hosts
> hint-file=/scripts/pdns.hint
> local-port=54
> logging-facility=0
> lua-dns-script=/scripts/pdns.lua
> trace=on
>
> pdns.lua looks like this (translateQtype removed for brevity):
> function preresolve ( remoteip, domain, qtype )
>   pdnslog("debug1")
>   pdnslog("preresolve debug remoteip: ["..remoteip.."] local address: ["..getlocaladdress().."] type: ["..translateQtype(qtype).."]")
>   return -1, {}
> end
>
> function nxdomain ( ip, destination, domain, qtype )
>   pdnslog("debug2")
>   return -1, {}
> end
>
> function nodata ( remoteip, domain, qtype, records )
>   pdnslog("debug3")
>   return -1, {}
> end
>
> function postresolve ( remoteip, domain, qtype, records, origrcode )
>   pdnslog("debug4")
>   pdnslog("postresolve debug remoteip: ["..remoteip.."] getlocaladdress: ["..getlocaladdress().."] domain: ["..domain.."] type: ["..translateQtype(qtype).."] origrcode: ["..origrcode.."]")
>   return -1, {}
> end
>
> function prequery ( dnspacket )
>   pdnslog("debug5")
>   return -1, {}
> end
>
> domains table contents:
> mysql> select * from domains;
> +----+---------+--------+------------+--------+-----------------+---------+
> | id | name    | master | last_check | type   | notified_serial | account |
> +----+---------+--------+------------+--------+-----------------+---------+
> |  1 | cnn.com | NULL   |       NULL | NATIVE |            NULL | NULL    |
> +----+---------+--------+------------+--------+-----------------+---------+
>
> records table contents:
> +----+-----------+---------+------+-------------------------------+-------+------+-------------+
> | id | domain_id | name    | type | content                       | ttl   | prio | change_date |
> +----+-----------+---------+------+-------------------------------+-------+------+-------------+
> |  1 |         1 | cnn.com | SOA  | localhost dnsadm at xxx.yyy 1 | 86400 | NULL |        NULL |
> |  2 |         1 | cnn.com | NS   | ns1.xxx.yyy                   | 86400 | NULL |        NULL |
> |  3 |         1 | cnn.com | NS   | ns2.xxx.yyy                   | 86400 | NULL |        NULL |
> |  4 |         1 | cnn.com | A    | ww.xx.yy.zz                   |   120 | NULL |        NULL |
> +----+-----------+---------+------+-------------------------------+-------+------+-------------+
>
>
> The pdns.hosts and pdns.hint files are blank on purpose because I am
> trying to build a whitelist dns.
> My two problems are:
> a) wildcard doesn't work so I can't whitelist domains ... I would have to
> have a record for every subdomain (see logs below)
> b) I can't get nxdomain to work.  I only see debug1 and debug4 in the logs
> ... nxdomain is not running for some reason.  I'm assuming I need to put
> something in nxdomain to redirect users to a block page for domains that
> are not whitelisted.
>
> Logs show NS lookup occurring at the subdomain level instead of domain
> level (I realize other domains would have to be added in order to get cnn
> to work ... this is just for illustration):
>
> Sep  3 14:23:40 volon pdns[1520]: Query: select content,ttl,prio,type,domain_id,name from records where type='SOA' and name='www.cnn.com'
> Sep  3 14:23:40 volon pdns[1520]: Query: select content,ttl,prio,type,domain_id,name from records where type='SOA' and name='cnn.com'
> Sep  3 14:23:40 volon pdns[1520]: Query: select content,ttl,prio,type,domain_id,name from records where type='NS' and name='www.cnn.com' and domain_id=1
> Sep  3 14:23:40 volon pdns[1520]: Query: select content,ttl,prio,type,domain_id,name from records where name='www.cnn.com' and domain_id=1
> Sep  3 14:23:40 volon pdns[1520]: Query: select content,ttl,prio,type,domain_id,name from records where name='*.cnn.com' and domain_id=1
>
>
>
> On 9/3/2013 1:02 PM, John Miller wrote:
>
>> On 09/03/2013 01:56 PM, chayes wrote:
>>
>>> I am trying to get wildcard working.
>>> I notice that pdns is querying the database looking for NS records at the
>>> subdomain level, which I did not expect.
>>> I have only seen NS records exist at the domain level and that is how our
>>> DNS server is set up.
>>> This behavior is preventing me from being able to implement wildcard
>>> subdomain.
>>> How can I get pdns to look for A records at the subdomain level, and
>>> everything else at the domain level?
>>>
>>
>> Could you please post some examples of what's going on here, as well as
>> your configuration?
>>
>> John
>>
>>
>>
>


-- 
John Miller
Systems Engineer
Brandeis University
johnmill at brandeis.edu
(781) 736-4619
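The subject-line question, as an added example that is not part of the thread or of PowerDNS itself: a small Python model of the lookup order the gmysql query log shows (SOA walk-up, an NS check at the queried name for a delegation, exact name, then wildcard), run over a constructed copy of Cliff's records table with its placeholder hosts. It also covers the delegation case the log does not show, since a wildcard never matches a name below a zone cut, which is why the NS lookup at the subdomain comes before the wildcard lookup.

```python
# Added example, not PowerDNS code: an in-memory model of the authoritative
# lookup order visible in the gmysql query log above. The table is constructed
# from the thread's records table; hosts and the A address are its placeholders.
RECORDS = [
    {"domain_id": 1, "name": "cnn.com", "type": "SOA", "content": "localhost dnsadm.xxx.yyy 1"},
    {"domain_id": 1, "name": "cnn.com", "type": "NS", "content": "ns1.xxx.yyy"},
    {"domain_id": 1, "name": "cnn.com", "type": "NS", "content": "ns2.xxx.yyy"},
    {"domain_id": 1, "name": "cnn.com", "type": "A", "content": "ww.xx.yy.zz"},
]

def lookup(records, qname, qtype):
    """Return (rcode, answers, queries); queries lists each WHERE clause issued."""
    queries = []
    def select(**where):
        queries.append(" and ".join(f"{k}={v!r}" for k, v in where.items()))
        return [r for r in records if all(r[k] == v for k, v in where.items())]

    # 1. Find the enclosing zone: an SOA at qname, then at each parent in turn.
    labels = qname.split(".")
    for i in range(len(labels)):
        apex = ".".join(labels[i:])
        soa = select(type="SOA", name=apex)
        if soa:
            break
    else:
        return "REFUSED", [], queries  # no zone matches any suffix
    domain_id = soa[0]["domain_id"]

    # 2. Delegation check from qname up to (not including) the apex: NS records
    #    there mark a zone cut, and a wildcard never applies below a cut.
    for i in range(len(labels) - len(apex.split("."))):
        ns = select(type="NS", name=".".join(labels[i:]), domain_id=domain_id)
        if ns:
            return "REFERRAL", ns, queries

    # 3. Exact name; an existing name without the type is NODATA (empty answer).
    exact = select(name=qname, domain_id=domain_id)
    if exact:
        return "NOERROR", [r for r in exact if r["type"] == qtype], queries

    # 4. Wildcard: leftmost label replaced by '*', answers synthesised under qname.
    wild = select(name="*." + ".".join(labels[1:]), domain_id=domain_id)
    if wild:
        return "NOERROR", [dict(r, name=qname) for r in wild if r["type"] == qtype], queries
    return "NXDOMAIN", [], queries

if __name__ == "__main__":
    wildcard = {"domain_id": 1, "name": "*.cnn.com", "type": "A", "content": "ww.xx.yy.zz"}
    for table in (RECORDS, RECORDS + [wildcard]):
        rcode, answers, queries = lookup(table, "www.cnn.com", "A")
        print(rcode, answers, *("  where " + q for q in queries), sep="\n")
```

Run stand-alone, the first pass reproduces the five WHERE clauses from the log and ends in NXDOMAIN because the posted table holds no `*.cnn.com` row; the second pass, with that row added, answers www.cnn.com from the wildcard.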