[Pdns-users] Need a solution to use an resolver for external CNAME's

Brian Candler b.candler at pobox.com
Wed Sep 14 08:59:36 UTC 2016

On 14/09/2016 09:07, EDV-Techniker wrote:
> We want to use a nameserver for our domains only.

You mean, you want your own client devices to be able to resolve your names?

What do you want them to receive if they try to receive an external name 
- an NXDOMAIN as if the domain doesn't exist, or a SERVFAIL as if the 
external domain name's servers can't be reached?

> It can be done without configuring a resolver.

Do you mean, you have configured an authoritative server for your domain 
(mydomain.com) and are pointing your clients to it as their resolver?

> Works fine, but if we query e.g. an external CNAME whose A record doesn’t 
> exist in our database, then PowerDNS doesn’t resolve it.

I don't understand that.

Are you saying your server is authoritative for mydomain.com, then 
someone queries foo.mydomain.com which is a CNAME to bar.external.com, 
and the problem is that bar.external.com can't be resolved? That's what 
you wanted, isn't it?

Otherwise please explain what the scenario is, what behaviour you see, 
and what behaviour you want to see instead.

> Using a resolver does solve this problem. But now the DNS server is 
> open and frail for attacks.

People across the Internet use DNS all the time. It's not "frail for 
attacks" if configured properly. Can you explain specifically what 
issues you are trying to avoid? There may be a better solution.


