[Pdns-users] DiG: Hopefully Final Thoughts..

stancs3 scruise56 at gmail.com
Fri Feb 17 06:45:33 UTC 2017


Reverse doesn't work in this config, so I figure on giving up on
recursor.

An auth ns was my goal, so I am happy that pdns works forward and
reverse, and poweradmin makes it easy to manage.

I can either use my router's recursor, or perhaps set up a
pdns-recursor on a different VM to keep it clean. Wouldn't that be the
same/better than the router's?


That's it for now.

Thanks, if you read these emails.

Stan
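An added configuration example, not from this thread or from the PowerDNS project, showing the layout David suggests further down in the quoted reply: the recursor in front, answering clients, and forwarding only the internal zones (forward and reverse) to the authoritative server, which listens on port 5300 and does not set `recursor=`. The zone names, database credentials and addresses are assumptions; the setting names (`launch`, `local-address`, `local-port`, `allow-from`, `forward-zones`) are real PowerDNS settings.

```ini
# --- /etc/pdns/pdns.conf (authoritative server) ---
# Added example, not this thread's own config.
# The auth server listens only on loopback port 5300, is never reached
# directly by clients, and does NOT set recursor=...: it answers only
# for the zones it hosts, so "NS ." and +trace are not its job.
launch=gpgsql
gpgsql-host=127.0.0.1
# assumed database name, user and a placeholder password
gpgsql-dbname=pdns
gpgsql-user=pdns
gpgsql-password=CHANGE_ME
local-address=127.0.0.1
local-port=5300

# --- /etc/pdns-recursor/recursor.conf ---
# This is the address clients put in resolv.conf. The recursor resolves
# everything from the root hints it primes itself, except the internal
# zones, which it forwards to the auth server above.
# assumed LAN address of the VM (documentation range)
local-address=192.0.2.10
local-port=53
# only loopback and the LAN may query; keep the recursor closed to outsiders
allow-from=127.0.0.0/8, 192.0.2.0/24
# assumed internal forward zone plus its matching reverse zone, both sent to
# auth on port 5300 so that reverse lookups resolve through the same path
forward-zones=home.example=127.0.0.1:5300, 2.0.192.in-addr.arpa=127.0.0.1:5300
```

With this split, `dig @192.0.2.10 host.home.example A` travels recursor to auth, `dig @192.0.2.10 +trace host.home.example` gets an answer to its initial `NS .` query from the recursor's root hints, and `dig @192.0.2.10 -x 192.0.2.20` is served by the forwarded in-addr.arpa zone rather than being sent to the public reverse tree. The authoritative server never needs to resolve anything itself.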

On Thu, 2017-02-16 at 23:10 -0700, stancs3 wrote:
> OK, I managed to get DiG to respond with A records, but only by
> specifying the hostname in front of the domain name. This is OK, but
> when the servers were reversed, a simple DiG NS would return the NS
> records, *and* the A records.
> 
> Again not a showstopper unless it points to config still broken.
> 
> I won't send any more emails tonight unless I have a major breakthrough.
> 
> Stan
> 
> 
> On Thu, 2017-02-16 at 22:56 -0700, stancs3 wrote:
> > 
> > Well, I managed to reverse the servers, and get them working.
> > 
> > DiG now works for +trace.
> > 
> > The auth server also seems to be working.
> > 
> > One new quirk:
> > 
> > DiG to my domain NS sends back the NS records but not the A records,
> > whereas all records came back when the auth server was on top.
> > 
> > But the auth nameserver seems to still work, as I can ping at the
> > client level using the host name that is defined in the A record in
> > the auth server.
> > 
> > Not sure if this is pointing to another problem, or it is simply
> > working.
> > 
> > 
> > Stan
> > 
> > 
> > On Thu, 2017-02-16 at 21:40 -0700, stancs3 wrote:
> > > 
> > > 
> > > Thanks for the quick reply.
> > > 
> > > Yes, I did see this info at one point, and so I tried briefly to
> > > run the recursor in front on its own, but I have not got it working
> > > yet.
> > > 
> > > Also, I did try the auth pdns as a recursor itself as I figured it
> > > should work as an integrated server. But, I got the exact same
> > > results - i.e. zero response to +trace.
> > > 
> > >    -------------------------------------------------
> > > 
> > > Stepping back, is it not a doable config to have a private auth
> > > server, that hands off to a recursor, all internal, private?
> > > 
> > > If not, then at least I do need the auth server, so I can get
> > > basic name serving for my internal network.
> > > 
> > > Would I then simply send all my recursive queries to my router's
> > > dns, as is now the case? i.e. more nameservers listed in resolv.conf
> > > of clients.
> > > 
> > > Clearly neophyte questions re dns. Feel free to point me
> > > somewhere, but so far all 'tutorials' have led me here.
> > > 
> > > The frustrating part is that most comprehensive dns documentation
> > > is relative to BIND. I have been close to taking a break from pdns
> > > and start over with BIND to learn things better. But, then pdns
> > > begins to work so nicely it seems... :). I hope to hear back ...
> > > 
> > > 
> > > Stan
> > > 
> > > 
> > > 
> > > 
> > > 
> > > On Thu, 2017-02-16 at 21:04 -0700, David wrote:
> > > > 
> > > > 
> > > > 
> > > > On 2017-02-16 6:29 PM, stancs3 wrote:
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > I have seen this problem posted in various places over the
> > > > > years. It is not clear if it is a bug, a bad config, or just
> > > > > non-functional.
> > > > https://github.com/PowerDNS/pdns/issues/4353
> > > > 
> > > > In your case (auth pointing to recursor) is a fairly broken config
> > > > to begin with, so this may be unlikely for you to get working. In
> > > > order for auth to respond to "NS ." without recursion you'd have to
> > > > host the root zone on there.
> > > > 
> > > > Recursor in front and forwarding your internal zones to auth would
> > > > work (most) of the time unless your cache doesn't have the root
> > > > primed already.
> > > > 
> > > > > 
> > > > > My set up:
> > > > > 
> > > > > VM running Centos 7, up to date.
> > > > > pdns install using postgresql db.
> > > > > pdns-recursor install.
> > > > > 
> > > > > pdns is running as an authoritative ns, standalone, replicated
> > > > > via postgresql to a second VM, pretty much identical.
> > > > > 
> > > > > pdns is set with recursor=local-address:5300
> > > > > 
> > > > > pdns-recursor is set with local-address equal to pdns
> > > > > local-address above
> > > > > 
> > > > > pdns-recursor is set with local-port equal to pdns 5300
> > > > > above.
> > > > > 
> > > > > It all seems to work.
> > > > > 
> > > > > The authoritative nameserver is private, and is populated with
> > > > > a few records which work.
> > > > > 
> > > > > The recursor is being tested with DiG (and with typical
> > > > > surfing). I have verified that the VM has no other dns function
> > > > > working in parallel.
> > > > > 
> > > > > All DiG commands so far work with the exception of +trace.
> > > > > 
> > > > > I have logs running, and can easily see logs generated for DiG
> > > > > commands that work.
> > > > > 
> > > > > I have attached a console example. The logs and console
> > > > > indicate that the DiG command with +trace doesn't fail; it just
> > > > > doesn't even respond.
> > > > > 
> > > > > If I target the same DiG +trace command at my router's dnsmasq,
> > > > > it responds as expected with a whole bunch of trace info.
> > > > > 
> > > > > I have tried for days/hours with all variations I can think of
> > > > > and all manner of surfing for solutions. If there were failure
> > > > > logs it would help, but absolutely zero logs when the +trace
> > > > > command is issued to pdns.
> > > > > 
> > > > > I have also dumped my cache and it has many NS records.
> > > > > 
> > > > > I am tempted to simply ignore this and just use the thing as it
> > > > > seems to work. I only tried DiG +trace to see how it all
> > > > > works...
> > > > > 
> > > > > 
> > > > > 
> > > > > _______________________________________________
> > > > > Pdns-users mailing list
> > > > > Pdns-users at mailman.powerdns.com
> > > > > https://mailman.powerdns.com/mailman/listinfo/pdns-users
> > > > > 