[Pdns-users] [Fwd: Re: DiG: Hopefully Final Thoughts..]

stancs3 scruise56 at gmail.com
Mon Feb 20 00:38:57 UTC 2017


Sorry, meant to reply all...


-------- Forwarded Message --------
From: stancs3 <scruise56 at gmail.com>
To: Brian Candler <b.candler at pobox.com>
Subject: Re: [Pdns-users] DiG: Hopefully Final Thoughts..
Date: Sun, 19 Feb 2017 17:37:33 -0700

After a bunch of testing etc:

The reverse now works; like you indicated it's just another zone; once
I got that digested, I forwarded it from the recursor and it works.

I have attached the remaining thing I cannot resolve (no pun).

1. The test above the ===== line is:

Recursor listening on port 53, forwarding to auth server listening on
port 5300.

Dig of NS replies with no Additional section.
Dig of ns1 replies with the A record.



2. The test below the ===== line is:

No recursor, auth server listening on port 53.

Dig of NS replies with Additional section showing the A records for
both NSs.


Why does only a dig NS directly to the auth server show the NS A
records?

And/or is this expected behavior, and just be happy I got this far?

Stan


On Fri, 2017-02-17 at 08:15 +0000, Brian Candler wrote:
> On 17/02/2017 06:45, stancs3 wrote:
> > Reverse doesn't work in this config, so I figure on giving up on
> > recursor.
> What do you mean by "reverse doesn't work"? Can you give a specific
> example of what you did, what you saw, and what you expected to see?
>
> Reverse is just another domain (under in-addr.arpa), no different to
> any other.
> >
> > I can either use my router's recursor, or perhaps set up a
> > pdns-recursor on a different VM to keep it clean. Wouldn't that be the
> > same/better than the router's?
> Most routers' built-in DNS is pretty poor - little more than a caching
> forwarder to an upstream DNS (like dnsmasq), so having your own
> pdns-recursor is likely to be much better.
>
> If you want your authoritative DNS to be visible to the outside world
> for real delegation, then it needs to listen on port 53. If you want
> your recursive DNS to be usable by local clients, then it also needs to
> listen on port 53, since most clients can't be (easily) configured to
> send their DNS queries to a different port.
>
> So, to run both auth and recursive, you need to assign two IP addresses.
> Those can either be two different VMs (maximum separation), two
> different containers, or even two different IPs in the same machine,
> where the pdns-auth and pdns-recursor processes are configured to bind
> to (listen on) a different individual IP address.
>
> You could try fancy tricks with dnsdist in front, but personally I'd
> just go for the two VMs or two containers.
>
> Don't forget redundancy. For authoritative DNS you'll want another
> nameserver on a completely different backbone (see RFC2182). For client
> redundancy, two local recursors is what you want.
>
> HTH,
>
> Brian.
-------------- next part --------------


The following are digs to the recursor on port 53, which forwards to the auth server on port 5300:


buddy at place:~$ dig stuf.example.com @192.168.1.10

; <<>> DiG 9.10.3-P4-Ubuntu <<>> stuf.example.com @192.168.1.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48144
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;stuf.example.com.		IN	A

;; AUTHORITY SECTION:
stuf.example.com.	563	IN	SOA	ns1.stuf.example.com. hostmaster.stuf.example.com. 2017021901 28800 7200 604800 86400

;; Query time: 2 msec
;; SERVER: 192.168.1.10#53(192.168.1.10)
;; WHEN: Sun Feb 19 17:11:03 MST 2017
;; MSG SIZE  rcvd: 90

buddy at place:~$ dig ns stuf.example.com @192.168.1.10

; <<>> DiG 9.10.3-P4-Ubuntu <<>> ns stuf.example.com @192.168.1.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16983
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;stuf.example.com.		IN	NS

;; ANSWER SECTION:
stuf.example.com.	83385	IN	NS	ns1.stuf.example.com.
stuf.example.com.	83385	IN	NS	ns2.stuf.example.com.

;; Query time: 1 msec
;; SERVER: 192.168.1.10#53(192.168.1.10)
;; WHEN: Sun Feb 19 17:11:20 MST 2017
;; MSG SIZE  rcvd: 78

buddy at place:~$ dig ns1.stuf.example.com @192.168.1.10

; <<>> DiG 9.10.3-P4-Ubuntu <<>> ns1.stuf.example.com @192.168.1.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60273
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ns1.stuf.example.com.	IN	A

;; ANSWER SECTION:
ns1.stuf.example.com. 83358 IN	A	192.168.1.10

;; Query time: 3 msec
;; SERVER: 192.168.1.10#53(192.168.1.10)
;; WHEN: Sun Feb 19 17:11:47 MST 2017
;; MSG SIZE  rcvd: 59

buddy at place:~$ 


===========================================================================================

The following are digs directly to the same auth server as above, on port 53 (i.e. the recursor is not used):


buddy at place:~$ dig stuf.example.com @192.168.1.11

; <<>> DiG 9.10.3-P4-Ubuntu <<>> stuf.example.com @192.168.1.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53955
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;stuf.example.com.		IN	A

;; AUTHORITY SECTION:
stuf.example.com.	86400	IN	SOA	ns1.stuf.example.com. hostmaster.stuf.example.com. 2017021901 28800 7200 604800 86400

;; Query time: 3 msec
;; SERVER: 192.168.1.11#53(192.168.1.11)
;; WHEN: Sun Feb 19 17:12:49 MST 2017
;; MSG SIZE  rcvd: 101

buddy at place:~$ dig ns stuf.example.com @192.168.1.11

; <<>> DiG 9.10.3-P4-Ubuntu <<>> ns stuf.example.com @192.168.1.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9155
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;stuf.example.com.		IN	NS

;; ANSWER SECTION:
stuf.example.com.	86400	IN	NS	ns2.stuf.example.com.
stuf.example.com.	86400	IN	NS	ns1.stuf.example.com.

;; ADDITIONAL SECTION:
ns2.stuf.example.com. 86400 IN	A	192.168.1.11       << the A records,
ns1.stuf.example.com. 86400 IN	A	192.168.1.10       << not shown in test above =====

;; Query time: 4 msec
;; SERVER: 192.168.1.11#53(192.168.1.11)
;; WHEN: Sun Feb 19 17:12:59 MST 2017
;; MSG SIZE  rcvd: 121

buddy at place:~$ dig ns1.stuf.example.com @192.168.1.11

; <<>> DiG 9.10.3-P4-Ubuntu <<>> ns1.stuf.example.com @192.168.1.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51366
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;ns1.stuf.example.com.	IN	A

;; ANSWER SECTION:
ns1.stuf.example.com. 86400 IN	A	192.168.1.10

;; Query time: 3 msec
;; SERVER: 192.168.1.11#53(192.168.1.11)
;; WHEN: Sun Feb 19 17:13:16 MST 2017
;; MSG SIZE  rcvd: 70
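A small check, added here and not taken from the thread or from PowerDNS, that parses dig output like the attachment above and reports two things: which role the answering server claims from its flags (aa set means authoritative, ra set means a recursor), and which NS targets have no A record in the reply's Additional section. The two samples are constructed by trimming the thread's own dig output.

```python
import re

# Constructed samples, trimmed from the dig output in the attachment above.
# The recursor reply: ra set, no aa, ADDITIONAL empty.
RECURSOR_REPLY = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
stuf.example.com.\t83385\tIN\tNS\tns1.stuf.example.com.
stuf.example.com.\t83385\tIN\tNS\tns2.stuf.example.com.
"""
# The auth reply: aa set; the header's "ADDITIONAL: 3" counts the OPT
# pseudo-record too, but only the two A records are printed as a section.
AUTH_REPLY = """\
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3

;; ANSWER SECTION:
stuf.example.com.\t86400\tIN\tNS\tns2.stuf.example.com.
stuf.example.com.\t86400\tIN\tNS\tns1.stuf.example.com.

;; ADDITIONAL SECTION:
ns2.stuf.example.com. 86400 IN\tA\t192.168.1.11
ns1.stuf.example.com. 86400 IN\tA\t192.168.1.10
"""

FLAGS_RE = re.compile(r"^;; flags: ([^;]*);")
# owner  TTL  IN  TYPE  rdata (rdata may contain spaces, e.g. SOA)
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.+)$")

def parse_dig(text):
    """Return (flags, {section: [(owner, type, rdata), ...]}) from dig output."""
    flags, sections, current = set(), {}, None
    for line in text.splitlines():
        m = FLAGS_RE.match(line)
        if m:
            flags = set(m.group(1).split())
            continue
        if line.startswith(";; ") and line.endswith(" SECTION:"):
            current = line[3:-9]  # "ANSWER", "AUTHORITY", "ADDITIONAL", ...
            continue
        m = RR_RE.match(line)
        if m and current:
            sections.setdefault(current, []).append(m.groups())
    return flags, sections

def glue_report(text):
    """Name the server role and list NS targets lacking an A/AAAA record
    in the ADDITIONAL section of this reply."""
    flags, sections = parse_dig(text)
    role = "authoritative" if "aa" in flags else ("recursive" if "ra" in flags else "unknown")
    ns_targets = [rdata for _, rtype, rdata in sections.get("ANSWER", []) if rtype == "NS"]
    glued = {owner for owner, rtype, _ in sections.get("ADDITIONAL", []) if rtype in ("A", "AAAA")}
    return role, [ns for ns in ns_targets if ns not in glued]
```

A recursive resolver answers from its own cache and is not required to copy the name servers' addresses into the Additional section; the Additional records are only needed by a resolver following a delegation, which is why the separate ns1 lookup through the recursor still succeeds.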