[Pdns-users] PowerDNS and CNAMEs

Brian Candler b.candler at pobox.com
Fri Jul 21 14:48:01 UTC 2017 

On 21/07/2017 15:21, Rune Sørensen wrote:
> OK, dig outputs using the actual domain.
The server 10.255.0.3 that you are running dig against: is it running 
pdns-server (the authoritative server), or pdns-recursor?

If it's pdns-server, then I would not expect it to return any results 
for a domain other than those it's authoritative for. That's unless you 
have set the "recursor" option - have you done so?

https://doc.powerdns.com/md/authoritative/recursion/

If it's pdns-recursor, then it should always send queries to the 
authoritative nameservers listed in NS records for the domains in 
question (i.e. cloudflare in this case), unless you have configured 
forward-zones.

It seems to me that you are running the authoritative server.  The only 
oddball I can see is your case 3. Something, somewhere, is doing a 
recursive lookup to get the A records for bbc.co.uk.

I don't think it's cloudflare:

$ dig @alan.ns.cloudflare.com. test3.flcn.io. cname

; <<>> DiG 9.8.3-P1 <<>> @alan.ns.cloudflare.com. test3.flcn.io. cname
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10682
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;test3.flcn.io.            IN    CNAME

;; ANSWER SECTION:
test3.flcn.io.        300    IN    CNAME    bbc.co.uk.

;; Query time: 29 msec
;; SERVER: 2400:cb00:2049:1::adf5:3b39#53(2400:cb00:2049:1::adf5:3b39)
;; WHEN: Fri Jul 21 15:41:16 2017
;; MSG SIZE  rcvd: 54

$ dig @alan.ns.cloudflare.com. test3.flcn.io. a

; <<>> DiG 9.8.3-P1 <<>> @alan.ns.cloudflare.com. test3.flcn.io. a
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21446
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;test3.flcn.io.            IN    A

;; ANSWER SECTION:
test3.flcn.io.        300    IN    CNAME    bbc.co.uk.

;; Query time: 26 msec
;; SERVER: 2400:cb00:2049:1::adf5:3b39#53(2400:cb00:2049:1::adf5:3b39)
;; WHEN: Fri Jul 21 15:41:19 2017
;; MSG SIZE  rcvd: 54

So presumably it is at your side.  If you have recursion enabled in 
pdns-server, then I think you should move away from it - it has been 
removed in pdns-server 4.1.0 anyway.

Regards,

Brian.

More information about the Pdns-users mailing list