[Pdns-users] Replacing only certain records

Jack Rabbit b2fd80ea44ef7ca2ec6172a2df5b5d at gmail.com
Mon Jun 11 22:01:51 UTC 2018

I've asked in IRC but was instructed to ask here.

I'm interested (and trying to find an ideal way) to provide a recursor
which will selectively modify certain records, or "smart DNS".

Being that some may be unaware what "smart DNS" is, it's a colloquial term
for modifying certain strategic records so that instead of pointing
directly to the original/authentic resource (say, a webserver), the traffic
is pointed to a specific address that is internally controlled - usually a
reverse proxy to the "true" resource that performs some sort of
modification on the content being served not offered by the upstream/"true"

I can't provide an actual example from implementation, because:

1.) This is still in the architectural stage, and
2.) The specific records will change from site to site.

However, I can use an existing domain as an example enough for POC
purposes. Some IP addresses are, obviously, not actual (as they have yet to
be determined). Configurations have been provided matching these.

FIRST, two reverse HTTP proxies (for round-robining) are turned up at
address and For this example, we are assuming to be
performing some modifications on http://www.w3schools.com by removing all
javascript from the pages. The specifics for this content filtering proxy
are left out for brevity and because they aren't important to the DNS
component, but this is the model I'll use for example.


$ dig +short ns w3schools.com
$ dig +short soa w3schools.com
ns1.maximumasp.com. admin.maximumasp.com. 2005122568 7200 600 1209600 3600
$ host www.w3schools.com
www.w3schools.com is an alias for cs837.wac.edgecastcdn.net.
cs837.wac.edgecastcdn.net has address
$ host -t A w3schools.com
w3schools.com has address

Second, an authoritative server is set up at for the "overridden"
records using pdns-4.1.3 on CentOS 7 via repo.powerdns.com. The following
configuration is used:

[root at auth ~]# egrep -Ev '^[[:space:]]*(#|$)' /etc/pdns/pdns.conf

(NOTE: Not shown are log settings, as they're only currently set for

With the following records (apologies for display mangling):

[root at auth ~]# mysql -e "SELECT * FROM records" [REDACTED]
| id | domain_id | name              | type | content                                                                  | ttl  | prio | change_date | disabled | ordername | auth |
| 32 |         2 | w3schools.com     | SOA  | ns1.maximumasp.com admin.maximumasp.com 2005122570 7200 600 1209600 3600 | 3600 |    0 |        NULL |        0 | NULL      |    1 |
| 33 |         2 | www.w3schools.com | A    |                                                                          | 3600 |    0 |        NULL |        0 | NULL      |    1 |
| 34 |         2 | www.w3schools.com | A    |                                                                          | 3600 |    0 |        NULL |        0 | NULL      |    1 |
[root at auth ~]# mysql -e "SELECT * FROM domains" [REDACTED]
| id | name          | master | last_check | type   | notified_serial | account |
|  2 | w3schools.com |        |       NULL | NATIVE |            NULL |         |

Third, a recursor (pdns-recursor-4.1.3 on CentOS 7 via repo.powerdns.com)
is set up at and client machines would be configured to use this as
their resolver.

[root at resolver ~]# egrep -Ev '^[[:space:]]*(#|$)'

(NOTE: Not shown are very low TTL settings and log settings, as they're
only currently set for debugging)


I need to be able to query for www.w3schools.com and get a
round-robin reply of and instead of the CNAME record "
cs837.wac.edgecastcdn.net" (per above).

However, I need to *also* be able to query for, say, w3schools.com
(i.e. the "naked" domain) and have it return the response from the actual
authoritative nameservers (or, more accurately/ideally, the root
nameservers) (e.g. per above, Or any other domain (e.g.
google.com, etc.) and have it return the record as resolved by either or

When the SOA record above is disabled, the "naked" domain is returned fine
- *but* the record returned for www.w3schools.com is a CNAME to
cs837.wac.edgecastcdn.net (in other words, as it is "upstream").

Is there a way to have, say, the recursor query if returns
an NXDOMAIN for a record? Or the auth return a record from if it
doesn't find the record in its DB?
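The per-name override asked about above can be done inside pdns-recursor itself, with its Lua hook, instead of forwarding a whole zone to a separate authoritative server; an exact-name match means the "naked" w3schools.com and every other name still recurse normally. This is an added example by the editor, not code from the poster or from the PowerDNS project. The script path, the 192.0.2.x proxy addresses (the real ones did not survive in the archive) and the TTL are assumptions.

```lua
-- Added example (not from the original post): pdns-recursor 4.x Lua hook
-- that rewrites only the A records of www.w3schools.com and lets every
-- other name, including w3schools.com itself, go to normal recursion.
--
-- Enable with  lua-dns-script=/etc/pdns-recursor/override.lua  in
-- recursor.conf (path is an assumption). The 192.0.2.x addresses are
-- constructed placeholders for the two reverse proxies.

-- Names to rewrite, keyed by lower-case qname without the trailing dot.
-- All listed addresses are returned in one answer so clients can spread
-- load over both proxies.
local overrides = {
  ["www.w3schools.com"] = { "192.0.2.10", "192.0.2.11" },
}

local OVERRIDE_TTL = 60   -- short TTL so removing the override takes effect quickly

-- preresolve runs before the recursor performs any lookup for a query.
-- Returning true means "use the answer built here"; returning false hands
-- the query to ordinary recursion, so unlisted names are untouched.
function preresolve(dq)
  local qname = dq.qname:toStringNoDot():lower()
  local addrs = overrides[qname]
  if addrs == nil then
    return false          -- not ours: w3schools.com, google.com, ... recurse upstream
  end

  if dq.qtype == pdns.A then
    for _, ip in ipairs(addrs) do
      dq:addAnswer(pdns.A, ip, OVERRIDE_TTL)
    end
    dq.rcode = pdns.NOERROR
    dq.variable = true    -- keep the synthesised answer out of the packet cache
    pdnslog("override " .. qname .. " -> proxy addresses", pdns.loglevels.Info)
    return true
  end

  -- For other types (AAAA, CNAME, ...) answer with an empty NOERROR rather
  -- than recursing: the upstream CNAME or an AAAA record would otherwise
  -- let dual-stack clients reach the CDN directly and bypass the proxies.
  dq.rcode = pdns.NOERROR
  return true
end
```

With this in place the authoritative server and the forward-zone entry from the post are no longer needed for the override, which removes the SOA conflict described above. The same hook is what operators use to sinkhole or block known-bad names on their own recursor, so the logging line is worth keeping: it gives a clear audit trail of which queries were answered locally.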