[Pdns-users] Replacing only certain records

Jack Rabbit b2fd80ea44ef7ca2ec6172a2df5b5d at gmail.com
Mon Jun 11 22:01:51 UTC 2018


I've asked in IRC but was instructed to ask here.

I'm interested (and trying to find an ideal way) to provide a recursor
which will selectively modify certain records, or "smart DNS".

Since some may be unaware of what "smart DNS" is, it's a colloquial term
for modifying certain strategic records so that instead of pointing
directly to the original/authentic resource (say, a webserver), the traffic
is pointed to a specific address that is internally controlled - usually a
reverse proxy to the "true" resource that performs some sort of
modification on the content being served not offered by the upstream/"true"
resource.

I can't provide an actual example from implementation, because:

1.) This is still in the architectural stage, and
2.) The specific records will change from site to site.

However, I can use an existing domain as an example sufficient for POC
purposes. Some IP addresses are, obviously, not actual (as they have yet to
be determined). Configurations have been provided matching these.

FIRST, two reverse HTTP proxies (for round-robining) are turned up at
address 1.2.3.4 and 4.3.2.1. For this example, we are assuming to be
performing some modifications on http://www.w3schools.com by removing all
JavaScript from the pages. The specifics for this content filtering proxy
are left out for brevity and because they aren't important to the DNS
component, but this is the model I'll use for example.

Authoritatively:

$ dig +short ns w3schools.com
ns2.maximumasp.com.
ns1.maximumasp.com.
$ dig +short soa w3schools.com
ns1.maximumasp.com. admin.maximumasp.com. 2005122568 7200 600 1209600 3600
$ host www.w3schools.com
www.w3schools.com is an alias for cs837.wac.edgecastcdn.net.
cs837.wac.edgecastcdn.net has address 192.229.173.207
$ host -t A w3schools.com
w3schools.com has address 66.29.212.110

Second, an authoritative server is set up at 1.1.1.1 for the "overridden"
records using pdns-4.1.3 on CentOS 7 via repo.powerdns.com. The following
configuration is used:

[root@auth ~]# egrep -Ev '^[[:space:]]*(#|$)' /etc/pdns/pdns.conf
daemon=no
dnsupdate=yes
guardian=no
launch=gmysql
gmysql-host=localhost
gmysql-user=[REDACTED]
gmysql-dbname=[REDACTED]
gmysql-password=[REDACTED]
local-address-nonexist-fail=no
resolver=8.8.8.8
setgid=pdns
setuid=pdns
version-string=anonymous

(NOTE: Not shown are log settings, as they're only currently set for
debugging)

With the following records (apologies for display mangling):

[root@auth ~]# mysql -e "SELECT * FROM records" [REDACTED]
+----+-----------+-------------------+------+--------------------------------------------------------------------------+------+------+-------------+----------+-----------+------+
| id | domain_id | name              | type | content                                                                  | ttl  | prio | change_date | disabled | ordername | auth |
+----+-----------+-------------------+------+--------------------------------------------------------------------------+------+------+-------------+----------+-----------+------+
| 32 |         2 | w3schools.com     | SOA  | ns1.maximumasp.com admin.maximumasp.com 2005122570 7200 600 1209600 3600 | 3600 |    0 |        NULL |        0 | NULL      |    1 |
| 33 |         2 | www.w3schools.com | A    | 1.2.3.4                                                                  | 3600 |    0 |        NULL |        0 | NULL      |    1 |
| 34 |         2 | www.w3schools.com | A    | 4.3.2.1                                                                  | 3600 |    0 |        NULL |        0 | NULL      |    1 |
+----+-----------+-------------------+------+--------------------------------------------------------------------------+------+------+-------------+----------+-----------+------+
[root@auth ~]# mysql -e "SELECT * FROM domains" [REDACTED]
+----+---------------+--------+------------+--------+-----------------+---------+
| id | name          | master | last_check | type   | notified_serial | account |
+----+---------------+--------+------------+--------+-----------------+---------+
|  2 | w3schools.com |        |       NULL | NATIVE |            NULL |         |
+----+---------------+--------+------------+--------+-----------------+---------+


Third, a recursor (pdns-recursor-4.1.3 on CentOS 7 via repo.powerdns.com)
is set up at 1.1.1.2 and client machines would be configured to use this as
their resolver.
Configuration:

[root@resolver ~]# egrep -Ev '^[[:space:]]*(#|$)' /etc/pdns-recursor/recursor.conf
setuid=pdns-recursor
setgid=pdns-recursor
disable-packetcache=yes
forward-zones=.=1.1.1.1;8.8.8.8
local-address=0.0.0.0

(NOTE: Not shown are very low TTL settings and log settings, as they're
only currently set for debugging)


THE TL;DR:

I need to be able to query 1.1.1.2 for www.w3schools.com and get a
round-robin reply of 1.2.3.4 and 4.3.2.1 instead of the CNAME record
"cs837.wac.edgecastcdn.net" (per above).

However, I need to *also* be able to query 1.1.1.2 for, say, w3schools.com
(i.e. the "naked" domain) and have it return the response from the actual
authoritative nameservers (or, more accurately/ideally, the root
nameservers) (e.g. per above, 66.29.212.110). Or any other domain (e.g.
google.com, etc.) and have it return the record as resolved by either
1.1.1.1 or 1.1.1.2.

When the SOA record above is disabled, the "naked" domain is returned fine
- *but* the record returned for www.w3schools.com is a CNAME to
cs837.wac.edgecastcdn.net (in other words, as it is "upstream").

Is there a way to have, say, the recursor query 8.8.8.8 if 1.1.1.1 returns
an NXDOMAIN for a record? Or the auth return a record from 8.8.8.8 if it
doesn't find the record in its DB?
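Added example (not part of the post above, and not the poster's configuration): the mechanism PowerDNS Recursor provides for exactly this kind of per-record override is its Lua hook, loaded with the recursor setting lua-dns-script. A preresolve() function runs before the recursor does any lookup; when it returns true the answer it built is served, and when it returns false the query resolves normally (via the roots, or via forward-zones if configured). With this in place the separate authoritative server at 1.1.1.1 and the forward-zones=.=1.1.1.1;8.8.8.8 line are not needed for the override, which removes the NXDOMAIN fall-through problem the post describes. The file path, the overrides table and the 60-second TTL below are assumptions chosen for the example; the names and proxy addresses (www.w3schools.com, 1.2.3.4, 4.3.2.1) are the placeholders from the post.

```lua
-- /etc/pdns-recursor/override.lua   (hypothetical path, added example)
-- Enable in recursor.conf with:
--   lua-dns-script=/etc/pdns-recursor/override.lua
--
-- Owner names to override, each with the list of reverse-proxy
-- addresses that replace the upstream answer.  Addresses are the
-- placeholder proxies from the post, not real hosts.
local overrides = {
  ["www.w3schools.com"] = { "1.2.3.4", "4.3.2.1" },
}

-- TTL handed to clients for overridden answers (assumed value).
local OVERRIDE_TTL = 60

math.randomseed(os.time())

-- Return the address list rotated by a random offset, so successive
-- answers lead with a different proxy (round-robin that does not depend
-- on the recursor's cache, since overridden answers are marked variable).
local function rotated(addrs)
  local n = #addrs
  local start = math.random(n)
  local out = {}
  for i = 0, n - 1 do
    out[#out + 1] = addrs[((start - 1 + i) % n) + 1]
  end
  return out
end

-- Called by the recursor for every incoming query before resolution.
-- dq.qname is a DNSName, dq.qtype the numeric query type.
function preresolve(dq)
  for name, addrs in pairs(overrides) do
    -- DNSName:equal() compares case-insensitively, as DNS requires.
    if dq.qname:equal(name) then
      dq.variable = true            -- never cache: order changes per query
      dq.rcode = 0                  -- 0 = NOERROR
      if dq.qtype == pdns.A then
        for _, a in ipairs(rotated(addrs)) do
          dq:addAnswer(pdns.A, a, OVERRIDE_TTL)
        end
      end
      -- Every other type (AAAA, CNAME, ...) for an overridden name gets an
      -- empty NOERROR answer.  Passing AAAA through would let a dual-stack
      -- client reach the CDN directly over IPv6 and bypass the proxy, and
      -- passing CNAME through would leak the upstream edgecastcdn target.
      return true
    end
  end
  return false                      -- not overridden: resolve normally
end
```

Only the names in the table are affected; w3schools.com (the "naked" domain), google.com and everything else return false from the hook and are resolved by the recursor as usual, which is the behaviour the post asks for. Two practitioner caveats: the override only holds for clients that actually send their queries to 1.1.1.2, so anything with a hard-coded resolver or DNS-over-HTTPS goes straight to the real CDN; and the redirect works for plain http as in the post's example, while for https the proxy would additionally need to present a certificate the client accepts.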