[Pdns-users] Recursor to Respond Authoritatively for all Queries
Brian Candler
b.candler at pobox.com
Wed Oct 17 08:02:47 UTC 2018
On 17/10/2018 10:43, Asanka Gunasekara wrote:
> The issue I currently have is that when I test the records via
> intodns.com or some other DNS check servers they report back saying
> lame servers.
>
> Under recursor.conf, I have the following two lines basically
> forwarding all queries to the authoritative server.
> forward-zones=.=127.0.0.1:5300
> forward-zones-recurse=.=127.0.0.1:5300
>
> Is there a way to configure the recursor to answer authoritatively for
> all queries? Say for example via Lua script with setAA() function perhaps?
No - I'm afraid you can't do it this way. Your authoritative server
must be bound to port 53 if it's accepting queries from the outside world.
You options are:
1. Run your recursor and authoritative server bound to two different IP
addresses (or in separate VMs or containers with their own IPs)
or
2. Don't list your authoritative server in the NS records, and instead
use it as a "hidden primary". That is, you have two or more additional
nameservers on public IPs, which are listed in NS records, and they get
their zone content from the hidden primary (either by a zone transfer
from x.x.x.x:5300, or by database replication)
Final note: please don't use forward-zones to forward all queries to an
authoritative server, since it's not authoritative for the whole
Internet. You should rarely need forward-zones at all: as long as the
NS records for your domain point to your authoritative servers, the
recursor will find them by itself. Forward-zones are normally used for
private domains which can't be delegated (e.g. localhost,
168.192.in-addr.arpa)
HTH,
Brian.
More information about the Pdns-users
mailing list