[Pdns-users] recursor - pdns authoritative and axfr problem
b.candler at pobox.com
Tue Sep 25 07:35:08 UTC 2018
On 25/09/2018 08:12, Bernd Krueger-Knauber wrote:
> In general it is working: I can query own domains and foreign ones.
> But ...
Presumably through the recursor??
> If I querry the pdns directly (localhost 5300) with dig, I get the AA flag.
> If I querry via the recursor from 'outside' I don't get it.
Note that open recursors are routinely discovered and exploited for DoS
attacks. So if your recursor is open to the public Internet, you need
to ensure that it only answers recursive queries from trusted IP ranges.
(This is easy to test: from outside, "dig @x.x.x.x google.com. a". You
should get a REFUSED response. If you get a real answer, you are
> Ok, auth-zones. But I can not provide them manually, because I don't
> know when someone adds a new zone via web.
If you are following a guide which suggests putting recursor in front of
auth, this would have been a workaround for people migrating from a
setup with a mixed authoritative + recursive server (e.g. default BIND
config). However, best practice is that you separate them completely:
that's why PowerDNS now comes as separate authoritative and recursive
Therefore, you should simply put the authoritative server on one IP
address (accessible to the Internet), and the recursor on a different IP
address, both listening on port 53. You can either bind the two
processes to two different IP addresses on the same host, or put them in
different VMs or containers.
The NS records for your authoritative domains then point to your
authoritative servers - your local one plus your off-site secondaries.
(You do have off-site secondaries don't you? See RFC 2182). And
everything Just Works™. All the recursors who query your authoritative
domains will get the AA flag, since they're querying an authoritative
Another approach is to treat your internal authoritative server as a
"hidden primary". You build two or more auth servers on the public
Internet, and list them in NS records, but *don't* list your hidden
primary. These servers then replicate their mysql databases from the
one in your auth server.
More information about the Pdns-users