[Pdns-users] recursor - pdns authoritative and axfr problem

Brian Candler b.candler at pobox.com
Tue Sep 25 07:35:08 UTC 2018

On 25/09/2018 08:12, Bernd Krueger-Knauber wrote:
> In general it is working: I can query own domains and foreign ones.
> But ...
Presumably through the recursor??
> If I querry the pdns directly (localhost 5300) with dig, I get the AA flag.
> If I querry via the recursor from 'outside' I don't get it.
Note that open recursors are routinely discovered and exploited for DoS 
attacks.  So if your recursor is open to the public Internet, you need 
to ensure that it only answers recursive queries from trusted IP ranges.

(This is easy to test: from outside, "dig @x.x.x.x google.com. a". You 
should get a REFUSED response.  If you get a real answer, you are 
> Ok, auth-zones. But I can not provide them manually, because I don't
> know when someone adds a new zone via web.
If you are following a guide which suggests putting recursor in front of 
auth, this would have been a workaround for people migrating from a 
setup with a mixed authoritative + recursive server (e.g. default BIND 
config).  However, best practice is that you separate them completely: 
that's why PowerDNS now comes as separate authoritative and recursive 

Therefore, you should simply put the authoritative server on one IP 
address (accessible to the Internet), and the recursor on a different IP 
address, both listening on port 53.  You can either bind the two 
processes to two different IP addresses on the same host, or put them in 
different VMs or containers.

The NS records for your authoritative domains then point to your 
authoritative servers - your local one plus your off-site secondaries.  
(You do have off-site secondaries don't you? See RFC 2182).  And 
everything Just Works™.  All the recursors who query your authoritative 
domains will get the AA flag, since they're querying an authoritative 
server directly.

Another approach is to treat your internal authoritative server as a 
"hidden primary".  You build two or more auth servers on the public 
Internet, and list them in NS records, but *don't* list your hidden 
primary.  These servers then replicate their mysql databases from the 
one in your auth server.



More information about the Pdns-users mailing list