[Pdns-users] recursor - pdns authoritative and axfr problem

Bernd Krueger-Knauber bkk at ednt.de
Tue Sep 25 09:45:59 UTC 2018

> On 25/09/2018 08:12, Bernd Krueger-Knauber wrote:
>> In general it is working: I can query own domains and foreign ones.
>> But ...
> Presumably through the recursor??
>> If I query the pdns directly (localhost 5300) with dig, I get the AA
>> flag.
>> If I query via the recursor from 'outside' I don't get it.
> Note that open recursors are routinely discovered and exploited for
> DoS attacks.  So if your recursor is open to the public Internet, you
> need to ensure that it only answers recursive queries from trusted IP
> ranges.
> (This is easy to test: from outside, "dig @x.x.x.x google.com. a". You
> should get a REFUSED response.  If you get a real answer, you are
> vulnerable)
>> Ok, auth-zones. But I can not provide them manually, because I don't
>> know when someone adds a new zone via web.
> If you are following a guide which suggests putting recursor in front
> of auth, this would have been a workaround for people migrating from a
> setup with a mixed authoritative + recursive server (e.g. default BIND
> config).  However, best practice is that you separate them completely:
> that's why PowerDNS now comes as separate authoritative and recursive
> servers.
> Therefore, you should simply put the authoritative server on one IP
> address (accessible to the Internet), and the recursor on a different
> IP address, both listening on port 53.  You can either bind the two
> processes to two different IP addresses on the same host, or put them
> in different VMs or containers.
> The NS records for your authoritative domains then point to your
> authoritative servers - your local one plus your off-site
> secondaries.  (You do have off-site secondaries don't you? See RFC
> 2182).  
We have more than one NS :)
> And everything Just Works™.  All the recursors who query your
> authoritative domains will get the AA flag, since they're querying an
> authoritative server directly.
Yes, and the pdns is also open to the complete internet, since it is
the SOA and has to be reachable by all, and is also open to all DoS attacks.
So what is the difference to the 'open' recursor?

> Another approach is to treat your internal authoritative server as a
> "hidden primary".  You build two or more auth servers on the public
> Internet, and list them in NS records, but *don't* list your hidden
> primary.  These servers then replicate their mysql databases from the
> one in your auth server.
> HTH,
> Brian.

I understand the concept as follows:
The SOA points to a server which can answer the request with the AA flag,
since it is the master of this zone.
The NS records point to servers which can give fast answers for this
zone, but also for foreign zones.

In general I still have no answer to the question why I get no AA flag
via the recursor.
Even if I split it to different IPs I get only an AA flag from the pdns.
And still the problem: how can I tell the recursor, from the database,
which domains are reachable via our own pdns?
(to avoid it calling another nameserver)
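An added example, not part of the thread and not PowerDNS project code, covering the two practical points above: Brian's open-recursor check (a recursive query from outside should come back REFUSED) and Bernd's question of how to feed the recursor the list of zones the local authoritative server holds without maintaining it by hand. The PowerDNS Recursor reads such a list from its forward-zones-file setting (one "zone=address" line per zone), and rec_control reload-zones makes it re-read that file. The script below assumes the authoritative server listens on 127.0.0.1:5300 and that the recursor's config contains forward-zones-file=/etc/powerdns/forward-zones.conf; both are assumptions, as is the zone list used in the helper (built from the output format of pdnsutil list-all-zones, one zone per line). Note that forwarding does not make the recursor's answers authoritative: only the authoritative server itself sets AA, which is why the separate-IP setup Brian describes is the clean solution and this is the workaround for a recursor-in-front deployment.

```shell
#!/bin/sh
# Added example: regenerate the PowerDNS Recursor forward-zones file from
# the authoritative server's zone list, and classify the result of Brian's
# open-recursor test. Addresses and paths below are assumptions.
set -eu

AUTH_ADDR="${AUTH_ADDR:-127.0.0.1:5300}"               # assumed auth listener
FWD_FILE="${FWD_FILE:-/etc/powerdns/forward-zones.conf}" # assumed recursor setting

# Turn a newline-separated zone list (stdin, e.g. `pdnsutil list-all-zones`)
# into forward-zones-file lines. A line without a leading '+' makes the
# recursor send the query straight to the given server without chasing
# referrals, which is what we want for zones we host ourselves.
zones_to_forward_lines() {
    tr -d '\r' | sed -e 's/\.$//' -e '/^[[:space:]]*$/d' \
        | while IFS= read -r zone; do
            printf '%s=%s\n' "$zone" "$AUTH_ADDR"
          done
}

# Classify the ";; ->>HEADER<<-" line of a dig answer obtained from an
# untrusted address with `dig @x.x.x.x google.com. a`. REFUSED is the
# desired outcome; NOERROR means the recursor serves anyone who asks.
classify_dig_status() {
    case "$1" in
        *"status: REFUSED"*) echo "closed" ;;
        *"status: NOERROR"*) echo "OPEN" ;;
        *)                   echo "unknown" ;;
    esac
}

# Rebuild the forward-zones file from the live zone list and reload the
# recursor only when something actually changed. Runs only when the script
# is invoked with "sync", so the helpers above can be sourced harmlessly.
sync_forward_zones() {
    tmp="$(mktemp)"
    pdnsutil list-all-zones | zones_to_forward_lines > "$tmp"
    if ! cmp -s "$tmp" "$FWD_FILE"; then
        mv "$tmp" "$FWD_FILE"
        rec_control reload-zones
    else
        rm -f "$tmp"
    fi
}

if [ "${1:-}" = "sync" ]; then
    sync_forward_zones
fi
```

Run it as `sh forward-zones-sync.sh sync` from cron or from whatever hook the web frontend fires when it adds a zone; zones then stop being forwarded as soon as they disappear from the authoritative database. For the open-recursor check, pipe the dig output through `grep HEADER` and hand that line to classify_dig_status; anything other than "closed" from an address outside your allow-from ranges needs fixing before the recursor is exposed.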
