[Pdns-users] recursor - pdns authoritative and axfr problem
b.candler at pobox.com
Tue Sep 25 10:10:04 UTC 2018
On 25/09/2018 10:45, Bernd Krueger-Knauber wrote:
>> All the recursors who query your
>> authoritative domains will get the AA flag, since they're querying an
>> authoritative server directly.
> Yes, and the pdns is also open for the complete internet, since it is
> the SOA and have to be reachable for all, and also open for all DoS attacks.
> So what is the difference to the 'open' recursor ?
powerdns-authoritative is not a recursor (recursive queries are refused).
For details of why open recursors are bad, see
Authoritative nameservers obviously must answer queries from anyone, but
they are harder to use as DoS amplifiers.
> SOA points to the a server which can answer the request with AA flag,
> since it is the master of this zone.
No. SOA is not use in resolution. It's the set of *NS* records within
the zone which are authoritative for the zone, and which recursors can
send queries to.
The SOA record contains a "master" nameserver and a contact E-mail
address, but these are really just for human debugging purposes. (Well
actually, NOTIFY and UPDATE requests should go to the master, but
recursive resolution ignores this and follows the NS records only)
> The NS records points to servers which can give fast answers for this
> zone, but also for foreign zones.
That makes no sense. The NS records for a zone point to authoritative
servers for the zone. Whether they are "fast" or not is irrelevant;
they are the *only* servers which may be queried.
"Foreign" zone is meaningless. An authoritative server will only answer
for zones which it is authoritative for, and will respond with a REFUSED
response for anything else.
> In general I still have no answer to the question why I get no AA flag
> via the recursor.
By definition, any answer from a recursive nameserver is not
authoritative, because it did not come directly from the authoritative
server. Recursors are caches. Cached data is not authoritative - it
may be stale.
> Even if I split it to ifferent IPs I get only an AA flag from the pdns.
From the pdns-authoritative server, correct. That's how it's supposed
> And still the problem: how can I tell the recursor from the database
> which domains are reachable via our own pdns.
> (to avoid that it calls an other nameserver)
Your recursor will follow the NS records, just like any other recursor,
and therefore will it will find your authoritative nameserver(s) and get
the answers from there.
If you really want, you can use domain forwarding rules in your recursor
to tell it where to forward the queries; but why do that when the NS
records do it automatically?
More information about the Pdns-users