[Pdns-users] recursor - pdns authoritative and axfr problem

Brian Candler b.candler at pobox.com
Tue Sep 25 10:47:46 UTC 2018


[please reply to list]

On 25/09/2018 11:22, Bernd Krueger-Knauber wrote:
> At our customers routers we give them 2 IP addresses of recursors as NS
> entries, which have no official NS entries pointing to themselves (no
> real NS).
Yes: recursors don't have NS records pointing at them.  The clients 
learn the IP addresses of the recursors through DHCP, or manual 
configuration.

> We restrict the recursors to the IP-ranges of our network addresses.
Yes.  This avoids abuse of your recursors.  (Or you can keep your 
recursors on a private network, or behind a firewall which doesn't allow 
inbound connections).

> We place our 'real' pdns directly in the internet.
If by 'real' you mean pdns-authoritative, yes.

Alternatively, don't put it on the Internet, but make your domain's 
public authoritative nameservers slave or replicate from it.

Even if you do put it on the Internet, you still need at least one other 
nameserver to replicate from it, on a different network and ideally a 
different continent (RFC 2182).

> We tell the recursor to ask first our pdns, then someone else.
No.

Your recursor will automatically follow the delegations from nameservers 
on the Internet.  If the recursor wants to resolve www.example.com:

- first it queries the root nameservers, which will return a delegation 
(NS records) pointing to .com nameservers
- it asks one of them, which will return a delegation to example.com 
nameservers
- it asks one of them, which gives the final answer
- all the answers, intermediate and final, are cached

This works the same for your own domains as for anybody else's domains.  
To see a demo of this in action, try:

$ dig +trace www.google.com  # or domain of your choice

You don't need to configure the recursor to do this - unless the domain 
is private (unregistered, or not delegated).

As an example: if you want to do reverse DNS for private IP addresses, 
you will need to forward the domains like 168.192.in-addr.arpa or 
10.in-addr.arpa to your authoritative servers, because you can't get 
real delegation in the public DNS for this.

As another example: if you have the domain foo.com, and you want to 
create a domain int.foo.com which is *only* resolvable on your network 
and not in the public Internet, then you can create int.foo.com but 
*not* add NS records for it.  Then the recursor must be configured to 
forward int.foo.com to the auth server.

Regards,

Brian.
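The delegation walk described in the reply (root, then .com, then the example.com nameservers, with every answer cached) and the forward-zone case for non-delegated names such as int.foo.com or 10.in-addr.arpa, as an added illustration that is not part of the original post and not PowerDNS code. It is a toy in-memory resolver: all server addresses and zone contents are constructed sample data, and the `Recursor`, `suffixes` and `SERVERS` names are this example's own.

```python
"""Toy iterative resolver: follow delegations from the root, cache what
comes back, and consult a configured forward zone only for names that
are not delegated in the public DNS tree.

Added illustration, not code from the mailing-list post and not PowerDNS
code.  Every server address and zone below is constructed sample data
(documentation ranges), standing in for the real root/.com/auth servers.
"""

# Constructed sample data.  Each "server" maps an owner name to either a
# delegation ("NS", address of the child zone's nameserver) or a final
# record.  A real server holds full zones; this is just enough to show
# the walk the post describes.
SERVERS = {
    "198.41.0.4": {                       # stand-in root server
        "com.": ("NS", "192.0.2.1"),
    },
    "192.0.2.1": {                        # stand-in .com server
        "example.com.": ("NS", "192.0.2.53"),
        "foo.com.": ("NS", "192.0.2.54"),
    },
    "192.0.2.53": {                       # example.com authoritative
        "www.example.com.": ("A", "192.0.2.80"),
    },
    "192.0.2.54": {                       # foo.com public authoritative:
        "www.foo.com.": ("A", "192.0.2.81"),  # knows nothing about int.foo.com
    },
    "10.0.0.53": {                        # internal pdns-auth on the LAN
        "host1.int.foo.com.": ("A", "10.0.0.10"),
        "10.0.0.10.in-addr.arpa.": ("PTR", "host1.int.foo.com."),
    },
}
ROOT_HINT = "198.41.0.4"
MAX_HOPS = 16  # guard against delegation loops in bad data


def suffixes(name):
    """'www.example.com.' -> ['www.example.com.', 'example.com.', 'com.', '.']"""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]


class Recursor:
    def __init__(self, forward_zones=None):
        # forward_zones: {"int.foo.com.": "10.0.0.53"} -- the equivalent of
        # telling the recursor where a non-delegated zone lives.
        self.forward_zones = forward_zones or {}
        self.answer_cache = {}               # qname -> (type, data)
        self.ns_cache = {".": ROOT_HINT}     # zone -> nameserver address
        self.queries = []                    # (server, qname) log

    def ask(self, server, qname):
        """One query to one server; the server answers with the most
        specific name it has data for, or None (NXDOMAIN/REFUSED)."""
        self.queries.append((server, qname))
        data = SERVERS.get(server, {})
        for name in suffixes(qname):
            if name in data:
                return name, data[name]
        return None

    def resolve(self, qname):
        if qname in self.answer_cache:       # final answers are cached
            return self.answer_cache[qname]
        # Start at a forward zone if one covers the name; otherwise at the
        # deepest delegation already cached (falling back to the root).
        server = ROOT_HINT
        for name in suffixes(qname):
            if name in self.forward_zones:
                server = self.forward_zones[name]
                break
            if name in self.ns_cache:
                server = self.ns_cache[name]
                break
        for _ in range(MAX_HOPS):
            reply = self.ask(server, qname)
            if reply is None:
                return None
            name, (rtype, data) = reply
            if rtype == "NS":                # delegation: cache it, go down
                self.ns_cache[name] = data
                server = data
                continue
            self.answer_cache[qname] = (rtype, data)
            return (rtype, data)
        return None


if __name__ == "__main__":
    r = Recursor({"int.foo.com.": "10.0.0.53", "10.in-addr.arpa.": "10.0.0.53"})
    for q in ("www.example.com.", "www.foo.com.", "www.example.com.",
              "host1.int.foo.com.", "10.0.0.10.in-addr.arpa."):
        before = len(r.queries)
        print(q, "->", r.resolve(q), "via", r.queries[before:])
    # Without the forward zone the public tree dead-ends at foo.com's server:
    print("no forward:", Recursor().resolve("host1.int.foo.com."))
```

Running it shows the point of the reply: the first lookup takes three hops (root, .com, example.com), the second .com name skips the root because the .com delegation is cached, a repeat query costs no network round trip at all, and `host1.int.foo.com.` only resolves when a forward zone points the recursor at the internal authoritative server, since the public foo.com server has never heard of it. In a real PowerDNS Recursor the same mapping is the `forward-zones` setting (for instance `forward-zones=int.foo.com=10.0.0.53, 10.in-addr.arpa=10.0.0.53`, with the addresses here being constructed), and the "restrict the recursors to our IP ranges" step from the thread is the `allow-from` setting.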
