[Pdns-users] problem with 4.1.0 recursion removed

Brian Candler b.candler at pobox.com
Sat Aug 10 07:33:20 UTC 2019

On 10/08/2019 07:24, Juha Heinanen via Pdns-users wrote:
> I have been using 4.0.x pdns/recursor setup to serve DNS records of
> phone numbers.  For example, a domain name in records table could be
>  Phone numbers can be random, i.e.,
> they don't necessarily share a common prefix.  The records are
> added/removed dynamically when phone numbers are allocated/released.
> My usage corresponds to Scenario 1 of the migration guide:
> https://doc.powerdns.com/authoritative/guides/recursion.html
> i.e,, pdns server receives queries from users, serves them itself if
> found in database and forwards to Internet otherwise.
> If I have understood the migration guide correctly, in 4.1.0 every time
> when a phone number is allocated/released, I would need to modify a text
> file (forward-zones variable in recursor.conf or forward-zones-file) in
> addition to updating pdns database.

* You can forward e164.arpa to your own authoritative nameserver(s) with 
a single static entry, and all subdomains will be forwarded.  Of course, 
no other domains under e164.arpa will resolve, since you've made 
yourself authoritative for the whole domain.

* You can create separate authoritative domains for each phone number 
(e.g., and get them delegated properly, 
i.e. get NS records installed under e164.arpa for those domains pointing 
to your authoritative nameserver(s), by the administrator of e164.arpa.  
That will let them resolve for the whole Internet, including your own 
recursive resolver.

* Otherwise, it sounds like what you're doing is weird: you're spoofing 
individual records under a domain you don't control, with those spoofed 
records only visible to people who use your own recursor.  If you really 
want to do that, and do it dynamically, then maybe dnsdist with lua 
scripting is the way forward.  But I would consider it to be bad 
practice, especially since e164.arpa is DNSSEC signed.

* Another option, if you want to publish a private phone directory, is 
to do it under a domain you control - e.g. e164.yourdomain.com - and 
configure your clients to look in there before looking in e164.arpa

More information about the Pdns-users mailing list