[Pdns-users] problem with 4.1.0 recursion removed
Brian Candler
b.candler at pobox.com
Sat Aug 10 07:33:20 UTC 2019
On 10/08/2019 07:24, Juha Heinanen via Pdns-users wrote:
> I have been using 4.0.x pdns/recursor setup to serve DNS records of
> phone numbers. For example, a domain name in records table could be
> 1.7.6.5.4.3.2.3.8.5.3.e164.arpa. Phone numbers can be random, i.e.,
> they don't necessarily share a common prefix. The records are
> added/removed dynamically when phone numbers are allocated/released.
>
> My usage corresponds to Scenario 1 of the migration guide:
>
> https://doc.powerdns.com/authoritative/guides/recursion.html
>
> i.e., pdns server receives queries from users, serves them itself if
> found in database and forwards to Internet otherwise.
>
> If I have understood the migration guide correctly, in 4.1.0 every time
> when a phone number is allocated/released, I would need to modify a text
> file (forward-zones variable in recursor.conf or forward-zones-file) in
> addition to updating pdns database.
* You can forward e164.arpa to your own authoritative nameserver(s) with
a single static entry, and all subdomains will be forwarded. Of course,
no other domains under e164.arpa will resolve, since you've made
yourself authoritative for the whole domain.
* You can create separate authoritative domains for each phone number
(e.g. 1.7.6.5.4.3.2.3.8.5.3.e164.arpa), and get them delegated properly,
i.e. get NS records installed under e164.arpa for those domains pointing
to your authoritative nameserver(s), by the administrator of e164.arpa.
That will let them resolve for the whole Internet, including your own
recursive resolver.
* Otherwise, it sounds like what you're doing is weird: you're spoofing
individual records under a domain you don't control, with those spoofed
records only visible to people who use your own recursor. If you really
want to do that, and do it dynamically, then maybe dnsdist with lua
scripting is the way forward. But I would consider it to be bad
practice, especially since e164.arpa is DNSSEC signed.
* Another option, if you want to publish a private phone directory, is
to do it under a domain you control - e.g. e164.yourdomain.com - and
configure your clients to look in there before looking in e164.arpa.
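As an added illustration of the first option (not part of the original post and not PowerDNS code), the model below mimics the Recursor's forward-zones longest-suffix match and the digit-reversed ENUM owner name from the thread, so you can check which names a single `e164.arpa` entry would send to your authoritative server before touching recursor.conf. The zone table and the address 192.0.2.53 are constructed placeholders.

```python
"""Model of how one forward-zones entry covers every name under it.

Added example, not PowerDNS code.  It mimics the Recursor's forward-zones
selection (longest zone suffix that is an ancestor of the query name) and
the ENUM owner-name construction used in the post.
"""

# Constructed forward-zones table, equivalent to this recursor.conf line:
#   forward-zones=e164.arpa=192.0.2.53
# 192.0.2.53 is a documentation address standing in for your auth server.
FORWARD_ZONES = {"e164.arpa": "192.0.2.53"}


def enum_name(number: str, suffix: str = "e164.arpa") -> str:
    """Turn an E.164 number into its ENUM owner name: strip non-digits,
    reverse the digits, dot-separate them and append the suffix
    (+35832345671 -> 1.7.6.5.4.3.2.3.8.5.3.e164.arpa)."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if not digits:
        raise ValueError("no digits in number")
    return ".".join(reversed(digits)) + "." + suffix


def forward_target(qname: str, zones: dict = FORWARD_ZONES):
    """Return the forwarder for qname, picking the longest configured zone
    that equals qname or is an ancestor of it; None if nothing matches."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):  # walk from the full name up to the TLD
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return zones[candidate]
    return None


if __name__ == "__main__":
    name = enum_name("+35832345671")
    print(name, "->", forward_target(name))          # forwarded to 192.0.2.53
    print("www.example.com ->", forward_target("www.example.com"))  # None
```

Because matching is by DNS ancestry, a name such as `e164.arpa.example.com` is not forwarded, while every number under `e164.arpa` is, without any per-number entry.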