[Pdns-users] SERVFAIL on backend failure - is this possible?

Vytenis A vytenis.adm at gmail.com
Wed Feb 26 09:24:42 UTC 2020 

UPDATE: pDNS returns NXDOMAIN only when TXT query returns HTTP 500,
and SOA returns 200.

We would like to keep SOA record statically defined in our backend,
and TXT is quered in DB. I guess pDNS treats remote DNS store as
healthy if SOA is OK, ignoring subsequent request status.

On Wed, Feb 26, 2020 at 10:55 AM Vytenis A <vytenis.adm at gmail.com> wrote:
>
> Hi Aki!
>
> Ok, so I've implemented SOA into remote backend and dropped bind
> completely. The only backend active now is "remote"
>
> If I provide invalid connection string to a closed port - I get
> REFUSED, which is good
>
> But our concern is that our HTTP backend could start misbehaving
> (returining 40x, 50x errors, invalid responses). During tests we
> forced HTTP 500 response, and got NXDOMAIN unfortunately. Is there a
> way to provide REFUSED/SERVFAIL in case http backend is misbehaving?
>
> On Wed, Feb 26, 2020 at 9:23 AM Aki Tuomi <cmouse at cmouse.fi> wrote:
> >
> > Hi!
> >
> > It is not really supported to split domains like this. You need to host
> > the entire domain in remote backend.
> >
> > Aki
> >
> > On 26.2.2020 2.00, Vytenis A via Pdns-users wrote:
> > > Hi Bert,
> > >
> > > Thanks for a prompt reply.
> > >
> > > This is currently on my local test VM, it's waay past midnight, I can
> > > put it on resolvable domain tomorrow if this isn't helpful. Not sure
> > > how to show you this exactly :)
> > >
> > > I'm using latest pDNS, using official repo:
> > >
> > > pdns-4.2.1-1pdns.el7.x86_64, CentOS 7.7.1908
> > >
> > >
> > > Two backends:
> > >
> > > # /etc/pdns/pdns.conf:
> > >
> > > config-dir=/etc/pdns
> > > setuid=pdns
> > > setgid=pdns
> > > log-dns-details=yes
> > > log-dns-queries=yes
> > > loglevel=6
> > > launch=bind,remote
> > > bind-config=/etc/pdns/bind-files/named.conf
> > > remote-connection-string=http:url=http://invalidhostname:99999
> > >
> > >
> > > Static bind backend contains one zone, which contains SOA and one 'IN
> > > NS' record only.
> > >
> > > http endpoint is serving TXT records exclusively, and all is well if
> > > it's reachable: queries get resolved, nonexistent TXT records get
> > > NXDOMAIN
> > >
> > > But if http endpoint is invalidated (as in example above ^) - I get
> > > NXDOMAIN. If I remove bind stuff out of pdns.conf - I get REFUSED,
> > > which is somewhat the same as SERVFAIL afaik.
> > >
> > > bind backend is used to keep SOA out of "remote" backend, not 100%
> > > sure it's the best way. We could implement entire zone in http backend
> > > as a last resort.
> > >
> > > Thanks again!
> > >
> > >
> > >
> > >
> > > On Wed, Feb 26, 2020 at 12:51 AM bert hubert <bert.hubert at powerdns.com> wrote:
> > >> On Wed, Feb 26, 2020 at 12:35:21AM +0200, Vytenis A via Pdns-users wrote:
> > >>> While trying to implement authoritative DNS server using "remote"
> > >>> backend, I've stumbled into an issue when HTTP backend is unreachable
> > >>> - PowerDNS is returning NXDOMAIN.
> > >> Can you reproduce this for us so we can check? It is not supposed to ever
> > >> happen. Please also let us know which version of PowerDNS you are using.
> > >>
> > >>> What I would like to achieve is return SERVFAIL in case my HTTP
> > >>> endpoint is unavailable. Is this possible? Maybe Lua fallback backend
> > >>> could assist here?
> > >> This is what should be happening.
> > >>
> > >>         Bert
> > >>
> > >
>
>
>
> --
> Vytenis



-- 
Vytenis

More information about the Pdns-users mailing list