[Pdns-users] questions of understanding pdns-recursor with hosts-file

Markus Ehrlicher Markus.Ehrlicher at komsa.de
Tue Sep 8 06:05:40 UTC 2020


Hello together,

can anyone reproduce this problem or should I open a ticket on github?

Thanks and best regards,
Markus

From: Markus Ehrlicher
Sent: Tuesday, 1 September 2020 11:53
To: pdns-users at mailman.powerdns.com
Subject: questions of understanding pdns-recursor with hosts-file

Hello together,

I'm a little confused about the "export-etc-hosts" switch. I use the latest pdns-recursor, version 4.3.3, on Ubuntu 20.04.
Because of problems with firewall, NAT and external IPs, we have to redirect some (not all) DNS entries to internal IPs instead of publicly available IPs. For this purpose I installed this extra server, to insert the needed entries in the hosts file, and activated "export-etc-hosts" in pdns-recursor.conf.

Now my problem: if the root domain (in my example benchmaxx.de) is included in this hosts file, the recursor seems to feel authoritative for the whole domain and tries to answer all other requests for subdomains of benchmaxx.de (in my example test.benchmaxx.de) with NXDOMAIN.
Here are the logs for this behavior:

Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: 3 [6/1] question for 'test.benchmaxx.de|A' from 10.10.2.26:45074
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: Wants DNSSEC processing, auth data in query for A
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: Looking for CNAME cache hit of 'test.benchmaxx.de|CNAME'
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: Looking for DNAME cache hit of 'test.benchmaxx.de|DNAME' or its ancestors
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: No CNAME or DNAME cache hit of 'test.benchmaxx.de' found
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: No cache hit for 'test.benchmaxx.de|A', trying to find an appropriate NS record
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: initial validation status for test.benchmaxx.de is Indeterminate
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: Cache consultations done, have 1 NS to contact
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: Domain is out-of-band
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: auth storage has data, zone='benchmaxx.de'
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: accept answer 'benchmaxx.de|SOA|localhost. root. 1 604800 86400 2419200 604800' from 'benchmaxx.de' nameservers? ttl=7200, place=2 YES! - This answer was retrieved from the local auth store.
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: determining status after receiving this packet
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: got negative caching indication for name 'test.benchmaxx.de' (accept=1), newtarget='(empty)'
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: status=NXDOMAIN, we are done (have negative SOA)
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: failed (res=3)
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: 3 [6/1] answer to question 'test.benchmaxx.de|A': 0 answers, 0 additional, took 0 packets, 0 netw ms, 0 tot ms, 0 throttled, 0 timeouts, 0 tcp connections, rcode=3

If I comment out benchmaxx.de in the hosts-file, all is fine and the request for test.benchmaxx.de is answered correctly:

Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: 3 [1/1] question for 'test.benchmaxx.de|A' from 10.10.2.26:49295
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Wants DNSSEC processing, auth data in query for A
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Looking for CNAME cache hit of 'test.benchmaxx.de|CNAME'
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Looking for DNAME cache hit of 'test.benchmaxx.de|DNAME' or its ancestors
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: No CNAME or DNAME cache hit of 'test.benchmaxx.de' found
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: No cache hit for 'test.benchmaxx.de|A', trying to find an appropriate NS record
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: initial validation status for test.benchmaxx.de is Indeterminate
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Cache consultations done, have 1 NS to contact
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Domain has hardcoded nameservers
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de.: Nameservers: +217.119.211.10:53(2.11ms), +217.119.214.10:53(2.93ms)
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Resolved '.' NS (empty) to: 217.119.211.10, 217.119.214.10
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Trying IP 217.119.211.10:53, asking 'test.benchmaxx.de|A'
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Got 2 answers from (empty) (217.119.211.10), rcode=0 (No Error), aa=0, in 13ms
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: accept answer 'test.benchmaxx.de|A|2.2.2.2' from '.' nameservers? ttl=3600, place=1 YES! - This answer was received from a server we forward to.
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: OPT answer '.' from '.' nameservers
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: : got initial zone status Indeterminate for record test.benchmaxx.de|A
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: determining status after receiving this packet
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: answer is in: resolved to '2.2.2.2|A'
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: status=got results, this level of recursion done
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: validation status is Indeterminate
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: 3 [1/1] answer to question 'test.benchmaxx.de|A': 1 answers, 0 additional, took 1 packets, 13.069 netw ms, 13.317 tot ms, 0 throttled, 0 timeouts, 0 tcp connections, rcode=0
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: 3 [2/1] question for 'test.benchmaxx.de|AAAA' from 10.10.2.26:33182
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Wants DNSSEC processing, auth data in query for AAAA
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Looking for CNAME cache hit of 'test.benchmaxx.de|CNAME'
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Looking for DNAME cache hit of 'test.benchmaxx.de|DNAME' or its ancestors
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: No CNAME or DNAME cache hit of 'test.benchmaxx.de' found
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: No cache hit for 'test.benchmaxx.de|AAAA', trying to find an appropriate NS record
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: initial validation status for test.benchmaxx.de is Indeterminate
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Cache consultations done, have 1 NS to contact
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Domain has hardcoded nameservers
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de.: Nameservers: +217.119.214.10:53(2.93ms), +217.119.211.10:53(13.01ms)
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Resolved '.' NS (empty) to: 217.119.214.10, 217.119.211.10
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Trying IP 217.119.214.10:53, asking 'test.benchmaxx.de|AAAA'
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Got 2 answers from (empty) (217.119.214.10), rcode=0 (No Error), aa=0, in 11ms
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: accept answer 'benchmaxx.de|SOA|ns3.komsa.net. root.ns3.komsa.net. 2020090101 10800 3600 604800 3600' from '.' nameservers? ttl=3600, place=2 YES! - This answer was received from a server we forward to.
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: OPT answer '.' from '.' nameservers
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: determining status after receiving this packet
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: got negative caching indication for 'test.benchmaxx.de|AAAA'
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: status=noerror, other types may exist, but we are done (have negative SOA)
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: 3 [2/1] answer to question 'test.benchmaxx.de|AAAA': 0 answers, 0 additional, took 1 packets, 11.155 netw ms, 11.244 tot ms, 0 throttled, 0 timeouts, 0 tcp connections, rcode=0

So my question is: is this behavior normal and intended?

Thanks and best regards,
Markus
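
The two traces in the message above diverge at "auth storage has data, zone='benchmaxx.de'", which is followed by status=NXDOMAIN. The Python script below is an added example, not part of the original message and not PowerDNS code: it scans recursor trace output for that pair and reports names answered NXDOMAIN from a local zone that is a strict parent of the queried name. The function name `shadowed_names` is hypothetical; the sample lines are copied from the traces above.

```python
import re

# Trace lines copied from the message above (first pid: entry present in the
# hosts file; second pid: entry commented out).
SAMPLE = """\
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: 3 [6/1] question for 'test.benchmaxx.de|A' from 10.10.2.26:45074
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: Domain is out-of-band
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: auth storage has data, zone='benchmaxx.de'
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: status=NXDOMAIN, we are done (have negative SOA)
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Domain has hardcoded nameservers
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: status=got results, this level of recursion done
"""

# "<pid>]: <qname>: <message>" as it appears in the trace lines above.
LINE = re.compile(r"pdns_recursor\[(?P<pid>\d+)\]: (?P<qname>[^\s:]+): (?P<msg>.*)$")
ZONE = re.compile(r"auth storage has data, zone='(?P<zone>[^']+)'")


def shadowed_names(log_text):
    """Return sorted (qname, zone) pairs where the local auth store answered
    NXDOMAIN for a name strictly below the local zone."""
    local_zone = {}  # (pid, qname) -> zone seen in "auth storage has data"
    hits = set()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # question/answer summary lines carry no "qname:" prefix
        qname = m["qname"].rstrip(".").lower()
        key = (m["pid"], qname)
        z = ZONE.search(m["msg"])
        if z:
            local_zone[key] = z["zone"].rstrip(".").lower()
        elif m["msg"].startswith("status="):
            zone = local_zone.pop(key, None)  # resolution finished for this name
            if (zone and m["msg"].startswith("status=NXDOMAIN")
                    and qname != zone and qname.endswith("." + zone)):
                hits.add((qname, zone))
    return sorted(hits)


if __name__ == "__main__":
    for qname, zone in shadowed_names(SAMPLE):
        print(f"{qname}: NXDOMAIN from local zone {zone}")
```
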