[Pdns-users] questions of understanding pdns-recursor with hosts-file
Otto Moerbeek
otto at drijf.net
Tue Sep 8 06:23:27 UTC 2020
On Tue, Sep 08, 2020 at 06:05:40AM +0000, Markus Ehrlicher via Pdns-users wrote:
> Hello together,
>
> can anyone reproduce this problem or should I open a ticket on github?
I wanted to look into this, but I did not have time yet. Without
looking at the code but knowing some details of the auth zone mechanism,
I'm not surprised by what you are seeing.
-Otto
>
> Thanks and best regards,
> Markus
>
> Von: Markus Ehrlicher
> Gesendet: Dienstag, 1. September 2020 11:53
> An: pdns-users at mailman.powerdns.com
> Betreff: questions of understanding pdns-recursor with hosts-file
>
> Hello together,
>
> I'am a little confused about the "export-etc-hosts"-switch. I use latest pdns-recursor in version 4.3.3 on Ubuntu 20.04.
> Because of problems with firewall, NAT and external IPs, we have to redirect some (not all) DNS-Entries to internal IPs instead of public available IPs. For this purpose I installed this extra server, to insert the needed entries in the hosts-file and activated "export-etc-hosts" in pdns-recursor.conf.
>
> Now my problem: if the root domain (in my example benchmaxx.de) is included in this hosts-file, the recursor seems to feel authoritative for the whole domain and trys to answers all other requests for subdomains from benchmaxx.de (in my example test.benchmaxx.de) with NXDOMAIN.
> Here are the logs for this behavior:
>
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: 3 [6/1] question for 'test.benchmaxx.de|A' from 10.10.2.26:45074
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: Wants DNSSEC processing, auth data in query for A
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: Looking for CNAME cache hit of 'test.benchmaxx.de|CNAME'
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: Looking for DNAME cache hit of 'test.benchmaxx.de|DNAME' or its ancestors
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: No CNAME or DNAME cache hit of 'test.benchmaxx.de' found
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: No cache hit for 'test.benchmaxx.de|A', trying to find an appropriate NS record
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: initial validation status for test.benchmaxx.de is Indeterminate
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: Cache consultations done, have 1 NS to contact
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: Domain is out-of-band
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: auth storage has data, zone='benchmaxx.de'
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: accept answer 'benchmaxx.de|SOA|localhost. root. 1 604800 86400 2419200 604800' from 'benchmaxx.de' nameservers? ttl=7200, place=2 YES! - This answer was retrieved from the local auth store.
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: determining status after receiving this packet
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: got negative caching indication for name 'test.benchmaxx.de' (accept=1), newtarget='(empty)'
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: status=NXDOMAIN, we are done (have negative SOA)
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: failed (res=3)
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: 3 [6/1] answer to question 'test.benchmaxx.de|A': 0 answers, 0 additional, took 0 packets, 0 netw ms, 0 tot ms, 0 throttled, 0 timeouts, 0 tcp connections, rcode=3
>
> If I comment out benchmaxx.de in the hosts-file, all is fine and the request for test.benchmaxx.de is answered correctly:
>
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: 3 [1/1] question for 'test.benchmaxx.de|A' from 10.10.2.26:49295
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Wants DNSSEC processing, auth data in query for A
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Looking for CNAME cache hit of 'test.benchmaxx.de|CNAME'
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Looking for DNAME cache hit of 'test.benchmaxx.de|DNAME' or its ancestors
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: No CNAME or DNAME cache hit of 'test.benchmaxx.de' found
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: No cache hit for 'test.benchmaxx.de|A', trying to find an appropriate NS record
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: initial validation status for test.benchmaxx.de is Indeterminate
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Cache consultations done, have 1 NS to contact
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Domain has hardcoded nameservers
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de.: Nameservers: +217.119.211.10:53(2.11ms), +217.119.214.10:53(2.93ms)
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Resolved '.' NS (empty) to: 217.119.211.10, 217.119.214.10
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Trying IP 217.119.211.10:53, asking 'test.benchmaxx.de|A'
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Got 2 answers from (empty) (217.119.211.10), rcode=0 (No Error), aa=0, in 13ms
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: accept answer 'test.benchmaxx.de|A|2.2.2.2' from '.' nameservers? ttl=3600, place=1 YES! - This answer was received from a server we forward to.
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: OPT answer '.' from '.' nameservers
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: : got initial zone status Indeterminate for record test.benchmaxx.de|A
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: determining status after receiving this packet
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: answer is in: resolved to '2.2.2.2|A'
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: status=got results, this level of recursion done
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: validation status is Indeterminate
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: 3 [1/1] answer to question 'test.benchmaxx.de|A': 1 answers, 0 additional, took 1 packets, 13.069 netw ms, 13.317 tot ms, 0 throttled, 0 timeouts, 0 tcp connections, rcode=0
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: 3 [2/1] question for 'test.benchmaxx.de|AAAA' from 10.10.2.26:33182
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Wants DNSSEC processing, auth data in query for AAAA
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Looking for CNAME cache hit of 'test.benchmaxx.de|CNAME'
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Looking for DNAME cache hit of 'test.benchmaxx.de|DNAME' or its ancestors
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: No CNAME or DNAME cache hit of 'test.benchmaxx.de' found
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: No cache hit for 'test.benchmaxx.de|AAAA', trying to find an appropriate NS record
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: initial validation status for test.benchmaxx.de is Indeterminate
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Cache consultations done, have 1 NS to contact
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Domain has hardcoded nameservers
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de.: Nameservers: +217.119.214.10:53(2.93ms), +217.119.211.10:53(13.01ms)
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Resolved '.' NS (empty) to: 217.119.214.10, 217.119.211.10
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Trying IP 217.119.214.10:53, asking 'test.benchmaxx.de|AAAA'
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Got 2 answers from (empty) (217.119.214.10), rcode=0 (No Error), aa=0, in 11ms
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: accept answer 'benchmaxx.de|SOA|ns3.komsa.net. root.ns3.komsa.net. 2020090101 10800 3600 604800 3600' from '.' nameservers? ttl=3600, place=2 YES! - This answer was received from a server we forward to.
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: OPT answer '.' from '.' nameservers
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: determining status after receiving this packet
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: got negative caching indication for 'test.benchmaxx.de|AAAA'
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: status=noerror, other types may exist, but we are done (have negative SOA)
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: 3 [2/1] answer to question 'test.benchmaxx.de|AAAA': 0 answers, 0 additional, took 1 packets, 11.155 netw ms, 11.244 tot ms, 0 throttled, 0 timeouts, 0 tcp connections, rcode=0
>
> So my question is: is this behavior normal and intended?
>
> Thanks and best regards,
> Markus
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
More information about the Pdns-users
mailing list