[Pdns-users] Powerdns server is not passing Authority parameter
Markus Ehrlicher
Markus.Ehrlicher at komsa.de
Tue Jan 19 09:58:06 UTC 2021
Sorry, wrong result posted:
dig google.de @ns1.google.com
; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> google.de @ns1.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42438
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.de. IN A
;; ANSWER SECTION:
google.de. 300 IN A 172.217.18.99
;; Query time: 16 msec
;; SERVER: 216.239.32.10#53(216.239.32.10)
;; WHEN: Tue Jan 19 10:46:20 CET 2021
;; MSG SIZE rcvd: 54
Von: Pdns-users <pdns-users-bounces at mailman.powerdns.com> Im Auftrag von Markus Ehrlicher via Pdns-users
Gesendet: Dienstag, 19. Januar 2021 10:56
An: pdns-users at mailman.powerdns.com
Betreff: Re: [Pdns-users] Powerdns server is not passing Authority parameter
This is normal behavior. The aa-flag is the right point to look at and at your dig-results to port 5300, this flag ist set.
Compare your results with „dig google.de @ns1.google.com“:
; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> www.google.de<http://www.google.de> @ns1.komsa.net SOA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16618
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.google.de. IN SOA
;; AUTHORITY SECTION:
google.de. 60 IN SOA ns1.google.com. dns-admin.google.com. 352375909 900 900 1800 60
;; Query time: 27 msec
;; SERVER: 217.119.211.10#53(217.119.211.10)
;; WHEN: Tue Jan 19 10:43:36 CET 2021
;; MSG SIZE rcvd: 102
root at markusehrlicher:~# dig google.de @ns1.google.com
; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> google.de @ns1.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42438
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.de. IN A
;; ANSWER SECTION:
google.de. 300 IN A 172.217.18.99
Von: Dedan Irungu <dedanirungu at gmail.com<mailto:dedanirungu at gmail.com>>
Gesendet: Dienstag, 19. Januar 2021 10:51
An: Markus Ehrlicher <Markus.Ehrlicher at komsa.de<mailto:Markus.Ehrlicher at komsa.de>>
Betreff: Re: [Pdns-users] Powerdns server is not passing Authority parameter
When I perform a dig the section on Authority is zero.
dig @85.10.203.183<http://85.10.203.183> gifsitebuilder.com<http://gifsitebuilder.com> A -p 53
; <<>> DiG 9.16.1-Ubuntu <<>> @85.10.203.183<http://85.10.203.183> gifsitebuilder.com<http://gifsitebuilder.com> A -p 53
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31345
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
Also dns checker was returning as not authoritative.
https://mxtoolbox.com/SuperTool.aspx?action=dns%3aessyfortunes.com&run=toolpage
On Tue, Jan 19, 2021 at 12:40 PM Markus Ehrlicher via Pdns-users <pdns-users at mailman.powerdns.com<mailto:pdns-users at mailman.powerdns.com>> wrote:
Hello,
where do you get the information from your dig-answer, that the server is not authoritative?
Best regards,
Markus
Von: Pdns-users <pdns-users-bounces at mailman.powerdns.com<mailto:pdns-users-bounces at mailman.powerdns.com>> Im Auftrag von frank+pdns--- via Pdns-users
Gesendet: Dienstag, 19. Januar 2021 10:21
An: Dedan Irungu <dedanirungu at gmail.com<mailto:dedanirungu at gmail.com>>
Cc: pdns-users-ml <pdns-users at mailman.powerdns.com<mailto:pdns-users at mailman.powerdns.com>>
Betreff: Re: [Pdns-users] Powerdns server is not passing Authority parameter
Hi,
Could you share the configuration of the PDNS Auth server please?
Frank Louwers
Certified PowerDNS Consultant @ Kiwazo.be<http://Kiwazo.be>
On 19 Jan 2021, at 10:08, Dedan Irungu via Pdns-users <pdns-users at mailman.powerdns.com<mailto:pdns-users at mailman.powerdns.com>> wrote:
I have made the changes request as soon below. The server does not serve authoritative results.
setLocal('85.10.203.183')
setACL({'0.0.0.0/0<http://0.0.0.0/0>', '::/0'}) -- Allow all IPs access
newServer({address='85.10.203.183:5300<http://85.10.203.183:5300/>', pool='auth'})
newServer({address='85.10.203.183:5301<http://85.10.203.183:5301/>', pool='recursor'})
recursive_ips = newNMG()
recursive_ips:addMask('127.0.0.1/8<http://127.0.0.1/8>') -- These network masks are the ones from allow-recursion in the Authoritative Server
addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))
addAction(AllRule(), PoolAction('auth'))
I have tried to target powerdns directly via port 5300 but the result is the same. Any dig performed on port 5300 should be authoritative but in this case it is not.
dig @85.10.203.183<http://85.10.203.183/> gifsitebuilder.com<http://gifsitebuilder.com/> A -p 5300
On Tue, Jan 19, 2021 at 11:51 AM Brian Candler <b.candler at pobox.com<mailto:b.candler at pobox.com>> wrote:
On 19/01/2021 08:40, Dedan Irungu via Pdns-users wrote:
recursive_ips:addMask('0.0.0.0/0<http://0.0.0.0/0>') -- These network masks are the ones from allow-recursion in the Authoritative Server
addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))
These two lines together say: "for incoming queries from *any* IP addresses: send them to the recursor".
Try changing the first one to something like:
recursive_ips:addMask('192.168.0.0/16<http://0.0.0.0/0>') -- netblock containing your local clients
Then queries from 192.168.x.x will go to the recursor, whereas queries from any *other* addresses will go to the authoritative server.
_______________________________________________
Pdns-users mailing list
Pdns-users at mailman.powerdns.com<mailto:Pdns-users at mailman.powerdns.com>
https://mailman.powerdns.com/mailman/listinfo/pdns-users
Frank Louwers
PowerDNS Certified Consultant @ Kiwazo.be<http://Kiwazo.be>
_______________________________________________
Pdns-users mailing list
Pdns-users at mailman.powerdns.com<mailto:Pdns-users at mailman.powerdns.com>
https://mailman.powerdns.com/mailman/listinfo/pdns-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20210119/2856849f/attachment-0001.htm>
More information about the Pdns-users
mailing list