[Pdns-users] Powerdns server is not passing Authority parameter

Markus Ehrlicher Markus.Ehrlicher at komsa.de
Tue Jan 19 09:58:06 UTC 2021


Sorry, wrong result posted:

dig google.de @ns1.google.com

; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> google.de @ns1.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42438
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.de.                     IN      A

;; ANSWER SECTION:
google.de.              300     IN      A       172.217.18.99

;; Query time: 16 msec
;; SERVER: 216.239.32.10#53(216.239.32.10)
;; WHEN: Tue Jan 19 10:46:20 CET 2021
;; MSG SIZE  rcvd: 54



From: Pdns-users <pdns-users-bounces at mailman.powerdns.com> On behalf of Markus Ehrlicher via Pdns-users
Sent: Tuesday, 19 January 2021 10:56
To: pdns-users at mailman.powerdns.com
Subject: Re: [Pdns-users] Powerdns server is not passing Authority parameter

This is normal behavior. The aa flag is the right thing to look at, and in your dig results for port 5300 this flag is set.
Compare your results with "dig google.de @ns1.google.com":

; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> www.google.de @ns1.komsa.net SOA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16618
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.google.de.                 IN      SOA

;; AUTHORITY SECTION:
google.de.              60      IN      SOA     ns1.google.com. dns-admin.google.com. 352375909 900 900 1800 60

;; Query time: 27 msec
;; SERVER: 217.119.211.10#53(217.119.211.10)
;; WHEN: Tue Jan 19 10:43:36 CET 2021
;; MSG SIZE  rcvd: 102

root@markusehrlicher:~# dig google.de @ns1.google.com

; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> google.de @ns1.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42438
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.de.                     IN      A

;; ANSWER SECTION:
google.de.              300     IN      A       172.217.18.99


From: Dedan Irungu <dedanirungu at gmail.com>
Sent: Tuesday, 19 January 2021 10:51
To: Markus Ehrlicher <Markus.Ehrlicher at komsa.de>
Subject: Re: [Pdns-users] Powerdns server is not passing Authority parameter

When I perform a dig the section on Authority is zero.

dig @85.10.203.183 gifsitebuilder.com A -p 53

   ; <<>> DiG 9.16.1-Ubuntu <<>> @85.10.203.183 gifsitebuilder.com A -p 53
   ; (1 server found)
   ;; global options: +cmd
   ;; Got answer:
   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31345
   ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
   ;; WARNING: recursion requested but not available

Also dns checker was returning as not authoritative.

https://mxtoolbox.com/SuperTool.aspx?action=dns%3aessyfortunes.com&run=toolpage



On Tue, Jan 19, 2021 at 12:40 PM Markus Ehrlicher via Pdns-users <pdns-users at mailman.powerdns.com> wrote:
Hello,

Where do you get the information from your dig answer that the server is not authoritative?

Best regards,
Markus


From: Pdns-users <pdns-users-bounces at mailman.powerdns.com> On behalf of frank+pdns--- via Pdns-users
Sent: Tuesday, 19 January 2021 10:21
To: Dedan Irungu <dedanirungu at gmail.com>
Cc: pdns-users-ml <pdns-users at mailman.powerdns.com>
Subject: Re: [Pdns-users] Powerdns server is not passing Authority parameter

Hi,

Could you share the configuration of the PDNS Auth server please?

Frank Louwers
Certified PowerDNS Consultant @ Kiwazo.be

On 19 Jan 2021, at 10:08, Dedan Irungu via Pdns-users <pdns-users at mailman.powerdns.com> wrote:

I have made the changes requested as shown below. The server does not serve authoritative results.

    setLocal('85.10.203.183')
    setACL({'0.0.0.0/0', '::/0'}) -- Allow all IPs access

    newServer({address='85.10.203.183:5300', pool='auth'})
    newServer({address='85.10.203.183:5301', pool='recursor'})

    recursive_ips = newNMG()
    recursive_ips:addMask('127.0.0.1/8') -- These network masks are the ones from allow-recursion in the Authoritative Server

    addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))
    addAction(AllRule(), PoolAction('auth'))



I have tried to target powerdns directly via port 5300 but the result is the same. Any dig performed on port 5300 should be authoritative but in this case it is not.

dig @85.10.203.183 gifsitebuilder.com A -p 5300




On Tue, Jan 19, 2021 at 11:51 AM Brian Candler <b.candler at pobox.com> wrote:
On 19/01/2021 08:40, Dedan Irungu via Pdns-users wrote:
     recursive_ips:addMask('0.0.0.0/0') -- These network masks are the ones from allow-recursion in the Authoritative Server

     addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))
These two lines together say: "for incoming queries from *any* IP addresses: send them to the recursor".
Try changing the first one to something like:
    recursive_ips:addMask('192.168.0.0/16')   -- netblock containing your local clients
Then queries from 192.168.x.x will go to the recursor, whereas queries from any *other* addresses will go to the authoritative server.
_______________________________________________
Pdns-users mailing list
Pdns-users at mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users

Frank Louwers
PowerDNS Certified Consultant @ Kiwazo.be



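The distinction this thread turns on, as an added example that is not part of the original messages: the aa flag is one bit in the DNS header flags word, while the AUTHORITY figure dig prints is a separate record count, so either can be set without the other. The two sample headers are constructed from the id, flags and counts shown in the dig outputs above; the function names are hypothetical.

```python
import struct

# Bit masks in the 16-bit flags word of the DNS header (RFC 1035, section 4.1.1).
FLAG_BITS = {"qr": 0x8000, "aa": 0x0400, "tc": 0x0200, "rd": 0x0100, "ra": 0x0080}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def parse_header(message: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into the fields dig prints."""
    if len(message) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", message[:12])
    return {
        "id": ident,
        "flags": [name for name, bit in FLAG_BITS.items() if flags & bit],
        "status": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "QUERY": qd, "ANSWER": an, "AUTHORITY": ns, "ADDITIONAL": ar,
    }


def is_authoritative(message: bytes) -> bool:
    """True only if the AA bit is set; the AUTHORITY count plays no part."""
    return "aa" in parse_header(message)["flags"]


def build_header(ident, flag_names, qd, an, ns, ar) -> bytes:
    """Pack a header for the constructed samples below."""
    flags = 0
    for name in flag_names:
        flags |= FLAG_BITS[name]
    return struct.pack("!6H", ident, flags, qd, an, ns, ar)


# Constructed samples: headers rebuilt from the two dig outputs in the thread
# (header values only; question and record sections are omitted).
FROM_NS1_GOOGLE = build_header(42438, ["qr", "aa", "rd"], 1, 1, 0, 1)
FROM_NS1_KOMSA = build_header(16618, ["qr", "rd", "ra"], 1, 0, 1, 1)

if __name__ == "__main__":
    for label, msg in (("ns1.google.com", FROM_NS1_GOOGLE),
                       ("ns1.komsa.net", FROM_NS1_KOMSA)):
        h = parse_header(msg)
        print(label, h["flags"], "AUTHORITY:", h["AUTHORITY"],
              "authoritative:", is_authoritative(msg))
```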