[Pdns-users] DNS Forwarding on Master/Slave Servers

Pieter Lexis pieter.lexis at powerdns.com
Fri May 7 08:05:34 UTC 2021


Hi Steven,

On 5/7/21 7:14 AM, Steven Garner via Pdns-users wrote:
> I have a noob question about DNS forwarding - just implemented pdns
> version 4.2.1 on three servers on separate networks, intending for one
> to be a master (primary) and the other two to be slaves (secondaries). 
> So far I love it, but I think I may be doing something wrong with DNS
> forwarding.

4.2 will be EOL in the coming month, see [1]. I recommend you upgrade to
4.4 from our repo[2] and consult the upgrade guide[3]. But this is not
the source of your problems :).

> I have records for some 383 domains in MySQL as a backend.
> 
> [...]
>> Also the master/slave state is configured on a per domain basis in the
> domains table with the type column set to either MASTER or SLAVE
> respectively. The slave has the master node IP addresses set for each
> domain in the master column in the domains table.
> 
> dig would seem to indicate that everything is working fine:
> 
> [...]
> 
> Yet other methods seem to indicate there may be problems:
> 
> [...]
> 2) When I test opensourceserver.io <http://opensourceserver.io> on
> https://www.site24x7.com/dns-lookup.html
> <https://www.site24x7.com/dns-lookup.html>, it states there is a
> "Possible DNS forwarding issue." for each server.

"Forwarding" is a bit of a mis-nomer here. Looking at the responses of
the servers, I see a REFUSED from 47.225.208.154, which might indicate
the zone is not transferred to this server. I can't get any response
from 207.177.51.156, which could be a firewall, or middlebox doing nasty
things.

For the server at 47.225.208.154, please check the logs (`grep`ing for
opensourceserver.io) and the output of `pdnsutil show-zone
opensourceserver.io` to see what is going on with the XFR.

For the server at 207.177.51.156, check the firewall(s), also on the
network path. And if PowerDNS is running at all :).

DNSVIZ [4] also reports that the glue records from .io do not match the
authoritave records in the zone. The .io nameserver sends 76.76.238.10
for all 3 nameservers, so you will need to update your glue for
starters. This can be done in you registrar control panel. But I suggest
you fix the issues above first.

Cheers,

Pieter

1 - https://doc.powerdns.com/authoritative/appendices/EOL.html
2 - https://repo.powerdns.com/
3 - https://doc.powerdns.com/authoritative/upgrading.html
4 - https://dnsviz.net/d/opensourceserver.io/YJTycg/dnssec/

-- 
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com


More information about the Pdns-users mailing list