[Pdns-users] DNAME randomly failing on Linux clients
Adam Cecile
acecile at letz-it.lu
Wed Apr 6 09:04:50 UTC 2022
On 4/6/22 10:46, Adam Cecile wrote:
> On 4/6/22 10:44, Brian Candler wrote:
>> On 06/04/2022 09:36, Adam Cecile via Pdns-users wrote:
>>> Any idea what's going on here, I'm completely lost. I guess my DNAME
>>> usage is somehow incorrect but I don't understand why it's working
>>> intermittently (and always with pure DNS call using dig...)
>>
>> Just a thought, but does your system use systemd-resolved? (Clue:
>> /etc/resolv.conf points to nameserver 127.0.0.53). For example, it
>> may treat ".local" differently, given that domain is reserved for
>> multicast DNS (as dig output informs you); or there may be some
>> DNSSEC issue. "systemd-resolve --status" may give you some clue.
>>
>> Apart from that, I suggest you look at the raw queries and responses
>> on the wire, and see how this differs between using direct dig and
>> gethostbyname:
>>
>> tcpdump -i eth0 -nn -s0 -v port 53
>>
>> (replace "eth0" with whatever your external interface is)
>>
> Hello,
>
> No regular resolv.conf pointing to 127.0.0.1 (local DNSDist -> local
> PowerDNS), nsswitch mdns stuff is also removed.
>
Just found out something interesting: it works with PowerDNS recursor but
not DNSDist:
Recursor config:
local-address=0.0.0.0, ::
local-port=53
forward-zones=domain.internal=127.0.0.1:5300
forward-zones+=in-addr.arpa=127.0.0.1:5300
forward-zones+=domain.local=127.0.0.1:5300
forward-zones+=another.domain=127.0.0.1:5300
forward-zones+=another.domain2=127.0.0.1:5300
forward-zones+=another.domain3=127.0.0.1:5300
forward-zones+=another.domain4=127.0.0.1:5300
forward-zones-recurse=.=10.10.10.10
serve-rfc1918=no
loglevel=6
quiet=no
lua-config-file=/etc/powerdns/local-protobuf-forwarder-recursor.lua
DNSDist config:
setSecurityPollSuffix("")
addLocal('0.0.0.0:53', {reusePort=true})
newServer({address="127.0.0.1:5300", pool="authoritative"})
newServer({address="10.10.10.10:53", pool="recursor"})
setACL({'127.0.0.0/8'})
addACL('10.1.0.0/16')
addACL('192.168.69.33/27')
addAction(AndRule({OrRule({OpcodeRule(DNSOpcode.Notify),
OpcodeRule(DNSOpcode.Update), QTypeRule(DNSQType.AXFR),
QTypeRule(DNSQType.IXFR)}), NotRule(makeRule({"127.0.0.1/8",
"10.x.x.x/32", "10.x.x.x/32", "10.x.x.x/32"}))}),
RCodeAction(dnsdist.REFUSED))
addAction(OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}),
RCodeAction(DNSRCode.REFUSED))
addAction({'in-addr.arpa'}, PoolAction("authoritative"))
addAction({'domain.local'}, PoolAction("authoritative"))
addAction({'domain.internal'}, PoolAction("authoritative"))
addAction({'another.domain'}, PoolAction("authoritative"))
addAction({'another.domain2'}, PoolAction("authoritative"))
addAction({'another.domain3'}, PoolAction("authoritative"))
addAction({'another.domain4'}, PoolAction("authoritative"))
addAction(AllRule(), PoolAction('recursor'))
rl = newRemoteLogger("127.0.0.1:50001")
addAction(AllRule(),RemoteLogAction(rl))
Any idea? I can definitely make TCPDumps at some point but I'm not sure
I'll be able to understand them ;-)
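Added example, not code from the thread: a small check that the zone lists in the two configs above send the same names to the authoritative server, and a reimplementation of the suffix match that dnsdist applies to `addAction({'zone'}, ...)` (the name itself and its subdomains). Zone names and addresses are copied from the post; the subset of lines kept is an assumption for brevity.

```python
# Added example (not from the thread). Zone lists copied from the two configs
# in the post; pool_for() mirrors dnsdist's documented suffix matching for a
# table of names, which is an assumption about its behaviour, not its code.
import re

RECURSOR_CONF = """\
forward-zones=domain.internal=127.0.0.1:5300
forward-zones+=in-addr.arpa=127.0.0.1:5300
forward-zones+=domain.local=127.0.0.1:5300
forward-zones+=another.domain=127.0.0.1:5300
forward-zones-recurse=.=10.10.10.10
"""

DNSDIST_CONF = """\
addAction({'in-addr.arpa'}, PoolAction("authoritative"))
addAction({'domain.local'}, PoolAction("authoritative"))
addAction({'domain.internal'}, PoolAction("authoritative"))
addAction({'another.domain'}, PoolAction("authoritative"))
addAction(AllRule(), PoolAction('recursor'))
"""

def recursor_zones(conf):
    """Zones the recursor forwards to the authoritative server on :5300."""
    pat = re.compile(r"^forward-zones\+?=([^=]+)=127\.0\.0\.1:5300$", re.M)
    return {m.group(1).lower().rstrip(".") for m in pat.finditer(conf)}

def dnsdist_zones(conf):
    """Zones dnsdist steers into the 'authoritative' pool."""
    pat = re.compile(r"""addAction\(\{'([^']+)'\},\s*PoolAction\("authoritative"\)\)""")
    return {m.group(1).lower().rstrip(".") for m in pat.finditer(conf)}

def pool_for(qname, zones):
    """Route a query name the way the posted dnsdist rules do: a name that
    equals or is a subdomain of a listed zone goes to 'authoritative';
    everything else falls through AllRule() to 'recursor'."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in zones:
            return "authoritative"
    return "recursor"

def config_drift(recursor_conf, dnsdist_conf):
    """Zones only one of the two front-ends sends to the authoritative server.
    Any such zone is answered internally behind the recursor but handed to
    10.10.10.10 behind dnsdist, so the two paths give different answers."""
    r, d = recursor_zones(recursor_conf), dnsdist_zones(dnsdist_conf)
    return r - d, d - r

if __name__ == "__main__":
    print(config_drift(RECURSOR_CONF, DNSDIST_CONF))
    print(pool_for("host.domain.local", dnsdist_zones(DNSDIST_CONF)))
```

With the lists as posted the drift is empty, so the next thing to compare is the wire traffic, as suggested above.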