[Pdns-users] stupid recursor question

Brian Candler b.candler at pobox.com
Tue Dec 6 17:26:47 UTC 2022

On 06/12/2022 17:06, Curtis Maurand via Pdns-users wrote:
> On the authoritative server I host a domain that I'll call domain.tld 
> as the example.

It really helps if you give the real domain, since many problems can be 
diagnosed easily by querying the auth nameserver. See


Is this a real domain, i.e. does your authoritative server have a public 
IP address and NS records pointing at it?  I am guessing that it is, 
since you say it's dnssec signed.  Is your auth server behind any sort 
of NAT?

> All seems to be well, until I query the local recursor which returns 
> nothing.  It answers, but doesn't return a response.

Define "nothing": NOERROR with no records, NXDOMAIN, SERVFAIL, something 

Can your recursor reach the authoritative server on its public IP address?

That is, from the shell of the recursor, can you query the auth server 
like this:

dig +norec @x.x.x.x domain.tld. a

>  I've tried forward-zones = domain.tld=; and that 
> doesn't seem to work.

You can run tcpdump to see whether the recursor is sending queries to, and if so, what response it gets.

tcpdump -i eth0 -nn -s0 -v port 53 and host
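
Added example, not part of the original message: a shell helper that turns dig's text output into one of the outcomes distinguished above (NOERROR with no records, NXDOMAIN, SERVFAIL, or no reply at all) and reports whether the "aa" flag was set. The function name `classify_dig_reply`, the verdict labels and the sample replies are constructed for illustration.

```shell
#!/bin/sh
# Classify a dig reply by rcode, answer count and the "aa" flag.
# Reads dig text output on stdin; prints "<verdict> aa=<0|1>".
# Live use, with the query from the message above:
#   dig +norec @x.x.x.x domain.tld. a | classify_dig_reply
classify_dig_reply() {
    awk '
        /no servers could be reached/ { timeout = 1 }
        /->>HEADER<<-/ {
            # ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242"
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; flags:/ {
            # ";; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1"
            inflags = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "flags:") { inflags = 1; continue }
                if (inflags) {
                    f = $i
                    if (sub(/;$/, "", f)) inflags = 0   # last flag ends with ";"
                    if (f == "aa") aa = 1
                }
                if ($i == "ANSWER:") answers = $(i + 1) + 0
            }
        }
        END {
            if (status == "")             verdict = timeout ? "NO-REPLY" : "UNPARSEABLE"
            else if (status != "NOERROR") verdict = status
            else                          verdict = answers > 0 ? "ANSWER" : "NOERROR-EMPTY"
            printf "%s aa=%d\n", verdict, aa
        }'
}

# Constructed sample replies (header lines only), not captured from the thread.
servfail_reply=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
empty_reply=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'
answer_reply=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
timeout_reply=';; connection timed out; no servers could be reached'

for sample in "$servfail_reply" "$empty_reply" "$answer_reply" "$timeout_reply"; do
    printf '%s\n' "$sample" | classify_dig_reply
done
```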
