[Pdns-users] stupid recursor question
Brian Candler
b.candler at pobox.com
Tue Dec 6 17:26:47 UTC 2022
On 06/12/2022 17:06, Curtis Maurand via Pdns-users wrote:
> On the authoritative server I host a domain that I'll call domain.tld
> as the example.
It really helps if you give the real domain, since many problems can be
diagnosed easily by querying the auth nameserver. See
https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/
Is this a real domain, i.e. does your authoritative server have a public
IP address and NS records pointing at it? I am guessing that it is,
since you say it's dnssec signed. Is your auth server behind any sort
of NAT?
> All seems to be well, until I query the local recursor which returns
> nothing. It answers, but doesn't return a response.
Define "nothing": NOERROR with no records, NXDOMAIN, SERVFAIL, something
else?
Can your recursor reach the authoritative server on its public IP address?
That is, from the shell of the recursor, can you query the auth server
like this:
    dig +norec @x.x.x.x domain.tld. a
> I've tried forward-zones = domain.tld=192.168.100.30; and that
> doesn't seem to work.
You can run tcpdump to see whether the recursor is sending queries to
192.168.100.30, and if so, what response it gets.
    tcpdump -i eth0 -nn -s0 -v port 53 and host 192.168.100.30
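
The "Define nothing" question above can be settled from dig's own output. The following is an added example, not part of the original message: a shell function that reads dig text output and reports which case applies. The name `classify_dig` and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Classify a resolver reply from dig's text output on stdin.
# Prints one of: ANSWER, NODATA, NXDOMAIN, SERVFAIL, OTHER:<rcode>, NO-RESPONSE
# Real use (resolver address is a placeholder):
#   dig @RECURSOR_IP domain.tld. a | classify_dig
classify_dig() {
    awk '
        /->>HEADER<<-/ {
            # e.g. ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242"
            if (match($0, /status: [A-Z0-9]+/))
                rcode = substr($0, RSTART + 8, RLENGTH - 8)
        }
        /^;; flags:/ {
            # e.g. ";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ..."
            if (match($0, /ANSWER: [0-9]+/))
                answers = substr($0, RSTART + 8, RLENGTH - 8) + 0
        }
        END {
            if (rcode == "")             print "NO-RESPONSE"
            else if (rcode == "NOERROR") print (answers > 0 ? "ANSWER" : "NODATA")
            else if (rcode == "NXDOMAIN" || rcode == "SERVFAIL") print rcode
            else                         print "OTHER:" rcode
        }'
}

# Constructed sample outputs (not captured from the poster's systems).
sample_servfail() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
EOF
}
sample_nodata() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
EOF
}
sample_timeout() {
    cat <<'EOF'
;; connection timed out; no servers could be reached
EOF
}

for s in sample_servfail sample_nodata sample_timeout; do
    printf '%s -> %s\n' "$s" "$($s | classify_dig)"
done
```

Running the same function on the `dig +norec` query sent directly to the auth server shows whether the recursor and the authoritative server disagree.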