[Pdns-users] Help with "simple" config please

Slacker T slackert at gmail.com
Mon Oct 31 15:04:31 UTC 2022

I'm working though upgrading from 4.4 to the latest version. Tackling
issues one at a time. I'm trying to get usable log info on who I'm getting
queries from. I've never used ECS/EDNS before, I think it's what I need to
use to get what I want. I use dnsdist in front of both my recursor and auth
server all on the name server, same for my secondary. Please look at my
config and tell me what you think. I understand that the logs are showing
what's actually happening, as the query is from I'd just like to
be able to get the originator ip too if possible.

Another thing, I'm not sure zone updates are being accepted by the
secondary. Is there anything different you have to do that changed since
4.4? It's like it sees the update from the loopback rather than from the
primary. Not sure if it's related to any of the ECS/EDNS options.



> openbsd-7.2
> dnsdist-1.7.2
> powerdns-4.6.3
> powerdns-recursor-4.7.3

Log showing dnsdist IP rather than originating client:

> pdns_recursor[67506]: 3 [1230/1] question for '
> chat-e2ee-mini.c10r.facebook.com|A' from


> setuid=_powerdns

> gsqlite3-database=/var/db/pdns/pdns.sqlite3
> gsqlite3-dnssec
> allow-axfr-ips=
> also-notify=
> daemon=yes
> edns-subnet-processing=yes
> guardian=yes
> local-address=
> loglevel=5
> primary=yes
> secondary=no


> setuid=_pdns_recursor
> setgid=_pdns_recursor
> chroot=/var/pdns_recursor
> allow-from=,,,,
>,, ::1/128, fc00::/7, fe80::/10
> daemon=yes
> disable-syslog=no
> dnssec-log-bogus=yes
> forward-zones=mydomain.com=
> forward-zones+=sub.mydomain.com=
> forward-zones+=sub.otherdomain.org=
> local-address=
> log-common-errors=yes
> log-rpz-changes=yes
> logging-facility=0
> loglevel=4
> quiet=no


> setLocal('')
> addLocal('')
> setACL({'', '::/0'}) -- Allow all IPs access

> setECSSourcePrefixV4(32)
> setECSSourcePrefixV6(128)
> newServer({address='', pool='auth', useClientSubnet=true})
> newServer({address='', pool='recursor',
> useClientSubnet=true})
> recursive_ips = newNMG()
> recursive_ips:addMask('') -- These network masks are the ones
> from allow-recursion in the Authoritative Server
> recursive_ips:addMask('')
> recursive_ips:addMask('')
> recursive_ips:addMask('')
> addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))
> addAction(AllRule(), PoolAction('auth'))
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20221031/efe409f3/attachment.htm>

More information about the Pdns-users mailing list