[Pdns-users] pdns-recursor zone-forward block and allow lists

Jan Gardian jan.gardian at redamp.io
Tue Apr 30 07:23:09 UTC 2024


Hello,

I am using PowerDNS Recursor 5.0.3 and I am trying to forward all 
zones towards dns0, which blocks malicious domains and returns NXDOMAIN. 
Unfortunately, for some domains I would like to use different forwarders 
than dns0 and get a normal DNS answer (e.g. forwarder 8.8.8.8:53).

I tried to configure forward-zones and add a zone that uses 8.8.8.8 instead 
of dns0; unfortunately it always responds with NXDOMAIN or SERVFAIL.

My configuration:
recursor.yml:
"
incoming:
   allow_from:
   - 192.168.0.0/24
   listen:
   - 192.168.0.100
   pdns_distributes_queries: true
logging:
   loglevel: 3
   quiet: true
recordcache:
   max_ttl: 86400
recursor:
   config_dir: /etc/powerdns
   forward_zones_file: /etc/powerdns/zones.yml
   hint_file: /usr/share/dns/root.hints
   include_dir: /etc/powerdns/recursor.d
   lua_config_file: /etc/powerdns/recursor.lua
"

zones.yml:
"
- zone: 'liveaqest.live'
  forwarders:
  - 8.8.8.8:53
  recurse: true
- zone: '.'
  forwarders:
  - 193.110.81.0:53
  - 185.253.5.0:53
"

recursor.lua:
"
dofile("/usr/share/pdns-recursor/lua-config/rootkeys.lua")
"

When I try `dig liveaqest.live @192.168.0.100` I get:
"
; <<>> DiG 9.18.24 <<>> liveaqest.live @192.168.0.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 65094
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;liveaqest.live.            IN    A

;; Query time: 39 msec
;; SERVER: 192.168.0.100#53(192.168.0.100) (UDP)
;; WHEN: Tue Apr 23 17:31:22 CEST 2024
;; MSG SIZE  rcvd: 43
"

And I can see in tcpdump that pdns-recursor got the correct answer from 
Google DNS, but it looks like it got something from dns0 as well and 
returned SERVFAIL. This domain is only an example; when tested with 
multiple domains that are blocked by dns0 and not by Google, it always 
behaved like this. The same happens with domains that have a CNAME first and then an A record.
tcpdump:
"
17:31:22.071802 IP 192.168.0.101.41941 > pdns-recursor.domain: 65094+ [1au] A? liveaqest.live. (55)
17:31:22.072588 IP pdns-recursor.55092 > dns.google.domain: 5457+% [1au] A? liveaqest.live. (43)
17:31:22.090703 IP dns.google.domain > pdns-recursor.55092: 5457 2/0/1 A 188.114.97.3, A 188.114.96.3 (75)
17:31:22.091020 IP pdns-recursor.52908 > dns0.eu.domain: 55841 [1au] DS? live. (33)
17:31:22.095823 IP dns0.eu.domain > pdns-recursor.52908: 55841$ 0/14/1 (530)
17:31:22.096001 IP pdns-recursor.25826 > dns0.eu.domain: 28404 [1au] DS? live. (33)
17:31:22.099646 IP pdns-recursor.34244 > 10.35.21.1.domain: 26987+ PTR? 101.0.164.192.in-addr.arpa. (42)
17:31:22.100761 IP dns0.eu.domain > pdns-recursor.25826: 28404$ 0/14/1 (530)
17:31:22.101142 IP pdns-recursor.domain > 192.168.0.101.41941: 65094 ServFail 0/0/1 (43)
"

Is it possible to use forward-zones as an allow list and a block list 
together? I thought that it goes from top to bottom of this 
zones.yml file and, if it finds a match, uses those forwarders, not both of 
them together.
Is there a way to make this happen with pdns-recursor settings or 
some custom Lua script?

Thank you for any help.

*Jan Gardian*
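The forwarder selection the post asks about, modelled in Python as an added example (this is not PowerDNS code and not part of the original message): a query name is matched to the most specific forward zone whose name is a suffix of it, which is how the PowerDNS Recursor documentation describes forward-zone matching, and the outgoing queries from the tcpdump above are parsed and compared against that model. The DS lookup for the parent zone `live.` is a modelling assumption taken from the capture, the address-to-hostname table mirrors tcpdump's reverse resolution of the forwarder addresses, and all function names are the example's own.

```python
"""Which forwarder does each lookup reach under the zones.yml in the post?

Added illustration, not PowerDNS Recursor code. Assumptions:
- forward-zone selection is by longest matching suffix (most specific zone);
- a validated answer also needs the DS record of the parent zone ("live."),
  a lookup visible in the tcpdump above and modelled here as its own query.
"""
import re

# Forward zones copied from the zones.yml in the post.
FORWARD_ZONES = [
    {"zone": "liveaqest.live", "forwarders": ["8.8.8.8:53"], "recurse": True},
    {"zone": ".", "forwarders": ["193.110.81.0:53", "185.253.5.0:53"], "recurse": False},
]

# Forwarder address -> host name as tcpdump printed it (reverse lookups in the capture).
HOSTNAMES = {"8.8.8.8:53": "dns.google", "193.110.81.0:53": "dns0.eu", "185.253.5.0:53": "dns0.eu"}


def _labels(name):
    """Split a DNS name into labels; '.' (the root) becomes an empty list."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def select_forward_zone(qname, zones=FORWARD_ZONES):
    """Return the most specific forward zone whose name is a suffix of qname.
    Longest-suffix selection is an assumption about the recursor, not read
    from its source; '.' matches everything, so a match always exists here."""
    q = _labels(qname)
    best = None
    for zone in zones:
        zl = _labels(zone["zone"])
        if len(zl) <= len(q) and q[len(q) - len(zl):] == zl:
            if best is None or len(zl) > len(_labels(best["zone"])):
                best = zone
    return best


def lookups_for(qname):
    """Query names needed for a validated answer: the name itself plus a DS
    lookup for the top-level parent (modelling assumption, see 'DS? live.')."""
    q = _labels(qname)
    return [(qname, "A")] + ([(q[-1] + ".", "DS")] if len(q) > 1 else [])


def plan(qname):
    """(qname, qtype, forwarders) for every lookup the model predicts."""
    return [(name, qtype, select_forward_zone(name)["forwarders"])
            for name, qtype in lookups_for(qname)]


# Constructed input: the outgoing queries quoted from the tcpdump in the post.
CAPTURE = """\
17:31:22.072588 IP pdns-recursor.55092 > dns.google.domain: 5457+% [1au] A? liveaqest.live. (43)
17:31:22.091020 IP pdns-recursor.52908 > dns0.eu.domain: 55841 [1au] DS? live. (33)
17:31:22.096001 IP pdns-recursor.25826 > dns0.eu.domain: 28404 [1au] DS? live. (33)
"""
LINE = re.compile(r"IP pdns-recursor\.\d+ > (?P<dst>\S+)\.domain: .*? "
                  r"(?P<qtype>[A-Z]+)\? (?P<qname>\S+) \(\d+\)")


def upstream_by_query(capture=CAPTURE):
    """Map (qname, qtype) -> set of upstream hosts the recursor asked."""
    seen = {}
    for line in capture.splitlines():
        m = LINE.search(line)
        if m:
            seen.setdefault((m["qname"], m["qtype"]), set()).add(m["dst"])
    return seen


def mismatches(qname="liveaqest.live", capture=CAPTURE):
    """Lookups where the capture shows an upstream the model would not pick."""
    seen = upstream_by_query(capture)
    out = []
    for name, qtype, forwarders in plan(qname):
        expected = {HOSTNAMES[f] for f in forwarders}
        actual = seen.get((name.rstrip(".") + ".", qtype), set())
        if actual - expected:
            out.append((name, qtype, sorted(actual - expected)))
    return out


if __name__ == "__main__":
    for name, qtype, forwarders in plan("liveaqest.live"):
        print(f"{qtype:3} {name:18} -> {forwarders}")
    print("unexplained upstreams:", mismatches())
```

Under this model the A query for `liveaqest.live` goes to 8.8.8.8 while the DS query for `live.` falls under the `.` zone and goes to dns0, which is exactly the split the capture shows; the model reports no unexplained upstream, so the SERVFAIL is consistent with the two forward zones being consulted for different names of the same resolution rather than with one zone overriding the other.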