[Pdns-users] pdns-recursor zone-forward block and allow lists
Jan Gardian
jan.gardian at redamp.io
Tue Apr 30 07:23:09 UTC 2024
Hello,
I am using PowerDNS Recursor 5.0.3 and I am trying to forward all
zones towards dns0, which blocks malicious domains and returns NXDOMAIN.
Unfortunately, for some domains I would like to use different forwarders
than dns0 and get a normal DNS answer (e.g. forwarders 8.8.8.8:53).
I tried to configure forward-zones and add a zone to use 8.8.8.8 instead
of dns0; unfortunately it always responds with NXDOMAIN or SERVFAIL.
My configuration:
recursor.yml:
"
incoming:
allow_from:
- 192.168.0.0/24
listen:
- 192.168.0.100
pdns_distributes_queries: true
logging:
loglevel: 3
quiet: true
recordcache:
max_ttl: 86400
recursor:
config_dir: /etc/powerdns
forward_zones_file: /etc/powerdns/zones.yml
hint_file: /usr/share/dns/root.hints
include_dir: /etc/powerdns/recursor.d
lua_config_file: /etc/powerdns/recursor.lua
"
zones.yml:
"
- zone: 'liveaqest.live'
forwarders:
- 8.8.8.8:53
recurse: true
- zone: '.'
forwarders:
- 193.110.81.0:53
- 185.253.5.0:53
"
recursor.lua:
"
dofile("/usr/share/pdns-recursor/lua-config/rootkeys.lua")
"
When I try `dig liveaqest.live @192.168.0.100` I get:
"
; <<>> DiG 9.18.24 <<>> liveaqest.live @192.168.0.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 65094
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;liveaqest.live. IN A
;; Query time: 39 msec
;; SERVER: 192.168.0.100#53(192.168.0.100) (UDP)
;; WHEN: Tue Apr 23 17:31:22 CEST 2024
;; MSG SIZE rcvd: 43
"
And I can see in tcpdump that pdns-recursor got a correct answer from
Google DNS, but it looks like it got something from dns0 as well and
returned SERVFAIL. This one domain is only an example; when tested with
multiple domains that are blocked by dns0 and not by Google, it always
behaved like this. The same happens for domains that have first a CNAME and then an A record.
tcpdump:
"
17:31:22.071802 IP 192.168.0.101.41941 > pdns-recursor.domain: 65094+
[1au] A? liveaqest.live. (55)
17:31:22.072588 IP pdns-recursor.55092 > dns.google.domain: 5457+% [1au]
A? liveaqest.live. (43)
17:31:22.090703 IP dns.google.domain > pdns-recursor.55092: 5457 2/0/1 A
188.114.97.3, A 188.114.96.3 (75)
17:31:22.091020 IP pdns-recursor.52908 > dns0.eu.domain: 55841 [1au] DS?
live. (33)
17:31:22.095823 IP dns0.eu.domain > pdns-recursor.52908: 55841$ 0/14/1 (530)
17:31:22.096001 IP pdns-recursor.25826 > dns0.eu.domain: 28404 [1au] DS?
live. (33)
17:31:22.099646 IP pdns-recursor.34244 > 10.35.21.1.domain: 26987+ PTR?
101.0.164.192.in-addr.arpa. (42)
17:31:22.100761 IP dns0.eu.domain > pdns-recursor.25826: 28404$ 0/14/1 (530)
17:31:22.101142 IP pdns-recursor.domain > 192.168.0.101.41941: 65094
ServFail 0/0/1 (43)
"
Is it possible to use forward-zones as an allow list and a block list
together? I thought that it goes from top to bottom of this
zones.yml file and, if it finds a match, uses those forwarders, not both of
them together.
Is there a way to make this happen with pdns-recursor settings or
some custom Lua script?
Thank you for any help.
*Jan Gardian*
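A diagnostic helper for the situation described above, added here and not part of the original post or of PowerDNS itself: the tcpdump shows the recursor fetching DS records for the parent zone from the '.' forwarder before answering SERVFAIL, so the first thing to establish is whether the SERVFAIL is produced by the recursor's own DNSSEC validation (the same query succeeds with +cd, checking disabled) or by the forwarding itself. It assumes dig is installed and that the recursor and forwarders are reachable; the script name check.sh and the parsing helpers are assumptions.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original post). Assumes dig is
# installed; the live part needs network access to the recursor/forwarders.

# Extract the RCODE ("status: ...") from dig output read on stdin.
dig_status() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Classify a SERVFAIL: if the same query succeeds with +cd (checking
# disabled), the recursor's own DNSSEC validation produced the SERVFAIL;
# if it still fails with +cd, the problem is upstream or in forwarding.
classify() {
    plain="$1"; cdflag="$2"
    case "$plain/$cdflag" in
        SERVFAIL/NOERROR|SERVFAIL/NXDOMAIN) echo "validation-failure" ;;
        SERVFAIL/*) echo "upstream-or-forwarding-failure" ;;
        */*) echo "answered: $plain" ;;
    esac
}

# Live check: the recursor's view with and without +cd, each forwarder's
# direct answer, and the DS record for the parent zone as seen via the
# recursor (the lookup the tcpdump shows going to the '.' forwarder).
diagnose() {
    name="$1"; recursor="$2"; shift 2
    plain=$(dig +time=3 +tries=1 "$name" @"$recursor" | dig_status)
    cdflag=$(dig +cd +time=3 +tries=1 "$name" @"$recursor" | dig_status)
    echo "recursor $recursor: status=$plain +cd=$cdflag -> $(classify "$plain" "$cdflag")"
    for fwd in "$@"; do
        echo "forwarder $fwd: $(dig +time=3 +tries=1 "$name" @"$fwd" | dig_status)"
    done
    parent=${name#*.}
    echo "DS $parent. via recursor (+cd): $(dig +cd +time=3 +tries=1 DS "$parent." @"$recursor" | dig_status)"
}

# Usage: sh check.sh liveaqest.live 192.168.0.100 8.8.8.8 193.110.81.0
if [ $# -ge 2 ]; then
    diagnose "$@"
fi
```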