[Pdns-users] Recursor 5.2.0 with RD=0 forwarded queries

Olli Attila attiolli at gmail.com
Fri Apr 4 18:25:04 UTC 2025 

Hello all,



After upgrading from dns-recursor 4.8.x -> 5.2.0 I noticed this happened:



Recursor 4.9.x changelog (4.9.0-alpha1 Improvements):

"Change the way RD=0 forwarded queries are handled.
References: pull request 12425 <https://github.com/PowerDNS/pdns/pull/12425>
"

Related PR: https://github.com/PowerDNS/pdns/pull/12594

I am using a setup in a custom environment where dnsdist is taking in
queries and routing them through a pdns recursor which is forwarding the
queries to pdns authoritative dns server. The recursor in between is doing
forwarding to auth server and is responsible of mangling the returned DNS
record data that the authoritative server returns. This so called
"mangling" is done because on some cases I need to alter the NAPTR response
depending the orginal source of the query. A sort of dns view if one would
like to use that kind of name for this behaviour.

Client side DNS component (which behaviour I can't unfortunately change) is
always sending the query with RD bit set to "0" towards dnsdist ip and
therefore after dnsdist has routed the query to the recursor, the 5.2.0
recursor is now refusing to forward the queries to authoritative servers
(REFUSED is returned). This was working on the pdns recursor 4.8.x. Now
that I need that mangling in between dnsdist and auth servers (at least for
the time being), what would be the options to achieve this after the 5.2.0
recursor upgrade on this kind of setup?

Observations / thoughts on different options:

   - Dnsdist does not seem to support the same kind of postresolve lua like
   the recursor component (=Altering returned NAPTR content with regexp. There
   is an example at the end of my mail). I have not succeeded in making it
   behave the same way. Also the dirty trick of making the dnsdist to force RD
   from 0 to 1 is off the table I think (for allowing the recursor to recurse
   to auth servers after dnsdist). This would be kind of a hack if even
   possible?
   - Im under the impression that Pdns authoritative server (what I use
   here as auth) is not either capable of doing this kind of mangling for the
   returned NAPTR records. Please correct me if I'm wrong with this.
   - On recursor config there is this new parameter "allow-no-rd" which was
   introduced in 5.0.0 but to use this in an effective way I should be having
   all the auth server data in the recursors internal cache and then after the
   response, do the mangling as before with the lua magic? Having to sync the
   data from auth servers  to the recursors cache seems quite weird but if
   someone has thoughts on this, Im all ears.



For the mangling of the NAPTR I'm doing this kind of thing on the recursor
now (which I would hope to preserve somehow):

 function postresolve(dq)

    local records = dq:getRecords()

    local modified = false

    for k, v in pairs(records) do

        if v.type == pdns.NAPTR and string.find(v:getContent(), "foo.bar")
then

            local originalContent = v:getContent()

            local one, two, three = string.match(v:getContent(),
"(.*)@(.*)bar(.*)")

            if one and two and three then

                v:changeContent(one .. "@newfoo.bar" .. three)

                modified = true

            end

            originalContent = v:getContent()

        end

    end

    if modified then

        dq:setRecords(records)

    end

    return true

End




Cheers,

OA
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20250404/229d34b8/attachment.htm>

More information about the Pdns-users mailing list