[Pdns-users] failover on NXDOMAIN

Brian Candler b.candler at pobox.com
Fri Feb 7 10:54:05 UTC 2025


On 07/02/2025 10:31, Pavel Prostin via Pdns-users wrote:
>
> I’m trying to configure the PowerDNS recursor to failover on NXDOMAIN. 
> Here is the scenario:
>
> There are two DNS zones: internal and external. The problem is that 
> *.example.com can either be used for an internal 
> or an external host, and thus the record can exist on any DNS server.
>
> Possible workaround: A client tries to resolve the hostname using the 
> primary (internal) DNS first. If the internal DNS server has no record 
> or cannot resolve the host because it is external and returns NXDOMAIN 
> (non-existent domain), a second request is then made to the alternate 
> (external) DNS server (this is not the secondary DNS fallback) to 
> resolve the domain/host.
>
> I understand that this approach is not RFC-compliant and is not the 
> recommended solution (e.g., using .internal.example.com 
> for internal hosts). However, I 
> attempted to implement it using a custom LUA script (see below), which 
> unfortunately does not work as intended.
>
> Is the intended solution feasible and scalable?

I don't think it is. However, if you are forced to use split DNS in your 
environment (meaning that foo.example.com resolves differently for 
internal and external users), I can offer a better alternative.

On your internal recursor, use a Response Policy Zone (RPZ) to set the 
responses which should be seen for *.example.com for internal users.  
Then any names which are not listed here will automatically fall through 
to the external domain.

I've done this successfully with bind9. I've never tried it with 
pdns-recursor but it appears to be fully supported:

https://doc.powerdns.com/recursor/lua-config/rpz.html

HTH,

Brian.
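The RPZ approach Brian describes, written out as an added example (not from the thread or from PowerDNS): a shell function that writes the RPZ zone file and the pdns-recursor Lua config that loads it. The zone name internal-split.rpz, the host names and the 10.0.0.x addresses are assumed sample values, and it assumes the internal recursor resolves example.com normally from the public authoritative servers, so only the names listed in the RPZ are overridden.

```shell
#!/bin/sh
# Added example, not from the thread or from PowerDNS: writes the two files
# needed for the RPZ-based split DNS Brian describes. All names and
# addresses below are constructed sample values.
set -eu

# Usage: write_split_dns_rpz <config directory>
# Point recursor.conf at the generated Lua file with
#   lua-config-file=<config directory>/recursor.lua
write_split_dns_rpz() {
    dir="$1"

    # RPZ zone: each owner name is <query name>.<rpz zone>. Only the names
    # listed here are rewritten to internal addresses; any other name under
    # example.com matches nothing and falls through to normal recursion,
    # i.e. the answer from the external (public) example.com zone.
    cat > "$dir/internal-rpz.zone" <<'EOF'
$ORIGIN internal-split.rpz.
$TTL 300
@                       IN SOA  localhost. hostmaster.localhost. 1 3600 600 86400 300
@                       IN NS   localhost.
; Local Data policy: answer these names with internal addresses
intranet.example.com    IN A    10.0.0.10
mail.example.com        IN A    10.0.0.25
*.dev.example.com       IN A    10.0.0.50
EOF

    # Lua config for pdns-recursor: load the RPZ from disk. policyName is
    # the label the recursor uses for this policy in logs and statistics.
    cat > "$dir/recursor.lua" <<EOF
rpzFile("$dir/internal-rpz.zone", { policyName = "internal-split" })
EOF
}

# Check after restarting the recursor (10.0.0.53 is an assumed address):
#   dig @10.0.0.53 intranet.example.com A   # answered from the RPZ
#   dig @10.0.0.53 www.example.com A        # falls through to the public zone
```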