[Pdns-users] failover on NXDOMAIN
Pavel Prostin
compek at gmail.com
Fri Feb 7 11:51:46 UTC 2025
Thank you for your response. The case is more complex. There are two
strictly separated DNS servers, one for internal and one for external
hosts. For security reasons, external DNS resolution is generally
prohibited. Only selected servers (such as the proxy) can access the
external DNS in a separate network security zone. Therefore, it is not just
classic split horizon, because a hostname is (or should be) available only
in one of the zones, not in both.
The solution I’m trying to find is to build a separate server for this
single proxy server that can resolve a hostname without knowing which zone
is responsible for it. Please check if the following approach will work:
Configure RPZ with internal records (*.example.com pointing to internal
IPs).
When an internal hostname is queried, RPZ overrides the normal resolution
and provides the internal answer.
If a record is not in RPZ, the DNS resolver forwards the request to 8.8.8.8.
External records (*.example.com not in RPZ) resolve normally via Google DNS.
Should I maintain RPZ records on this auxiliary server for internal hosts
manually? My understanding is that RPZ only overrides responses and does
not forward queries for unknown records.
Thank you for your assistance.
On Fri, Feb 7, 2025 at 11:54 AM Brian Candler <b.candler at pobox.com> wrote:
> On 07/02/2025 10:31, Pavel Prostin via Pdns-users wrote:
>
>
> I’m trying to configure the PowerDNS recursor to failover on NXDOMAIN.
> Here is the scenario:
>
> There are two DNS zones: internal and external. The problem is that
> *.example.com can either be used for an internal or an external host, and
> thus the record can exist on any DNS server.
>
> Possible workaround: A client tries to resolve the hostname using the
> primary (internal) DNS first. If the internal DNS server has no record or
> cannot resolve the host because it is external and returns NXDOMAIN
> (non-existent domain), a second request is then made to the alternate
> (external) DNS server (this is not the secondary DNS fallback) to resolve
> the domain/host.
>
> I understand that this approach is not RFC-compliant and is not the
> recommended solution (e.g., using .internal.example.com for internal
> hosts). However, I attempted to implement it using a custom LUA script (see
> below), which unfortunately does not work as intended.
>
> Is the intended solution feasible and scalable?
>
> I don't think it is. However, if you are forced to use split DNS in your
> environment (meaning that foo.example.com resolves differently for
> internal and external users), I can offer a better alternative.
>
> On your internal recursor, use a Response Policy Zone (RPZ) to set the
> responses which should be seen for *.example.com for internal users.
> Then any names which are not listed here will automatically fall through to
> the external domain.
>
> I've done this successfully with bind9. I've never tried it with
> pdns-recursor but it appears to be fully supported:
>
> https://doc.powerdns.com/recursor/lua-config/rpz.html
>
> HTH,
>
> Brian.
>
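Added example, not code from the thread or from the PowerDNS project: the three configuration pieces that the auxiliary resolver described above would need, following the RPZ documentation Brian linked (rpzFile in the recursor's lua-config-file, forward-zones-recurse for everything else, allow-from to restrict who may query). The zone origin rpz.internal., the 10.0.0.x addresses, the 192.0.2.0/24 proxy range and the output paths are constructed placeholders. Two points a defender should keep in mind: RPZ QNAME triggers are, to my understanding, evaluated before the recursor contacts any upstream, so names listed in the policy zone are answered locally and never reach 8.8.8.8; conversely any internal name missing from the file is forwarded externally, which is exactly why the maintenance question in the mail matters (the same documentation also offers rpzPrimary for loading the policy zone by AXFR instead of from a file).

```shell
#!/bin/sh
# Constructed example (not from the thread): generates the configuration
# for the proposed auxiliary resolver. Paths, addresses and the policy zone
# origin are assumptions chosen for illustration.
set -eu

# write_resolver_config DIR
# Writes internal.rpz, rpz.lua and a recursor.conf fragment into DIR.
write_resolver_config() {
    dir=$1
    mkdir -p "$dir"

    # 1. The Response Policy Zone. Only names listed here are answered from
    #    the policy (RPZ "Local Data" action). Trigger names are relative to
    #    the zone origin, so "intranet.example.com" below matches the query
    #    name intranet.example.com.
    cat > "$dir/internal.rpz" <<'EOF'
$TTL 300
$ORIGIN rpz.internal.
@               IN SOA  localhost. hostmaster.rpz.internal. 2025020701 3600 900 604800 300
@               IN NS   localhost.
; Local Data: internal hosts answered from the policy zone (sample addresses)
intranet.example.com    IN A    10.0.0.5
git.example.com         IN A    10.0.0.6
; wildcard trigger: every name under corp.example.com is internal
*.corp.example.com      IN A    10.0.0.7
EOF

    # 2. Recursor Lua configuration (pointed to by lua-config-file) that loads
    #    the policy zone; policyName is what appears in logs and traces.
    cat > "$dir/rpz.lua" <<EOF
-- Load the internal policy zone from a file.
rpzFile("$dir/internal.rpz", {policyName="internal"})
EOF

    # 3. recursor.conf fragment: anything RPZ did not match is forwarded to
    #    the external resolver, and only the proxy network may ask this server.
    cat > "$dir/recursor.conf" <<EOF
lua-config-file=$dir/rpz.lua
# forward all remaining queries (the "." zone) to the external resolver
forward-zones-recurse=.=8.8.8.8
# only the proxy host(s) in the DMZ may use this resolver (placeholder range)
allow-from=192.0.2.0/24
EOF
}

# has_record FILE NAME
# True if the policy zone FILE carries a Local Data entry for NAME.
has_record() {
    grep -q "^$2[[:space:]]" "$1"
}

# usage on the auxiliary server (as root):
#   write_resolver_config /etc/powerdns && systemctl restart pdns-recursor
```

The wildcard line shows the form Pavel asked about (a whole internal subtree pointed at internal space); individual hosts that live in the external view simply stay out of the file and are resolved through 8.8.8.8.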