[Pdns-users] Request for Help with PowerDNS + Recursor Configuration for Final Year Project

[Brian Candler]

On 07/05/2025 09:04, Nacho Oppo via Pdns-users wrote:
> The goal is to configure PowerDNS so that it first checks an A record 
> in a MySQL backend, and if the record is not found o if database 
> does´not respond, it should forward the query to an external DNS 
> server, such as Google’s (8.8.8.8).

Firstly, be clear: are you talking about PDNS Recursor or Authoritative 
Server? Those are two completely different roles in the DNS, and 
PowerDNS provides two separate pieces of software.

If what you're trying to provide is a hidden view of a domain, which is 
different from what the Internet at large is seeing, then you would 
implement it on whatever local recursor the client is using. Probably 
the best way to do that is with a Response Policy Zone (RPZ) to override 
specific names:

https://www.isc.org/rpz/
https://blog.powerdns.com/2016/06/28/response-policy-zone-support-in-powerdns-recursor
https://doc.powerdns.com/recursor/lua-config/rpz.html

This provides exactly what you ask for: synthesise a result if the 
answer is given by the RPZ, and fall back to normal recursive behaviour 
if not.

As far as I can tell, the RPZ feature in PDNS recursor can't query mysql 
directly, but the RPZ can be retrieved using AXFR/IXFR, so in principle 
you could set up a separate PDNS authoritative server with Mysql backend 
to serve the RPZ.

Otherwise: if you were thinking of doing this query manipulation on an 
authoritative server: don't. An authoritative server should never 
forward a query to a recursor, with the possible exception of expanding 
ALIAS records (which aren't real RR's anyway). Think about it: if your 
server were properly authoritative for a domain, the Google recursor on 
8.8.8.8 could end up sending the query back to the same server.