[Pdns-users] Request for Help with PowerDNS + Recursor Configuration for Final Year Project
frank at kiwazo.be
Wed May 7 14:26:02 UTC 2025
> On 7 May 2025, at 16:19, Nacho Oppo <nachooppo64 at gmail.com> wrote:
>
> Hi, Frank
>
>
> I believe I may not have explained the scenario clearly in my previous messages. Let me try to clarify it with a simplified example, which might better illustrate the situation:
>
> I have a server A with IP address dirip-A. When this server connects to servidor1.dominio.com, it must resolve to a specific point-to-point IP: diripservidor1-serverA.
>
> I also have a server B with IP address dirip-B. When this one connects to servidor1.dominio.com, it must resolve to a different IP: diripservidor1-serverB.
>
Yes, Pdns-auth with LUA records (in MySQL or other) are a good solution for this. That's not the issue.
> So, depending on the source of the DNS query, the same hostname (servidor1.dominio.com) must resolve to a different IP address. This is exactly the kind of logic that LUA records in PowerDNS can handle, and this part I have working as expected.
>
> However, the client also has another public server: servidorpublico.dominio.com, and this one must be resolved via an external DNS resolver (for example, Google DNS at 8.8.8.8), as it is not managed internally.
>
> What I’m struggling with is making the full combination work:
>
> Using LUA records for selected domains (like servidor1.dominio.com),
>
> And falling back to an external resolver for public domains (like servidorpublico.dominio.com) when no local data is found.
>
Key is that either dnsdist (best) or pdns-rec (second best) will need to know which names are to be resolved by pdns-auth.
Solve that, you've solved it. But don't try things like "have pdns-auth do resolving" or "intercept the nxdomain from auth and send elsewhere" or "have pdns-rec be auth".
Frank
> Best Regards
> Nacho
>
> On Wed, 7 May 2025 at 16:07, <frank at kiwazo.be> wrote:
>> Hi Nacho,
>>
>> How "static" is the list of domains which need to resolve locally? Updated sub-second? Once every minute? Once every hour?
>>
>> I would not use pdns-recursor at all. I would let dnsdist be the first point of entry, with 2 pools: a "auth" pool and a resolver pool.
>>
>> Add the pdns-auth (with MySQL and Lua records) to the auth pool. Have pdns-auth ONLY serve the special records, with the lua handling.
>>
>> Add 8.8.8.8 (and maybe 1.1.1.1/9.9.9.9 as well) to the resolver pool. Tell dnsdist to read a set of "special" domains from a text file. Tell it that IF (and only IF) the qname is part of the domains which is on the "special" list, it should send the query to the auth pool. In every other case (normal resolving), send it to the resolving pool (8.8.8.8 and others).
>>
>> To be VERY VERY VERY VERY clear: what you proposed in the first mail is very very very very bad practice. If the scoring of the project is done by somebody who has any real life experience with dns, you'd fail. We don't want you to fail. So with the advise I and others on the list have given you, please go back to the drawing board and rethink your design.
>>
>> Frank
>>
>>> On 7 May 2025, at 16:04, Nacho Oppo via Pdns-users <pdns-users at mailman.powerdns.com> wrote:
>>>
>>> Thanks William,
>>>
>>> I answer you between the lines
>>>
>>> 1. This is bad practice.
>>>
>>> It may be a bad practice, but it is the chosen one and it is the one that I hope will give me the approval.
>>>
>>>
>>> 2. The goal of an assignment can’t be to have someone else do it for you. What’s the point?
>>>
>>> I am clear that it has to be this way, I need to understand it in order to explain it.
>>>
>>>
>>> 3. What have you tried? “It doesn’t work” doesn’t indicate any effort.
>>>
>>> I've installed and uninstalled the software several times, run separate tests on the DNS server, and it resolves the names I put in the database. However, the moment I try to add another DNS server to resolv.conf, it stops responding to local DNS servers and goes online to look for them.
>>> When I installed the Recursor, things got even worse because, despite not having another DNS server in resolv.conf or the config, the service resolved names for me, and I don't really understand how it did it.
>>>
>>> 4. Should a Computer Science assignment really be this high-level?
>>>
>>> They proposed it to me and I thought it wouldn't be as complicated as it's turning out to be.
>>>
>>> Nacho.
>>>
>>> On Wed, 7 May 2025 at 10:27, William Edwards via Pdns-users (<pdns-users at mailman.powerdns.com>) wrote:
>>>> 1. This is bad practice.
>>>> 2. The goal of an assignment can’t be to have someone else do it for you. What’s the point?
>>>> 3. What have you tried? “It doesn’t work” doesn’t indicate any effort.
>>>> 4. Should a Computer Science assignment really be this high-level?
>>>>
>>>> William Edwards
>>>>
>>>> > On 7 May 2025 at 10:04, Nacho Oppo via Pdns-users <pdns-users at mailman.powerdns.com> wrote:
>>>> >
>>>> >
>>>> > Dear "PowerDNS MailGroup",
>>>> >
>>>> > My name is Nacho, and I am a university student currently studying Computer Science. I’m working on my final-year project, which involves setting up a system that allows resolution of personal names using PowerDNS.
>>>> >
>>>> > The goal is to configure PowerDNS so that it first checks an A record in a MySQL backend, and if the record is not found or if the database does not respond, it should forward the query to an external DNS server, such as Google’s (8.8.8.8).
>>>> >
>>>> > From what I’ve read, this setup used to be possible directly with PowerDNS, but now it seems that the use of a separate PowerDNS Recursor in front is required. I’ve tried configuring it myself, but unfortunately, I haven’t been able to make it work properly.
>>>> >
>>>> > If someone could share a working configuration for both PowerDNS Authoritative and PowerDNS Recursor (for the current versions), or point me to a complete example, I would be truly grateful.
>>>> >
>>>> > Thank you in advance for your time and help.
>>>> >
>>>> > Best regards,
>>>> > Nacho
>>>> >
>>>> > _______________________________________________
>>>> > Pdns-users mailing list
>>>> > Pdns-users at mailman.powerdns.com
>>>> > https://mailman.powerdns.com/mailman/listinfo/pdns-users
>>>>
>>
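The two-pool dnsdist layout Frank describes (auth pool for the "special" names read from a text file, resolver pool for everything else), written out as a dnsdist configuration. This is an added example for this thread, not Frank's configuration and not taken from the PowerDNS project; the listen address, the ACL ranges, the pdns-auth address/port and the path of the list file are placeholders to adapt. The file is assumed to hold one name per line and is read once at startup.

```lua
-- dnsdist.conf (added example): dnsdist is the single entry point; a suffix
-- list decides whether a query goes to pdns-auth or to the external resolvers.

setLocal("0.0.0.0:53")                        -- ASSUMPTION: where clients send queries
setACL({"10.0.0.0/8", "192.168.0.0/16"})      -- ASSUMPTION: only internal clients may query

-- Pool "auth": pdns-auth with the MySQL backend and the LUA records.
-- dnsdist forwards from its own address, so without help the LUA record would
-- never see dirip-A or dirip-B. useClientSubnet=true adds EDNS Client Subnet
-- with the real client address; pdns-auth must then run with
-- edns-subnet-processing=yes so the LUA record can use it.
newServer({address="127.0.0.1:5300", pool="auth", useClientSubnet=true})

-- Pool "resolver": the external resolvers from Frank's mail.
newServer({address="8.8.8.8", pool="resolver"})
newServer({address="1.1.1.1", pool="resolver"})
newServer({address="9.9.9.9", pool="resolver"})

-- Read the "special" names: one per line, blank lines and '#' comments ignored.
local function loadSpecialNames(path)
  local smn = newSuffixMatchNode()
  local f, err = io.open(path, "r")
  if not f then
    errlog("cannot open special-domains file " .. path .. ": " .. tostring(err))
    return smn                                -- empty list: everything resolves externally
  end
  for line in f:lines() do
    local name = line:gsub("#.*$", ""):gsub("^%s+", ""):gsub("%s+$", "")
    if name ~= "" then
      smn:add(newDNSName(name))
      infolog("auth pool serves " .. name .. " and names below it")
    end
  end
  f:close()
  return smn
end

local special = loadSpecialNames("/etc/dnsdist/special-domains.txt")  -- ASSUMPTION: path

-- IF (and only IF) the qname is one of the special names, or below one: auth pool.
addAction(SuffixMatchNodeRule(special), PoolAction("auth"))
-- Every other query: normal resolving.
addAction(AllRule(), PoolAction("resolver"))
```

Two things to check before calling it done. First, the list file must contain the exact hostnames (servidor1.dominio.com), not the parent zone: a suffix match on dominio.com would also pull servidorpublico.dominio.com into the auth pool, which is the opposite of what the thread wants. Second, confirm with `dig +subnet` against dnsdist, or by querying from the two servers, that pdns-auth really answers with diripservidor1-serverA and diripservidor1-serverB; if both get the same answer, the client address is not reaching the LUA record and the ECS settings on both sides are the first place to look.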