[Pdns-users] No response from pdns-recursor for some clients

Otto Moerbeek otto at drijf.net
Thu May 8 14:25:45 UTC 2025 

The logs (in your original post) are redacted. So we cannot correlate
the log lines with your config. If posting unredacted logs is not
possible we cannot help you here.

	-Otto

On Thu, May 08, 2025 at 03:00:37PM +0100, Robby Pedrica wrote:

> 
> 
> On 2025/04/30 12:41, Otto Moerbeek wrote:
> > On Tue, Apr 29, 2025 at 03:18:44PM +0100, Robby Pedrica via Pdns-users wrote:
> > 
> > > Hi pdns community
> > > 
> > > I've got an odd issue where some clients do not get a response from either
> > > of my 2 recursors. Both are v5.1.4 deployed via docker with fairly std
> > > configs. Generally the logs will indicate if something is not in the
> > > allowed-from list but these clients don't show there. For all intents and
> > > purposes, the recursors work normally and well for all my other clients.
> > > 
> > Since you left out specifics, it's not possible for us to see what is
> > going wrong. Please read
> > https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open
> > and try again with no information edited except secrets like
> > passwords.
> > 
> > 	-Otto
> Hi Otto
> 
> 1 - thank you very much for your reply
> 
> 2 - my apologies for the delayed response however I've been travelling the
> last week
> 
> 3 - I intimately understand the requirement to provide as much information
> as possible as I provide support myself; in this case, I spent a significant
> amount of time troubleshooting and collecting information on the issue - |I
> thought I had provided everything relevant but it's clear from your reply
> that that is not the case; however what is not clear, is what I left out
> (and the provided link does not assist with specifics either).
> 
> I'm going to make the assumption that you are referring to the recursor.yml
> configuration file, and therefore provide that here in full (minus secrets):
> 
> ///
> ######### SECTION incoming #########
> incoming:
>   listen:
>   - 0.0.0.0
>   - '::'
>   allow_from:
> #    - 0.0.0.0/0
>   - 127.0.0.1
>   - 172.0.0.0/8 # docker networks
>   - 10.10.10.0/24 # client subnet
> 
> ##### The load factor used when PowerDNS is distributing queries to worker
> threads
> #   distribution_load_factor: 0.0
> ##### Launch this number of distributor threads, distributing queries to
> other threads
> #   distributor_threads: 0
>   port: 53
>   proxy_protocol_from: [105.55.55.33/32]
>   use_incoming_edns_subnet: true
> ##### Maximum number of requests handled concurrently per TCP connection
> #   max_concurrent_requests_per_tcp_connection: 10
> ##### Maximum number of simultaneous TCP clients
>   max_tcp_clients: 128
> 
> ######### SECTION logging #########
> logging:
>   common_errors: true
>   disable_syslog: false
> #   facility: ''
>   loglevel: 6
> ##### Suppress logging of questions and answers
>   quiet: false
> 
> ######### SECTION nod #########
> nod:
> ##### Log newly observed domains.
>   log: true
> ##### Track newly observed domains (i.e. never seen before).
> #   tracking: false
> 
> ######### SECTION outgoing #########
> outgoing:
>   edns_subnet_allow_list: !override
>   - 0.0.0.0/0.
>   max_busy_dot_probes: 50
> 
> ######### SECTION packetcache #########
> packetcache:
> ##### Disable packetcache
> #   disable: false
> 
> ######### SECTION recursor #########
> recursor:
>   daemon: false
>   etc_hosts_file: /etc/hosts
>   hint_file: /etc/named.root.txt
>   lua_config_file: /etc/proxy-map.lua
> ##### Launch this number of threads listening for and processing TCP queries
> #   tcp_threads: 1
> ##### Launch this number of threads
>   threads: 4
> ##### string reported on version.pdns or version.bind
> #   version_string: '*runtime determined*'
>   write_pid: true
> 
> ######### SECTION webservice #########
> webservice:
>   address: 0.0.0.0
>   allow_from: !override
>   - 10.10.11.0/24
>   api_key: ---
> ##### Amount of logging in the webserver (none, normal, detailed)
>   loglevel: normal
>   password: ---
>   port: 8082
>   webserver: true
> 
> ######### SECTION dnssec #########
> dnssec:
>   log_bogus: false
>   max_dnskeys: 2
>   validation: process
> 
> ######### SECTION ecs #########
> ecs:
> ##### List of client netmasks for which EDNS Client Subnet will be added
>   add_for:
>   - 0.0.0.0/0
>   - ::/0
> ///
> 
> The related proxy-map.lua:
> 
> ///
> -- protobufServer("10.10.11.50:514" , "maxQueuedEntries=100",
> "logQueries=true", "logResponses=true", "logMappedFrom=false")
> protobufServer("10.10.11.50:514")
> 
> -- AE
> addProxyMapping("10.10.10.0/24", "41.55.55.33")
> ///
> 
> I can't provide less sanitised information in the pcap and logs as that
> would expose sensitive information (which I think is reasonably sanitised).
> But let me know on this point in any case.
> 
> If you are however referring to something else, then I would appreciate you
> specifying the additional information that you would require to assist me in
> collecting that info.
> 
> Appreciate your time
> 
> Robby
> 
> > 
> > > Design:
> > > 
> > > client ---> firewall --- ipsec vpn --- firewall ---> recursor ---> internet
> > > 
> > > Troubleshooting:
> > > 
> > > - check for blocks due to allow_from (nothing listed for these clients)
> > > - check local firewall rules (nothing special or different for specific
> > > clients)
> > > - tcpdump on the recursor hosts show queries hitting those hosts
> > > - pcaps on both firewalls show good traffic
> > > - the start of the logs show the ACL for allow_from is correct
> > > 
> > > PDNS-rec Config:
> > > ------------------------
> > > 
> > > //
> > > /######### SECTION incoming #########
> > > incoming:
> > >    listen:
> > >    - 0.0.0.0
> > >    - '::'
> > >    allow_from:
> > >    - x.x.x.x/y
> > >    - etc.
> > > 
> > >    port: 53
> > >    proxy_protocol_from: [a.a.a.a/b]
> > >    use_incoming_edns_subnet: true
> > >    max_tcp_clients: 128/
> > > //
> > > 
> > > 
> > > PDNS-rec docker config:
> > > ---------------------------------
> > > 
> > > //
> > > /---
> > > version: '2.0'
> > > services:
> > >    recursor:
> > >      image: powerdns/pdns-recursor-51:latest
> > >      restart: always
> > >      ports:
> > >        - "53:53"
> > >        - "53:53/udp"
> > >        - "8082:8082"
> > >      logging:
> > >        driver: "syslog"
> > >      volumes:
> > >        - ./recursor.yml:/etc/powerdns/recursor.yml
> > >        - ./named.root.txt:/etc/named.root.txt
> > >        - ./proxy-map.lua:/etc/proxy-map.lua/
> > > //
> > > 
> > > PDNS-rec logs:
> > > ---------------------
> > > 
> > > recursor_1  | Apr 29 13:53:49 PowerDNS Recursor 5.1.4 (C) PowerDNS.COM BV
> > > recursor_1  | Apr 29 13:53:49 Using 64-bits mode. Built using gcc 10.2.1
> > > 20210110 on Apr  8 2025 10:17:24 by root at localhost.
> > > recursor_1  | Apr 29 13:53:49 PowerDNS comes with ABSOLUTELY NO WARRANTY.
> > > This is free software, and you are welcome to redistribute it according to
> > > the terms of the GPL version 2.
> > > recursor_1  | Apr 29 13:53:49 msg="Processing main YAML settings"
> > > subsystem="config" level="0" prio="Notice" tid="0" ts="1745934829.121"
> > > path="/etc/powerdns/recursor.yml"
> > > recursor_1  | Apr 29 13:53:49 msg="YAML config found and processed"
> > > subsystem="config" level="0" prio="Notice" tid="0" ts="1745934829.121"
> > > configname="/etc/powerdns/recursor.yml"
> > > recursor_1  | Apr 29 13:53:49 msg="Enabling IPv4 transport for outgoing
> > > queries" subsystem="config" level="0" prio="Notice" tid="0"
> > > ts="1745934829.123"
> > > recursor_1  | Apr 29 13:53:49 msg="Setting access control"
> > > subsystem="config" level="0" prio="Info" tid="0" ts="1745934829.125"
> > > acl="allow-from" addresses="x.x.x.x/y a.a.a.a/b etc."
> > > recursor_1  | Apr 29 13:53:49 msg="Will not send queries to"
> > > subsystem="config" level="0" prio="Notice" tid="0" ts="1745934829.132"
> > > addresses="127.0.0.0/8 10.0.0.0/8 100.64.0.0/10 169.254.0.0/16
> > > 192.168.0.0/16 172.16.0.0/12 ::1/128 fc00::/7 fe80::/10 0.0.0.0/8
> > > 192.0.0.0/24 192.0.2.0/24 198.51.100.0/24 203.0.113.0/24 240.0.0.0/4 ::/96
> > > ::ffff:0:0/96 100::/64 2001:db8::/32 0.0.0.0 ::"
> > > 
> > > PDNS-rec host pcap:
> > > ------------------------------
> > > 
> > > tcpdump -i any -v 'host <client-ip>'
> > > tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size
> > > 262144 bytes
> > > 14:01:49.419703 IP (tos 0x0, ttl 124, id 45946, offset 0, flags [none],
> > > proto UDP (17), length 83)
> > >      <client-hostname>.65424 > <recursor-hostname>.domain: 16579+ [1au] A?
> > > canary.officeapps.live.com. (55)
> > > 14:01:49.419758 IP (tos 0x0, ttl 123, id 45946, offset 0, flags [none],
> > > proto UDP (17), length 83)
> > >      <client-hostname>.65424 > 172.24.0.2.domain: 16579+ [1au] A?
> > > canary.officeapps.live.com. (55)
> > > 14:01:49.419766 IP (tos 0x0, ttl 123, id 45946, offset 0, flags [none],
> > > proto UDP (17), length 83)
> > >      <client-hostname>.65424 > 172.24.0.2.domain: 16579+ [1au] A?
> > > canary.officeapps.live.com. (55)
> > > 
> > > Any ideas on what could be wrong or what I'm missing here is appreciated.
> > > 
> > > Regards
> > > 
> > > Robby
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > _______________________________________________
> > > Pdns-users mailing list
> > > Pdns-users at mailman.powerdns.com
> > > https://mailman.powerdns.com/mailman/listinfo/pdns-users
>

More information about the Pdns-users mailing list