Sorry meant to reply all ....
-------- Forwarded Message --------
From: stancs3 <[email protected]>
To: Brian Candler <[email protected]>
Subject: Re: [Pdns-users] DiG: Hopefully Final Thoughts..
Date: Sun, 19 Feb 2017 17:37:33 -0700

After a bunch of testing etc: The reverse now works; like you indicated it's just another zone; once I got that digested, I forwarded it from the recursor and it works.

I have attached the remaining thing I cannot resolve (no pun).

1. The test above the ===== line is: Recursor listening on port 53, forwarding to auth server listening on port 5300. Dig of NS replies with no Additional section. Dig of ns1 replies with the A record.

2. The test below the ===== line is: No recursor, auth server listening on port 53. Dig of NS replies with Additional section showing the A records for both NSs.

Why does only a dig NS directly to the auth server show the NS A records?
And/or is this expected behavior, and just be happy I got this far?

Stan

On Fri, 2017-02-17 at 08:15 +0000, Brian Candler wrote:
> On 17/02/2017 06:45, stancs3 wrote:
> > Reverse doesn't work in this config, so I figure on giving up on
> > recursor.
> What do you mean by "reverse doesn't work"? Can you give a specific
> example of what you did, what you saw, and what you expected to see?
>
> Reverse is just another domain (under in-addr.arpa), no different to any
> other.
>
> > I can either use my router's recursor, or perhaps set up a pdns-
> > recursor on a different VM to keep it clean. Wouldn't that be the
> > same/better than the router's?
> Most routers' built-in DNS is pretty poor - little more than a caching
> forwarder to an upstream DNS (like dnsmasq), so having your own
> pdns-recursor is likely to be much better.
>
> If you want your authoritative DNS to be visible to the outside world
> for real delegation, then it needs to listen on port 53. If you want
> your recursive DNS to be usable by local clients, then it also needs to
> listen on port 53, since most clients can't be (easily) configured to
> send their DNS queries to a different port.
>
> So, to run both auth and recursive, you need to assign two IP addresses.
> Those can either be two different VMs (maximum separation), two
> different containers, or even two different IPs in the same machine,
> where the pdns-auth and pdns-recursor processes are configured to bind to
> (listen on) a different individual IP address.
>
> You could try fancy tricks with dnsdist in front, but personally I'd
> just go for the two VMs or two containers.
>
> Don't forget redundancy. For authoritative DNS you'll want another
> nameserver on a completely different backbone (see RFC2182). For client
> redundancy, two local recursors is what you want.
>
> HTH,
>
> Brian.
The following are dig to recursor on port 53, which forwards to auth server
on port 5300:

buddy@place:~$ dig stuf.example.com @192.168.1.10

; <<>> DiG 9.10.3-P4-Ubuntu <<>> stuf.example.com @192.168.1.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48144
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;stuf.example.com.              IN      A

;; AUTHORITY SECTION:
stuf.example.com.       563     IN      SOA     ns1.stuf.example.com. hostmaster.stuf.example.com. 2017021901 28800 7200 604800 86400

;; Query time: 2 msec
;; SERVER: 192.168.1.10#53(192.168.1.10)
;; WHEN: Sun Feb 19 17:11:03 MST 2017
;; MSG SIZE  rcvd: 90

buddy@place:~$ dig ns stuf.example.com @192.168.1.10

; <<>> DiG 9.10.3-P4-Ubuntu <<>> ns stuf.example.com @192.168.1.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16983
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;stuf.example.com.              IN      NS

;; ANSWER SECTION:
stuf.example.com.       83385   IN      NS      ns1.stuf.example.com.
stuf.example.com.       83385   IN      NS      ns2.stuf.example.com.

;; Query time: 1 msec
;; SERVER: 192.168.1.10#53(192.168.1.10)
;; WHEN: Sun Feb 19 17:11:20 MST 2017
;; MSG SIZE  rcvd: 78

buddy@place:~$ dig ns1.stuf.example.com @192.168.1.10

; <<>> DiG 9.10.3-P4-Ubuntu <<>> ns1.stuf.example.com @192.168.1.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60273
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ns1.stuf.example.com.          IN      A

;; ANSWER SECTION:
ns1.stuf.example.com.   83358   IN      A       192.168.1.10

;; Query time: 3 msec
;; SERVER: 192.168.1.10#53(192.168.1.10)
;; WHEN: Sun Feb 19 17:11:47 MST 2017
;; MSG SIZE  rcvd: 59

buddy@place:~$

===========================================================================================

The following are dig directly to the same auth server as above, on port 53
(i.e. the recursor is not used):

buddy@place:~$ dig stuf.example.com @192.168.1.11

; <<>> DiG 9.10.3-P4-Ubuntu <<>> stuf.example.com @192.168.1.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53955
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;stuf.example.com.              IN      A

;; AUTHORITY SECTION:
stuf.example.com.       86400   IN      SOA     ns1.stuf.example.com. hostmaster.stuf.example.com. 2017021901 28800 7200 604800 86400

;; Query time: 3 msec
;; SERVER: 192.168.1.11#53(192.168.1.11)
;; WHEN: Sun Feb 19 17:12:49 MST 2017
;; MSG SIZE  rcvd: 101

buddy@place:~$ dig ns stuf.example.com @192.168.1.11

; <<>> DiG 9.10.3-P4-Ubuntu <<>> ns stuf.example.com @192.168.1.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9155
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;stuf.example.com.              IN      NS

;; ANSWER SECTION:
stuf.example.com.       86400   IN      NS      ns2.stuf.example.com.
stuf.example.com.       86400   IN      NS      ns1.stuf.example.com.

;; ADDITIONAL SECTION:
ns2.stuf.example.com.   86400   IN      A       192.168.1.11    << the A records,
ns1.stuf.example.com.   86400   IN      A       192.168.1.10    << not shown in test above =====

;; Query time: 4 msec
;; SERVER: 192.168.1.11#53(192.168.1.11)
;; WHEN: Sun Feb 19 17:12:59 MST 2017
;; MSG SIZE  rcvd: 121

buddy@place:~$ dig ns1.stuf.example.com @192.168.1.11

; <<>> DiG 9.10.3-P4-Ubuntu <<>> ns1.stuf.example.com @192.168.1.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51366
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;ns1.stuf.example.com.          IN      A

;; ANSWER SECTION:
ns1.stuf.example.com.   86400   IN      A       192.168.1.10

;; Query time: 3 msec
;; SERVER: 192.168.1.11#53(192.168.1.11)
;; WHEN: Sun Feb 19 17:13:16 MST 2017
;; MSG SIZE  rcvd: 70
_______________________________________________ Pdns-users mailing list [email protected] https://mailman.powerdns.com/mailman/listinfo/pdns-users
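The two dig transcripts above differ in exactly the header bits that tell you which listener answered: the recursor's replies carry "qr rd ra" and no "aa", while the auth server's carry "qr aa rd" with the "recursion requested but not available" warning, and only the auth server fills the ADDITIONAL section with the NS A records. The following is an added example, not code from the thread or from the PowerDNS project: a small stdlib-only parser for dig's text output that classifies a response as authoritative-only, recursive, or both on one listener (the split Brian recommends means a single address should never show both aa and ra), and reports which NS names in the answer came with an A record in ADDITIONAL. The two sample responses are copied from the NS queries in the thread; the function and class names are this example's own.

```python
"""Classify dig output: which kind of listener answered, and was glue present?

Added example; not from the pdns-users thread or PowerDNS. Stdlib only.
"""
import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);")
SECTION_RE = re.compile(r"^;; (QUESTION|ANSWER|AUTHORITY|ADDITIONAL) SECTION:")
SERVER_RE = re.compile(r"^;; SERVER: (\S+)#(\d+)")
# name ttl IN type rdata, with an optional "<< ..." annotation trailing the line
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*?)(?:\s+<<.*)?$")


@dataclass
class DigResponse:
    status: str = ""
    flags: set = field(default_factory=set)
    sections: dict = field(default_factory=lambda: {"ANSWER": [], "AUTHORITY": [], "ADDITIONAL": []})
    server: str = ""
    port: int = 0

    @property
    def authoritative(self) -> bool:
        return "aa" in self.flags

    @property
    def recursion_available(self) -> bool:
        return "ra" in self.flags

    def additional_a(self) -> dict:
        """Map owner name -> address for A records in the ADDITIONAL section."""
        return {name: rdata for name, _ttl, rtype, rdata in self.sections["ADDITIONAL"] if rtype == "A"}


def parse_dig(text: str) -> DigResponse:
    """Parse the text dig prints; lines starting with ';' are comments, the
    question entry, or the OPT pseudosection and carry no resource records."""
    resp, section = DigResponse(), None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if m := HEADER_RE.match(line):
            resp.status = m.group(2)
        elif m := FLAGS_RE.match(line):
            resp.flags = set(m.group(1).split())
        elif m := SECTION_RE.match(line):
            section = m.group(1)
        elif m := SERVER_RE.match(line):
            resp.server, resp.port = m.group(1), int(m.group(2))
        elif line.startswith(";"):
            continue
        elif section in resp.sections and (m := RR_RE.match(line)):
            name, ttl, rtype, rdata = m.groups()
            resp.sections[section].append((name, int(ttl), rtype, rdata))
    return resp


def classify(resp: DigResponse) -> str:
    """What kind of listener answered, judged from the aa and ra header bits."""
    if resp.authoritative and resp.recursion_available:
        return "authoritative+recursive"   # both roles on one address: split them
    if resp.authoritative:
        return "authoritative-only"
    if resp.recursion_available:
        return "recursive"
    return "non-authoritative, no recursion offered"


def ns_glue_report(resp: DigResponse) -> dict:
    """For each NS target in the ANSWER section, the A address supplied in
    ADDITIONAL, or None when the responder did not include one."""
    glue = resp.additional_a()
    return {rdata: glue.get(rdata) for _n, _t, rtype, rdata in resp.sections["ANSWER"] if rtype == "NS"}


# Sample input: the two "dig ns stuf.example.com" responses from the thread.
RECURSOR_NS = """
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16983
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;stuf.example.com.              IN      NS

;; ANSWER SECTION:
stuf.example.com.       83385   IN      NS      ns1.stuf.example.com.
stuf.example.com.       83385   IN      NS      ns2.stuf.example.com.

;; SERVER: 192.168.1.10#53(192.168.1.10)
"""

AUTH_NS = """
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9155
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;stuf.example.com.              IN      NS

;; ANSWER SECTION:
stuf.example.com.       86400   IN      NS      ns2.stuf.example.com.
stuf.example.com.       86400   IN      NS      ns1.stuf.example.com.

;; ADDITIONAL SECTION:
ns2.stuf.example.com.   86400   IN      A       192.168.1.11    << the A records,
ns1.stuf.example.com.   86400   IN      A       192.168.1.10    << not shown in test above =====

;; SERVER: 192.168.1.11#53(192.168.1.11)
"""

if __name__ == "__main__":
    for label, text in (("recursor", RECURSOR_NS), ("auth", AUTH_NS)):
        r = parse_dig(text)
        print(f"{label}: {r.server}:{r.port} -> {classify(r)}; glue: {ns_glue_report(r)}")
```

Run against the thread's transcripts it reports the recursor at 192.168.1.10 as "recursive" with no glue for either NS name, and the auth server at 192.168.1.11 as "authoritative-only" with both A records; the "authoritative+recursive" verdict is the one to look for when auditing an exposed port 53, since it means one listener is serving both roles.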
