Hi pdns community

I've got an odd issue where some clients do not get a response from either of my 2 recursors. Both are v5.1.4 deployed via Docker with fairly standard configs. Generally the logs will indicate if something is not in the allowed-from list, but these clients don't show there. For all intents and purposes, the recursors work normally and well for all my other clients.

Design:

client ---> firewall --- ipsec vpn --- firewall ---> recursor ---> internet

Troubleshooting:

- check for blocks due to allow_from (nothing listed for these clients)
- check local firewall rules (nothing special or different for specific clients)
- tcpdump on the recursor hosts show queries hitting those hosts
- pcaps on both firewalls show good traffic
- the start of the logs show the ACL for allow_from is correct

PDNS-rec Config:
------------------------

######### SECTION incoming #########
incoming:
  listen:
  - 0.0.0.0
  - '::'
  allow_from:
  - x.x.x.x/y
  - etc.

  port: 53
  proxy_protocol_from: [a.a.a.a/b]
  use_incoming_edns_subnet: true
  max_tcp_clients: 128


PDNS-rec docker config:
---------------------------------

---
version: '2.0'
services:
  recursor:
    image: powerdns/pdns-recursor-51:latest
    restart: always
    ports:
      - "53:53"
      - "53:53/udp"
      - "8082:8082"
    logging:
      driver: "syslog"
    volumes:
      - ./recursor.yml:/etc/powerdns/recursor.yml
      - ./named.root.txt:/etc/named.root.txt
      - ./proxy-map.lua:/etc/proxy-map.lua

PDNS-rec logs:
---------------------

recursor_1  | Apr 29 13:53:49 PowerDNS Recursor 5.1.4 (C) PowerDNS.COM BV
recursor_1  | Apr 29 13:53:49 Using 64-bits mode. Built using gcc 10.2.1 20210110 on Apr  8 2025 10:17:24 by root@localhost.
recursor_1  | Apr 29 13:53:49 PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
recursor_1  | Apr 29 13:53:49 msg="Processing main YAML settings" subsystem="config" level="0" prio="Notice" tid="0" ts="1745934829.121" path="/etc/powerdns/recursor.yml"
recursor_1  | Apr 29 13:53:49 msg="YAML config found and processed" subsystem="config" level="0" prio="Notice" tid="0" ts="1745934829.121" configname="/etc/powerdns/recursor.yml"
recursor_1  | Apr 29 13:53:49 msg="Enabling IPv4 transport for outgoing queries" subsystem="config" level="0" prio="Notice" tid="0" ts="1745934829.123"
recursor_1  | Apr 29 13:53:49 msg="Setting access control" subsystem="config" level="0" prio="Info" tid="0" ts="1745934829.125" acl="allow-from" addresses="x.x.x.x/y a.a.a.a/b etc."
recursor_1  | Apr 29 13:53:49 msg="Will not send queries to" subsystem="config" level="0" prio="Notice" tid="0" ts="1745934829.132" addresses="127.0.0.0/8 10.0.0.0/8 100.64.0.0/10 169.254.0.0/16 192.168.0.0/16 172.16.0.0/12 ::1/128 fc00::/7 fe80::/10 0.0.0.0/8 192.0.0.0/24 192.0.2.0/24 198.51.100.0/24 203.0.113.0/24 240.0.0.0/4 ::/96 ::ffff:0:0/96 100::/64 2001:db8::/32 0.0.0.0 ::"

PDNS-rec host pcap:
------------------------------

tcpdump -i any -v 'host <client-ip>'
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
14:01:49.419703 IP (tos 0x0, ttl 124, id 45946, offset 0, flags [none], proto UDP (17), length 83)
    <client-hostname>.65424 > <recursor-hostname>.domain: 16579+ [1au] A? canary.officeapps.live.com. (55)
14:01:49.419758 IP (tos 0x0, ttl 123, id 45946, offset 0, flags [none], proto UDP (17), length 83)
    <client-hostname>.65424 > 172.24.0.2.domain: 16579+ [1au] A? canary.officeapps.live.com. (55)
14:01:49.419766 IP (tos 0x0, ttl 123, id 45946, offset 0, flags [none], proto UDP (17), length 83)
    <client-hostname>.65424 > 172.24.0.2.domain: 16579+ [1au] A? canary.officeapps.live.com. (55)

Any ideas on what could be wrong or what I'm missing here is appreciated.

Regards

Robby
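Added example (editor's code, not from Robby's post or the PowerDNS project): a small Python check that runs every source address seen in tcpdump output through the allow_from and proxy_protocol_from ranges of the incoming: section, so the verdict per client can be read off the capture instead of inferred from the absence of a log line. The ranges and capture lines below are constructed stand-ins, since the post masks the real ones; the config is embedded as a dict rather than loaded from recursor.yml. One caveat the check makes explicit: the recursor documents that clients inside proxy_protocol_from must prefix every query with a PROXY protocol v2 header, and plain queries from those ranges are not accepted, so a client that falls into that range is dropped rather than answered even though it is also listed in allow-from (the proxy-protocol-invalid counter from rec_control is the place to look). The capture above also shows that Docker's port publishing keeps the client's source address intact and only rewrites the destination to the container's 172.24.0.2, so the ACL is evaluated against the real client address.

```python
"""Classify querying clients from tcpdump output against recursor ACL ranges.

Added example, not code from the post or from PowerDNS. All addresses and
capture lines are constructed.
"""
import ipaddress
import re

# Constructed stand-in for the 'incoming:' section of recursor.yml
# (the post masks the real ranges as x.x.x.x/y and a.a.a.a/b).
INCOMING = {
    "allow_from": ["10.10.0.0/16", "192.168.50.0/24", "2001:db8:1::/48"],
    "proxy_protocol_from": ["10.99.0.0/24"],
}

# Constructed 'tcpdump -n -v' lines in the same shape as the post's capture:
# one client inside allow_from, one inside proxy_protocol_from, one in neither.
TCPDUMP_LINES = """\
14:01:49.419703 IP (tos 0x0, ttl 124, id 45946, offset 0, flags [none], proto UDP (17), length 83)
    10.10.4.20.65424 > 172.24.0.2.domain: 16579+ [1au] A? canary.officeapps.live.com. (55)
14:01:50.100001 IP (tos 0x0, ttl 61, id 1, offset 0, flags [none], proto UDP (17), length 60)
    10.99.0.7.40000 > 172.24.0.2.domain: 1+ A? example.com. (32)
14:01:51.200002 IP (tos 0x0, ttl 64, id 2, offset 0, flags [none], proto UDP (17), length 60)
    203.0.113.9.5353 > 172.24.0.2.domain: 2+ A? example.org. (32)
"""

# Matches the 'src.port > dst.port:' token tcpdump prints for each query.
_QUERY_RE = re.compile(r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\w+):")


def match_acl(ip_text, ranges):
    """Return the first range in `ranges` that contains ip_text, else None."""
    ip = ipaddress.ip_address(ip_text)
    for r in ranges:
        net = ipaddress.ip_network(r, strict=False)
        if ip.version == net.version and ip in net:
            return r
    return None


def classify_client(ip_text, incoming):
    """Verdict for one source address against allow_from / proxy_protocol_from.

    proxy_protocol_from is checked first because, per the recursor docs,
    addresses in those ranges must send a PROXY v2 header in front of every
    query; a plain query from them is not accepted regardless of allow_from.
    """
    try:
        ipaddress.ip_address(ip_text)
    except ValueError:
        # tcpdump printed a resolved hostname; rerun it with -n.
        return "unresolved name (use tcpdump -n)"
    proxied = match_acl(ip_text, incoming.get("proxy_protocol_from", []))
    if proxied:
        return "proxy-protocol-required (%s)" % proxied
    allowed = match_acl(ip_text, incoming.get("allow_from", []))
    if allowed:
        return "allowed (%s)" % allowed
    return "not in allow_from"


def classify_capture(text, incoming):
    """Map each distinct querying source address in tcpdump output to its verdict."""
    verdicts = {}
    for m in _QUERY_RE.finditer(text):
        src = m.group("src")
        if src not in verdicts:
            verdicts[src] = classify_client(src, incoming)
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_capture(TCPDUMP_LINES, INCOMING).items():
        print("%-16s %s" % (src, verdict))
```

Run it against a real capture with `tcpdump -n -i any -v 'port 53'` so source addresses appear numerically; a verdict of proxy-protocol-required for a client that is not actually behind a PROXY-protocol-speaking front end means that range is too wide.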

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
