Re: [Pdns-users] Delegation of subdomain
Hi Jakob,

We no longer support the 'recursor=' setting because it is very tricky. You may want to read https://doc.powerdns.com/authoritative/guides/recursion.html which offers help on how to achieve your goals in other ways.

Good luck!

Bert

On Wed, Feb 07, 2018 at 11:54:13AM +0100, Jakob Lenfers wrote:
> Hi,
>
> I'm trying to delegate a subdomain to another DNS server, in my case a
> samba4 AD. My pdns runs as authoritative server on 0.0.0.0:53, the
> recursor runs on 127.0.0.1:5300 and is included via
> 'recursor=127.0.0.1:5300' in pdns' config.
>
> I have the following entries set:
> | bss.example.com. 3600 IN NS barva.example.com.
> | barva.example.com. 3600 IN A 10.20.30.40
>
> And in the recursor config I've set:
> "forward-zones=bss.example.com=10.20.30.40"
>
> But only when I query the recursor directly (example below), I'm getting
> the expected answer. When I query the master on :53, I only get a
> pointer to the new authoritative NS.
>
> | # dig -t SRV _gc._tcp.bss.example.com @localhost
> |
> | ; <<>> DiG 9.10.3-P4-Ubuntu <<>> -t SRV _gc._tcp.bss.example.com @localhost
> | ;; global options: +cmd
> | ;; Got answer:
> | ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49362
> | ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 2
> | ;; WARNING: recursion requested but not available
> |
> | ;; OPT PSEUDOSECTION:
> | ; EDNS: version: 0, flags:; udp: 1680
> | ;; QUESTION SECTION:
> | ;_gc._tcp.bss.example.com.IN SRV
> |
> | ;; AUTHORITY SECTION:
> | bss.example.com. 3600 IN NS barva.example.com.
> |
> | ;; ADDITIONAL SECTION:
> | barva.example.com. 3600 IN A 10.20.30.40
>
>
> | # dig -p 5300 -t SRV _gc._tcp.bss.example.com @localhost
> | ; <<>> DiG 9.10.3-P4-Ubuntu <<>> -p 5300 -t SRV _gc._tcp.bss.example.com @localhost
> | ;; global options: +cmd
> | ;; Got answer:
> | ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43772
> | ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> |
> | ;; OPT PSEUDOSECTION:
> | ; EDNS: version: 0, flags:; udp: 4096
> | ;; QUESTION SECTION:
> | ;_gc._tcp.bss.example.com.IN SRV
> |
> | ;; ANSWER SECTION:
> | _gc._tcp.bss.example.com. 26 IN SRV 0 100 3268 barva.bss.example.com.
>
> Any ideas how to solve this?
>
> Thanks in advance,
> Jakob
> ___
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users

[Pdns-users] Delegation of subdomain
Hi,

I'm trying to delegate a subdomain to another DNS server, in my case a samba4 AD. My pdns runs as authoritative server on 0.0.0.0:53, the recursor runs on 127.0.0.1:5300 and is included via 'recursor=127.0.0.1:5300' in pdns' config.

I have the following entries set:
| bss.example.com. 3600 IN NS barva.example.com.
| barva.example.com. 3600 IN A 10.20.30.40

And in the recursor config I've set:
"forward-zones=bss.example.com=10.20.30.40"

But only when I query the recursor directly (example below), I'm getting the expected answer. When I query the master on :53, I only get a pointer to the new authoritative NS.

| # dig -t SRV _gc._tcp.bss.example.com @localhost
|
| ; <<>> DiG 9.10.3-P4-Ubuntu <<>> -t SRV _gc._tcp.bss.example.com @localhost
| ;; global options: +cmd
| ;; Got answer:
| ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49362
| ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 2
| ;; WARNING: recursion requested but not available
|
| ;; OPT PSEUDOSECTION:
| ; EDNS: version: 0, flags:; udp: 1680
| ;; QUESTION SECTION:
| ;_gc._tcp.bss.example.com.IN SRV
|
| ;; AUTHORITY SECTION:
| bss.example.com. 3600 IN NS barva.example.com.
|
| ;; ADDITIONAL SECTION:
| barva.example.com. 3600 IN A 10.20.30.40

| # dig -p 5300 -t SRV _gc._tcp.bss.example.com @localhost
| ; <<>> DiG 9.10.3-P4-Ubuntu <<>> -p 5300 -t SRV _gc._tcp.bss.example.com @localhost
| ;; global options: +cmd
| ;; Got answer:
| ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43772
| ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
|
| ;; OPT PSEUDOSECTION:
| ; EDNS: version: 0, flags:; udp: 4096
| ;; QUESTION SECTION:
| ;_gc._tcp.bss.example.com.IN SRV
|
| ;; ANSWER SECTION:
| _gc._tcp.bss.example.com. 26 IN SRV 0 100 3268 barva.bss.example.com.

Any ideas how to solve this?

Thanks in advance,
Jakob

Re: [Pdns-users] RE ignoring non-query opcode 6
On 07/02/2018 08:41, bert hubert wrote:
> no one knows why the A-10 is sending queries with this opcode

A quick Google search found this:
https://nettools.net.berkeley.edu/tools/docs/a10/thunder/ACOS_4_1_0/pdf/A10_4.1.0_SLB_Jun13_2016.pdf

The *default* healthcheck is to send garbage UDP packets (p553):

"Layer 4 UDP – Every 5 seconds, the ACOS device sends a packet with a valid UDP header and a garbage payload to the UDP port. The port passes the health check if it either does not reply, or replies with any type of packet except an ICMP Error message."

But if you configure it to use the DNS healthcheck, it should send a valid query (p558):

"ACOS device sends a lookup request for the specified domain name or server IP address. By default, recursion is allowed. ... Optionally, you can disable recursion."

This should clearly be opcode 0.

I think the OP should take a tcpdump of the healthcheck packets. If they have configured DNS healthchecking, with a domain name to query, then they can submit the tcpdump as evidence of a bug. If they are relying on the default UDP healthchecking then it won't be a valid DNS packet in the first place.

Cheers,

Brian.

Re: [Pdns-users] RE ignoring non-query opcode 6
On Tue, Feb 06, 2018 at 07:37:16PM -0800, Jake Hansen wrote:
> Hello kind gents,

Hello Jake! We have women here too, by the way! I think so, at least.

> Someone turned me on to pdns_recursor and I'm trying to deploy it. I have
> a pair of A-10 Load balancers front ending and now the logs are spamming
>
> Ignoring non-query opcode 6 from xx.xx.xx.xx on server socket!

I checked, we indeed log this unconditionally, which is a bit sad.

> I was googling around and found that some time ago, a patch was added to
> drop non zero opcodes. I suspect that the opcodes are some sort of keep
> alive check by the load balancers. Should I be worried about this?

Well, I think you should be worried that your A-10 is somehow sending nonsense DNS packets to check liveness. Opcode 6 is not defined.

https://www.iana.org/assignments/dns-parameters/dns-parameters.xml#dns-parameters-5

We'll make sure you can mute this warning with 'log-common-errors=no' in the future.

For now, if this warning upsets you, you may want to ponder either putting dnsdist in front of your recursor to filter out opcode=6 queries, or (and this is likely better), replace the whole A-10 load balancer with dnsdist.

Sorry we can't be more helpful, I checked, no one knows why the A-10 is sending queries with this opcode, or how you can stop it. Might want to ask A-10.

Bert
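
Checking a tcpdump of the health-check packets, as suggested in the opcode 6 thread, comes down to reading the 12-byte DNS header. The following is an added example (not code from the thread or from PowerDNS) that decodes that header and labels a UDP payload by opcode. All packets are constructed samples; the two reply headers reuse the ids, flags and counts from the dig outputs in the delegation thread to show the 'ra' difference between the authoritative server and the recursor.

```python
import struct

# Names for well-known opcodes; anything else is reported by number.
OPCODE_NAMES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}


def parse_header(payload: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035, section 4.1.1)."""
    if len(payload) < 12:
        raise ValueError("shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    return {
        "id": ident,
        "qr": flags >> 15,              # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,  # 4-bit opcode field
        "rd": (flags >> 8) & 1,         # recursion desired
        "ra": (flags >> 7) & 1,         # recursion available
        "counts": (qd, an, ns, ar),
    }


def classify_probe(payload: bytes) -> str:
    """Label one UDP payload captured on port 53 from the load balancer."""
    try:
        h = parse_header(payload)
    except ValueError:
        return "not DNS: too short for a header"
    if h["qr"] == 0 and h["opcode"] == 0 and h["counts"][0] == 1:
        return "query with opcode 0"
    name = OPCODE_NAMES.get(h["opcode"], "opcode %d" % h["opcode"])
    return "not a plain query: qr=%d %s qdcount=%d" % (h["qr"], name, h["counts"][0])


# Constructed samples (not taken from a real capture).
VALID_QUERY = (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
               + b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1))
OPCODE6_PROBE = struct.pack("!6H", 0xA10A, 0x3000, 0, 0, 0, 0)
SHORT_GARBAGE = b"\xde\xad\xbe\xef"
# Headers rebuilt from the flags and counts in the two dig outputs.
AUTH_REPLY = struct.pack("!6H", 49362, 0x8100, 1, 0, 1, 2)      # flags: qr rd
RECURSOR_REPLY = struct.pack("!6H", 43772, 0x8180, 1, 1, 0, 1)  # flags: qr rd ra

if __name__ == "__main__":
    for label, pkt in [("valid", VALID_QUERY), ("opcode6", OPCODE6_PROBE),
                       ("short", SHORT_GARBAGE)]:
        print(label, "->", classify_probe(pkt))
    for label, pkt in [("auth :53", AUTH_REPLY), ("recursor :5300", RECURSOR_REPLY)]:
        print(label, "ra =", parse_header(pkt)["ra"])
```
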