Re: [Pdns-users] Two sqlite backends, only one getting queried
On 17.10.2018 17.09, LordEidi wrote:
> On 17.10.18 14:34, bert hubert wrote:
>> On Wed, Oct 17, 2018 at 01:52:19PM +0200, LordEidi wrote:
>>> PowerDNS starts and runs without an error. But when queried I only get
>>> answers to records which are in the first sqlite DB. The content of the
>>> second DB is completely ignored. No error in the logs. There is also no zone
>>> info when using the cli tool to check the status of pdns.
>> Can you show your configuration, without editing?
> Not really w/o editing. But here you go:
>
> pdns.local.conf
>
> #
> launch=gsqlite3:first,gsqlite3:second
>
> # Database location
> gsqlite3-first-database=/home/test/first.sqlite3
> gsqlite3-first-dnssec=off
>
> gsqlite3-second-database=/home/test/second.sqlite3
> gsqlite3-second-dnssec=off
>
> Both sqlite databases contain full structure, as well as records in
> domains and records tables. In domains I tested both, MASTER and NATIVE
> types.
>
>> Additionally, check if you have a . SOA in your first database. Once
>> PowerDNS finds an applicable SOA in a database, it will not study secondary
>> ones.
> That is a good hint which kills one of my use cases. One use case would
> have been to have a core database and have the dyndns service only
> access the second database.
>
> I take it that this is non sqlite specific behaviour. If I had two BIND
> zonefiles or a mixture of backends, that would be the same?
>
> As a hint, I would have loved to read that in the doc re backends. :)
>
>>> Any hints what's the problem? Is the Debian package somewhat old and this is
>>> a known bug which was fixed in a newer PowerDNS version? Or is there some
>>> trick when using multiple sqlite backends?
>> We have done some work to make it better. https://repo.powerdns.com has
>> packages you can use to test.
> Good idea.
>
> What would you recommend for production? Your package or the debian
> projects'.
>
>> In general, it will work as long as there is no overlap in zones between the
>> two backends.
> Again, this is non sqlite specific, this is a rule in general?
>
> Thanks for your help.
>
> Cheers,
> Eidi

It is not possible to keep zones split into multiple backends. This applies to all backends. If you want to have a dyndns database, delegate something like 'dyn.example.com' from 'example.com' and host the dyn domain in the other backend.

Aki
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
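A pre-deployment check for the rule discussed in this thread, as an added example (not code from the thread or from the PowerDNS project): it reads the `domains` and `records` tables of two gsqlite3 databases, reports zones present in both, and reports a zone in one backend whose closest parent zone in the other backend carries no NS records for it. The table definitions are a constructed subset of the gsqlite3 schema, the sample zones are constructed, and the finding names are hypothetical.

```python
import sqlite3

SCHEMA = """
CREATE TABLE domains (id INTEGER PRIMARY KEY, name TEXT, type TEXT);
CREATE TABLE records (id INTEGER PRIMARY KEY, domain_id INTEGER,
                      name TEXT, type TEXT, content TEXT);
"""  # constructed subset of the gsqlite3 schema, enough for this check

def make_backend(zones, records=()):
    """Build an in-memory stand-in for one gsqlite3 database (sample data)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for zone_id, name in enumerate(zones, start=1):
        db.execute("INSERT INTO domains VALUES (?, ?, 'NATIVE')", (zone_id, name))
    for zone, name, rtype, content in records:
        db.execute("INSERT INTO records (domain_id, name, type, content) "
                   "SELECT id, ?, ?, ? FROM domains WHERE name = ?",
                   (name, rtype, content, zone))
    return db

def zones_of(db):
    """Map normalised zone name ('' stands for the root zone) to domains.id."""
    return {name.lower().rstrip("."): zid
            for zid, name in db.execute("SELECT id, name FROM domains")}

def is_ancestor(parent, child):
    """True if `parent` is a strict ancestor of `child`."""
    return parent != child and (parent == "" or child.endswith("." + parent))

def delegated(db, zone_id, child):
    """True if the parent zone carries NS records at the child's name."""
    return db.execute("SELECT 1 FROM records WHERE domain_id = ? AND type = 'NS' "
                      "AND lower(name) = ?", (zone_id, child)).fetchone() is not None

def check_backends(first, second):
    """Return sorted (problem, zone) findings across two backends."""
    a, b = zones_of(first), zones_of(second)
    findings = {("duplicate-zone", z or ".") for z in a.keys() & b.keys()}
    for db, parents, children in ((first, a, b), (second, b, a)):
        for child in children:
            ancestors = [p for p in parents if is_ancestor(p, child)]
            if ancestors:
                closest = max(ancestors, key=len)  # longest name = nearest parent
                if not delegated(db, parents[closest], child):
                    findings.add(("undelegated-child", child))
    return sorted(findings)

if __name__ == "__main__":
    core = make_backend(["example.com"])
    dyn = make_backend(["dyn.example.com"])
    print(check_backends(core, dyn))
```

Pointed at the real files with `sqlite3.connect(path)` instead of `make_backend`, the same `check_backends` call works on a copy of each database.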
Re: [Pdns-users] Recursor to Respond Authoritatively for all Queries
On 17/10/2018 17:58, Asanka Gunasekara wrote:
> Now, my question is, is there a way for me to serve two different addresses for records depending on the interface the request came from? This way I might be able to reply with private IPs for internal requests and a different IP for external requests.

You could have two different auth servers: one with the internal view, one with the external. On your recursor you would forward the domain to the internal auth server.

I'm afraid I don't know if there's a better way than that with PowerDNS. I strongly avoid split DNS because of all the problems it causes.
Re: [Pdns-users] Recursor to Respond Authoritatively for all Queries
Hi Brian,

Thanks for taking the time to explain this to me. Yes, this server hosts other public domains and I agree what I have done is wrong.

Now, my question is, is there a way for me to serve two different addresses for records depending on the interface the request came from? This way I might be able to reply with private IPs for internal requests and a different IP for external requests.

On Wed, 17 Oct 2018, 16:57 Brian Candler <b.cand...@pobox.com> wrote:
> On 17/10/2018 12:19, Asanka Gunasekara wrote:
>> The authoritative server has a private zone. Authoritative server should respond/answer for queries to this private domain if they originated from a select list of IP addresses. And authoritative server should respond/answer for queries for all other domains normally.
>
> When you say "all other domains", do you mean your authoritative server is hosting authoritative information for some public domains as well? Or only the private domain.
>
>> The reason for forwarding all requests to the Authoritative server is due to the fact that this combo server should not be a public resolver/recursor.
>
> Authoritative servers are not resolvers. So if you are hosting public domains, the server needs to be on a public IP address and answer on port 53.
>
> If you are *only* hosting private domains, then the combination you have shown (resolver on port 53, authoritative on port 5300) will work. The resolver should *only* forward the private domains to the authoritative server. Indeed, this server can sit on a private IP address if you like.
>
> Since the authoritative server is not available from the outside world, and is not on the standard port 5300, an external DNS tester service will not work. Sending *authoritative* queries to a *recursor* is wrong.
>
> Regards,
> Brian.
Re: [Pdns-users] Two sqlite backends, only one getting queried
On 17.10.18 14:34, bert hubert wrote:
> On Wed, Oct 17, 2018 at 01:52:19PM +0200, LordEidi wrote:
>> PowerDNS starts and runs without an error. But when queried I only get
>> answers to records which are in the first sqlite DB. The content of the
>> second DB is completely ignored. No error in the logs. There is also no zone
>> info when using the cli tool to check the status of pdns.
>
> Can you show your configuration, without editing?

Not really w/o editing. But here you go:

pdns.local.conf

#
launch=gsqlite3:first,gsqlite3:second

# Database location
gsqlite3-first-database=/home/test/first.sqlite3
gsqlite3-first-dnssec=off

gsqlite3-second-database=/home/test/second.sqlite3
gsqlite3-second-dnssec=off

Both sqlite databases contain full structure, as well as records in domains and records tables. In domains I tested both, MASTER and NATIVE types.

> Additionally, check if you have a . SOA in your first database. Once
> PowerDNS finds an applicable SOA in a database, it will not study secondary
> ones.

That is a good hint which kills one of my use cases. One use case would have been to have a core database and have the dyndns service only access the second database.

I take it that this is non sqlite specific behaviour. If I had two BIND zonefiles or a mixture of backends, that would be the same?

As a hint, I would have loved to read that in the doc re backends. :)

>> Any hints what's the problem? Is the Debian package somewhat old and this is
>> a known bug which was fixed in a newer PowerDNS version? Or is there some
>> trick when using multiple sqlite backends?
>
> We have done some work to make it better. https://repo.powerdns.com has
> packages you can use to test.

Good idea.

What would you recommend for production? Your package or the debian projects'.

> In general, it will work as long as there is no overlap in zones between the
> two backends.

Again, this is non sqlite specific, this is a rule in general?

Thanks for your help.

Cheers,
Eidi
Re: [Pdns-users] Two sqlite backends, only one getting queried
On Wed, Oct 17, 2018 at 01:52:19PM +0200, LordEidi wrote:
> PowerDNS starts and runs without an error. But when queried I only get
> answers to records which are in the first sqlite DB. The content of the
> second DB is completely ignored. No error in the logs. There is also no zone
> info when using the cli tool to check the status of pdns.

Can you show your configuration, without editing?

Additionally, check if you have a . SOA in your first database. Once PowerDNS finds an applicable SOA in a database, it will not study secondary ones.

> Any hints what's the problem? Is the Debian package somewhat old and this is
> a known bug which was fixed in a newer PowerDNS version? Or is there some
> trick when using multiple sqlite backends?

We have done some work to make it better. https://repo.powerdns.com has packages you can use to test.

In general, it will work as long as there is no overlap in zones between the two backends.

Bert
[Pdns-users] Two sqlite backends, only one getting queried
Hi list

I am playing around with PowerDNS in version 4.0.3 (actually 4.0.3-1+deb9u2, Debian stable package). I configured two sqlite3 backends, correctly with separate config names and containing different zones as well as records.

PowerDNS starts and runs without an error. But when queried I only get answers to records which are in the first sqlite DB. The content of the second DB is completely ignored. No error in the logs. There is also no zone info when using the cli tool to check the status of pdns.

I read somewhere that the sqlite backend is somewhat unstable, especially when using multiple sqlite based backends. My search engine of choice wasn't able to find any other link to a helpful page.

Any hints what's the problem? Is the Debian package somewhat old and this is a known bug which was fixed in a newer PowerDNS version? Or is there some trick when using multiple sqlite backends?

Cheers,
Eidi
Re: [Pdns-users] Recursor to Respond Authoritatively for all Queries
On 17/10/2018 12:19, Asanka Gunasekara wrote:
> The authoritative server has a private zone. Authoritative server should respond/answer for queries to this private domain if they originated from a select list of IP addresses. And authoritative server should respond/answer for queries for all other domains normally.

When you say "all other domains", do you mean your authoritative server is hosting authoritative information for some public domains as well? Or only the private domain.

> The reason for forwarding all requests to the Authoritative server is due to the fact that this combo server should not be a public resolver/recursor.

Authoritative servers are not resolvers. So if you are hosting public domains, the server needs to be on a public IP address and answer on port 53.

If you are *only* hosting private domains, then the combination you have shown (resolver on port 53, authoritative on port 5300) will work. The resolver should *only* forward the private domains to the authoritative server. Indeed, this server can sit on a private IP address if you like.

Since the authoritative server is not available from the outside world, and is not on the standard port 5300, an external DNS tester service will not work. Sending *authoritative* queries to a *recursor* is wrong.

Regards,
Brian.
Re: [Pdns-users] Recursor to Respond Authoritatively for all Queries
Hi Brian,

Thanks for the quick response. Let me try to explain why I am running this setup to give some information and possibly find a better alternative way.

We have several resolvers/recursors installed for clients/systems use and they're working as intended.

The authoritative server has a private zone. Authoritative server should respond/answer for queries to this private domain if they originated from a select list of IP addresses. And authoritative server should respond/answer for queries for all other domains normally.

The reason for forwarding all requests to the Authoritative server is due to the fact that this combo server should not be a public resolver/recursor.

Hope this gives more information to understand the setup. Thanks again for your help.

Kind Regards,
Asanka Gunasekara

On 17/10/2018 1:32:57 PM, Brian Candler wrote:
> On 17/10/2018 10:43, Asanka Gunasekara wrote:
>> The issue I currently have is that when I test the records via
>> intodns.com or some other DNS check servers they report back saying
>> lame servers.
>>
>> Under recursor.conf, I have the following two lines basically
>> forwarding all queries to the authoritative server.
>> forward-zones=.=127.0.0.1:5300
>> forward-zones-recurse=.=127.0.0.1:5300
>>
>> Is there a way to configure the recursor to answer authoritatively for
>> all queries? Say for example via Lua script with setAA() function perhaps?
>
> No - I'm afraid you can't do it this way. Your authoritative server must be bound to port 53 if it's accepting queries from the outside world.
>
> Your options are:
>
> 1. Run your recursor and authoritative server bound to two different IP addresses (or in separate VMs or containers with their own IPs)
>
> or
>
> 2. Don't list your authoritative server in the NS records, and instead use it as a "hidden primary". That is, you have two or more additional nameservers on public IPs, which are listed in NS records, and they get their zone content from the hidden primary (either by a zone transfer from x.x.x.x:5300, or by database replication)
>
> Final note: please don't use forward-zones to forward all queries to an authoritative server, since it's not authoritative for the whole Internet. You should rarely need forward-zones at all: as long as the NS records for your domain point to your authoritative servers, the recursor will find them by itself. Forward-zones are normally used for private domains which can't be delegated (e.g. localhost, 168.192.in-addr.arpa)
>
> HTH,
> Brian.
Re: [Pdns-users] Recursor to Respond Authoritatively for all Queries
On 17/10/2018 10:43, Asanka Gunasekara wrote:
> The issue I currently have is that when I test the records via intodns.com or some other DNS check servers they report back saying lame servers.
>
> Under recursor.conf, I have the following two lines basically forwarding all queries to the authoritative server.
> forward-zones=.=127.0.0.1:5300
> forward-zones-recurse=.=127.0.0.1:5300
>
> Is there a way to configure the recursor to answer authoritatively for all queries? Say for example via Lua script with setAA() function perhaps?

No - I'm afraid you can't do it this way. Your authoritative server must be bound to port 53 if it's accepting queries from the outside world.

Your options are:

1. Run your recursor and authoritative server bound to two different IP addresses (or in separate VMs or containers with their own IPs)

or

2. Don't list your authoritative server in the NS records, and instead use it as a "hidden primary". That is, you have two or more additional nameservers on public IPs, which are listed in NS records, and they get their zone content from the hidden primary (either by a zone transfer from x.x.x.x:5300, or by database replication)

Final note: please don't use forward-zones to forward all queries to an authoritative server, since it's not authoritative for the whole Internet. You should rarely need forward-zones at all: as long as the NS records for your domain point to your authoritative servers, the recursor will find them by itself. Forward-zones are normally used for private domains which can't be delegated (e.g. localhost, 168.192.in-addr.arpa)

HTH,
Brian.
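A configuration audit for the two points Brian makes in this thread (no catch-all forward to an authoritative server, and forwards only for private zones), as an added example that is not code from the thread or from PowerDNS. `THREAD_CONF` repeats the two lines quoted above; `NARROWED_CONF`, the zone `internal.example`, the allow-list parameter and the finding names are constructed for illustration.

```python
FORWARD_KEYS = ("forward-zones", "forward-zones-recurse")

def parse_forwards(conf_text):
    """Return [(setting, zone, [targets])] for every forward entry in the text."""
    entries = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().rstrip("+").strip()      # accept 'setting+=value' too
        if key not in FORWARD_KEYS:
            continue
        for item in value.split(","):              # comma-separated zone=addr[;addr]
            if "=" not in item:
                continue
            zone, targets = item.split("=", 1)
            zone = zone.strip().lower().rstrip(".") or "."
            addrs = [t.strip() for t in targets.split(";") if t.strip()]
            entries.append((key, zone, addrs))
    return entries

def audit(conf_text, private_zones):
    """Flag catch-all forwards and forwards for zones outside the allow-list."""
    allowed = {z.lower().rstrip(".") for z in private_zones}
    findings = []
    for key, zone, _targets in parse_forwards(conf_text):
        if zone == ".":
            findings.append(("catch-all", key, zone))
        elif zone not in allowed:
            findings.append(("not-private", key, zone))
    return findings

# The two lines quoted in the thread.
THREAD_CONF = """\
forward-zones=.=127.0.0.1:5300
forward-zones-recurse=.=127.0.0.1:5300
"""

# Constructed: only private zones are forwarded to the local auth server.
NARROWED_CONF = """\
forward-zones=internal.example=127.0.0.1:5300, 168.192.in-addr.arpa=127.0.0.1:5300
"""

if __name__ == "__main__":
    private = {"internal.example", "168.192.in-addr.arpa"}
    print(audit(THREAD_CONF, private))
    print(audit(NARROWED_CONF, private))
```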
[Pdns-users] Recursor to Respond Authoritatively for all Queries
Hi All,

Appreciate if you can provide me with some insights on how to get this to work.

I am currently using PDNS 4.1.X branch servers and have configured the auth server + recursor according to this setup under 1st scenario: https://doc.powerdns.com/authoritative/guides/recursion.html

The issue I currently have is that when I test the records via intodns.com or some other DNS check servers they report back saying lame servers.

Under recursor.conf, I have the following two lines basically forwarding all queries to the authoritative server.
forward-zones=.=127.0.0.1:5300
forward-zones-recurse=.=127.0.0.1:5300

Is there a way to configure the recursor to answer authoritatively for all queries? Say for example via Lua script with setAA() function perhaps?

Kind Regards,
Asanka Gunasekara