Re: [Pdns-users] stupid recursor question
You did not report back the results of the other two troubleshooting actions that Brian suggested (dig and tcpdump). These could hold clues to the cause of your problem.

On Tue, 2022-12-06 at 14:33 -0500, Curtis Maurand via Pdns-users wrote:
> OK, just did the upgrade and adjusted the tables accordingly. I don't like the fact that the update clobbered the /etc/init.d/pdns file. We don't all run distributions with systemd. Systemd is big and buggy, not to mention the contortions one has to go through to get things to work properly. My system is way more manageable without it. More stable, too. I knew I needed to do the upgrade; Debian hasn't upgraded the version in their repos. I added the powerdns repo to the sources.list.d/pdns. I digress. I'm now running 4.7.2. It took a few minutes to get the supermaster/superslave set up and working.
>
> Things are working from outside and pretty fast, too. It's internally where things aren't working. The internal recursor is not resolving anything that is hosted. Weird.
>
> --Curtis
>
> On 12/6/22 12:52, Brian Candler wrote:
> > On 06/12/2022 17:41, Curtis Maurand via Pdns-users wrote:
> > > You can use either xyonet.com or cybernexus.net
> >
> > And the pdns-auth server which you are referring to is ns1.xyonet.com or ns2.xyonet.com? Or is it neither of these, and is a hidden primary?
> >
> > FYI, ns2.xyonet.com is not responding at the moment. Also, ns1 is running PowerDNS Authoritative Server 4.4.1, which is end-of-life, so you ought to look at upgrading it. See https://repo.powerdns.com/

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] stupid recursor question
OK, just did the upgrade and adjusted the tables accordingly. I don't like the fact that the update clobbered the /etc/init.d/pdns file. We don't all run distributions with systemd. Systemd is big and buggy, not to mention the contortions one has to go through to get things to work properly. My system is way more manageable without it. More stable, too. I knew I needed to do the upgrade; Debian hasn't upgraded the version in their repos. I added the powerdns repo to the sources.list.d/pdns. I digress. I'm now running 4.7.2. It took a few minutes to get the supermaster/superslave set up and working.

Things are working from outside and pretty fast, too. It's internally where things aren't working. The internal recursor is not resolving anything that is hosted. Weird.

--Curtis

On 12/6/22 12:52, Brian Candler wrote:
> On 06/12/2022 17:41, Curtis Maurand via Pdns-users wrote:
> > You can use either xyonet.com or cybernexus.net
>
> And the pdns-auth server which you are referring to is ns1.xyonet.com or ns2.xyonet.com? Or is it neither of these, and is a hidden primary?
>
> FYI, ns2.xyonet.com is not responding at the moment. Also, ns1 is running PowerDNS Authoritative Server 4.4.1, which is end-of-life, so you ought to look at upgrading it. See https://repo.powerdns.com/

--
Curtis
https://curtis.maurand.com
Re: [Pdns-users] stupid recursor question
On 06/12/2022 17:41, Curtis Maurand via Pdns-users wrote:
> You can use either xyonet.com or cybernexus.net

And the pdns-auth server which you are referring to is ns1.xyonet.com or ns2.xyonet.com? Or is it neither of these, and is a hidden primary?

FYI, ns2.xyonet.com is not responding at the moment. Also, ns1 is running PowerDNS Authoritative Server 4.4.1, which is end-of-life, so you ought to look at upgrading it. See https://repo.powerdns.com/
Re: [Pdns-users] stupid recursor question
You can use either xyonet.com or cybernexus.net

On 12/6/22 12:26, Brian Candler wrote:
> On 06/12/2022 17:06, Curtis Maurand via Pdns-users wrote:
> > On the authoritative server I host a domain that I'll call domain.tld as the example.
>
> It really helps if you give the real domain, since many problems can be diagnosed easily by querying the auth nameserver. See https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/
>
> Is this a real domain, i.e. does your authoritative server have a public IP address and NS records pointing at it? I am guessing that it is, since you say it's dnssec signed. Is your auth server behind any sort of NAT?
>
> > All seems to be well, until I query the local recursor which returns nothing. It answers, but doesn't return a response.
>
> Define "nothing": NOERROR with no records, NXDOMAIN, SERVFAIL, something else?
>
> Can your recursor reach the authoritative server on its public IP address? That is, from the shell of the recursor, can you query the auth server like this:
>
>     dig +norec @x.x.x.x domain.tld. a
>
> > I've tried forward-zones = domain.tld=192.168.100.30; and that doesn't seem to work.
>
> You can run tcpdump to see whether the recursor is sending queries to 192.168.100.30, and if so, what response it gets.
>
>     tcpdump -i eth0 -nn -s0 -v port 53 and host 192.168.100.30

--
Curtis
https://curtis.maurand.com
Re: [Pdns-users] stupid recursor question
On 06/12/2022 17:06, Curtis Maurand via Pdns-users wrote:
> On the authoritative server I host a domain that I'll call domain.tld as the example.

It really helps if you give the real domain, since many problems can be diagnosed easily by querying the auth nameserver. See https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/

Is this a real domain, i.e. does your authoritative server have a public IP address and NS records pointing at it? I am guessing that it is, since you say it's dnssec signed. Is your auth server behind any sort of NAT?

> All seems to be well, until I query the local recursor which returns nothing. It answers, but doesn't return a response.

Define "nothing": NOERROR with no records, NXDOMAIN, SERVFAIL, something else?

Can your recursor reach the authoritative server on its public IP address? That is, from the shell of the recursor, can you query the auth server like this:

    dig +norec @x.x.x.x domain.tld. a

> I've tried forward-zones = domain.tld=192.168.100.30; and that doesn't seem to work.

You can run tcpdump to see whether the recursor is sending queries to 192.168.100.30, and if so, what response it gets.

    tcpdump -i eth0 -nn -s0 -v port 53 and host 192.168.100.30
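The dig check above only helps if the result is named precisely: "returns nothing" can be NOERROR with an empty answer section, NXDOMAIN, SERVFAIL, REFUSED, or no reply at all, and each points at a different layer (zone content, recursor validation, firewall or routing). The following is an added example, not code from this thread or from PowerDNS: it runs the same `dig +norec @auth zone. a` query and classifies the output. The `query_auth` helper and its name are an assumption of this example, and the sample dig outputs at the bottom are constructed, not captured from the poster's servers.

```python
"""Classify the result of Brian's `dig +norec` check against an auth server.

Added example, not from the pdns-users thread or from PowerDNS. The sample
dig outputs below are constructed to match dig's header format.
"""
import re
import subprocess
import sys

# dig prints ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234"
HEADER_RE = re.compile(r"status: ([A-Z]+),")
# and ";; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1"
COUNTS_RE = re.compile(r"QUERY: (\d+), ANSWER: (\d+), AUTHORITY: (\d+), ADDITIONAL: (\d+)")


def classify_dig_output(text: str) -> str:
    """Map raw dig output to a single diagnosis token."""
    if "connection timed out" in text or "no servers could be reached" in text:
        # Nothing came back at all: firewall, routing, or the server is down.
        return "NO-REPLY"
    status = HEADER_RE.search(text)
    counts = COUNTS_RE.search(text)
    if not status or not counts:
        return "UNPARSED"
    rcode = status.group(1)
    answers = int(counts.group(2))
    if rcode == "NOERROR" and answers == 0:
        # The server knows the name but has no records of this type for it.
        return "NOERROR-EMPTY"
    if rcode == "NOERROR":
        return "ANSWERED"
    # NXDOMAIN, SERVFAIL, REFUSED, ... come back as-is.
    return rcode


def query_auth(auth_ip: str, zone: str, rtype: str = "A") -> str:
    """Run the thread's check from the recursor host and classify the reply.

    +norec asks the server not to recurse, so whatever comes back is the
    authoritative server's own view of the zone. (Hypothetical helper.)
    """
    cmd = ["dig", "+norec", "+time=3", "+tries=1", f"@{auth_ip}", f"{zone}.", rtype]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
    except FileNotFoundError:
        return "NO-DIG-BINARY"
    return classify_dig_output(out.stdout + out.stderr)


# Constructed samples in dig's output format (not from the poster's systems).
SAMPLE_SERVFAIL = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
SAMPLE_NOERROR_EMPTY = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
"""
SAMPLE_ANSWER = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
domain.tld.\t\t3600\tIN\tA\t192.0.2.53
"""
SAMPLE_TIMEOUT = ";; connection timed out; no servers could be reached\n"

if __name__ == "__main__":
    # usage: python dig_check.py 192.168.100.30 domain.tld
    if len(sys.argv) >= 3:
        print(query_auth(sys.argv[1], sys.argv[2]))
    else:
        for label, sample in [("servfail", SAMPLE_SERVFAIL), ("empty", SAMPLE_NOERROR_EMPTY),
                              ("answer", SAMPLE_ANSWER), ("timeout", SAMPLE_TIMEOUT)]:
            print(label, "->", classify_dig_output(sample))
```

Run it on the recursor host with the auth server's address and the zone. A NO-REPLY here means the tcpdump step in the thread is the next thing to look at; a SERVFAIL from the auth server itself is a zone or backend problem rather than anything in the recursor's configuration.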
[Pdns-users] stupid recursor question
Hello,

I've been a pdns user since, well, forever. I abandoned bind long ago. I currently have a set up where I run an authoritative server on a virtual machine and I run pdns-recursor on a separate virtual machine. On the authoritative server I host a domain that I'll call domain.tld as the example. It works fine. It returns all of the correct answers and the zone is signed and those answers come back correctly. Queries to outside recursors such as 8.8.8.8 or 1.1.1.1 or 4.2.2.2 return appropriate responses.

All seems to be well, until I query the local recursor which returns nothing. It answers, but doesn't return a response. The local networks are set up in the recursor.conf (allow-from=127.0.0.0/8, 192.168.100.0/24, 192.168.192.0/24, 192.168.100.0/24). Querying a foreign domain such as ibm.com or microsoft.com works fine. It just seems to be my local recursor is finding nothing that I actually host. I've tried forward-zones = domain.tld=192.168.100.30; and that doesn't seem to work.

Does anyone have any ideas?

Thanks in advance,
Curtis

--
Curtis
https://curtis.maurand.com
Re: [Pdns-users] CNAME Resolution
Hello!

icfd3.org and icdf3.org

Looks like these are two different domain names.

Kind regards,
Sinisa "Sonny" Burina

On Mon, Dec 5, 2022, 12:58 Tony Annese via Pdns-users <pdns-users@mailman.powerdns.com> wrote:
> So PDNS is reporting these CNAMEs as errors/being out of zone
>
>     root@nspower:~# pdnsutil check-zone icfd3.org
>     Dec 05 09:42:24 [bindbackend] Done parsing domains, 0 rejected, 0 new, 0 removed
>     [Error] Record 'enterpriseenrollment.icdf3.org IN CNAME enterpriseenrollment.manage.microsoft.com' in zone 'icfd3.org' is out-of-zone.
>     [Error] Record 'enterpriseregistration.icdf3.org IN CNAME enterpriseregistration.windows.net' in zone 'icfd3.org' is out-of-zone.
>     [Error] Record 'lyncdiscover.icdf3.org IN CNAME webdir.online.lync.com' in zone 'icfd3.org' is out-of-zone.
>     [Error] Record 'selector1._domainkey.icdf3.org IN CNAME selector1-icfd3-org._domainkey.SouthWhidbeyFE.onmicrosoft.com' in zone 'icfd3.org' is out-of-zone.
>     [Error] Record 'selector2._domainkey.icdf3.org IN CNAME selector2-icfd3-org._domainkey.SouthWhidbeyFE.onmicrosoft.com' in zone 'icfd3.org' is out-of-zone.
>     [Error] Record 'sip.icdf3.org IN CNAME sipdir.online.lync.com' in zone 'icfd3.org' is out-of-zone.
>     [Error] Record '_sip._tls.icdf3.org IN SRV 100 1 443 sipdir.online.lync.com' in zone 'icfd3.org' is out-of-zone.
>     [Error] Record '_sipfederationtls._tcp.icdf3.org IN SRV 100 1 5061 sipfed.online.lync.com' in zone 'icfd3.org' is out-of-zone.
>     Checked 31 records of 'icfd3.org', 8 errors, 0 warnings.
>
> So how do I tell PDNS to allow out-of-zone CNAME (and SRV) records?
>
> From: Pdns-users on behalf of Markus Ehrlicher via Pdns-users
> Date: Monday, December 5, 2022 at 3:36 AM
> To: 'pdns-users@mailman.powerdns.com'
> Subject: Re: [Pdns-users] CNAME Resolution
>
> Hello,
>
> what does "pdnsutil check-zone icfd3.org" on the Master say?
>
> best regards,
> Markus
>
> From: Pdns-users on behalf of Tony Annese via Pdns-users
> Sent: Monday, 5 December 2022 12:20
> To: pdns-users@mailman.powerdns.com
> Subject: Re: [Pdns-users] CNAME Resolution
>
> External e-mail
> Caution! Links and attachments can contain or download malicious code. Please forward suspicious e-mails as an attachment to virench...@komsa.de for checking.
>
> Those were wildcard entries for the whole domain icfd3.org.
>
> I've removed those and get the same behavior. It also doesn't explain why barracuda058130353572.icfd3.org does resolve.
>
> PDNS is my master server and ns.whidbey.net/ns.whidbey.com are my slaves. I just added testing.icfd3.org and it was pushed out to the 2 slaves but the CNAME for sip.icfd3.org isn't even being pushed out to the slaves.
>
> From: Brian Candler
> Date: Sunday, December 4, 2022 at 11:20 PM
> To: Tony Annese, pdns-users@mailman.powerdns.com
> Subject: Re: [Pdns-users] CNAME Resolution
>
> On 05/12/2022 05:03, Tony Annese via Pdns-users wrote:
> > Here is the unobfuscated data.
>
> Thank you, because that now makes it possible to help you:
>
>     $ dig +norec @ns.whidbey.net. sip.icfd3.org. any
>     ...
>
>     ;; ANSWER SECTION:
>     sip.icfd3.org.    3600    IN    TXT    "v=spf1 mx include:ess.barracudanetworks.com include:spf.protection.outlook.com ~all"
>     sip.icfd3.org.    3600    IN    MX     0 d227914a.ess.barracudanetworks.com.
>     sip.icfd3.org.    3600    IN    MX     10 d227914b.ess.barracudanetworks.com.
>
> You cannot have other resource records alongside a CNAME. That's a requirement of the DNS, not of Powerdns specifically.
>
> You should put A/ records there. Or if you want to avoid the duplication of information, you can look into ALIAS records which do this for you.
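The two rules this thread turns on are easy to check before loading a zone: every owner name must be at or under the zone apex (the records above are under icdf3.org, a typo for icfd3.org, which is why pdnsutil reports them as out-of-zone), and a name that owns a CNAME may own nothing else (RFC 1034 section 3.6.2, which is the rule Brian cites for sip.icfd3.org). The following is an added example, not code from this thread or from PowerDNS, and it is not how pdnsutil itself is implemented: it applies both checks to a record list. The `Record` type and `check_zone` function are this example's own; the records are constructed from the values quoted in the thread, plus one made-up A record for testing.icfd3.org in the documentation range 192.0.2.0/24.

```python
"""Reproduce the out-of-zone and CNAME-coexistence checks offline.

Added example, not from the pdns-users thread or from PowerDNS. Records
below are constructed from the values quoted in the thread.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    content: str


def _canon(name: str) -> str:
    """Lower-case and drop the trailing dot so 'a.b.' and 'A.B' compare equal."""
    return name.lower().rstrip(".")


def is_in_zone(name: str, zone: str) -> bool:
    """True if name is the apex or a descendant of it (label boundary respected)."""
    n, z = _canon(name), _canon(zone)
    return n == z or n.endswith("." + z)


def check_zone(zone: str, records: list[Record]) -> list[str]:
    """Return one error string per problem, in the spirit of pdnsutil check-zone."""
    errors: list[str] = []
    types_at_name: dict[str, set[str]] = defaultdict(set)

    for r in records:
        if not is_in_zone(r.name, zone):
            errors.append(
                f"Record '{r.name} IN {r.rtype} {r.content}' in zone "
                f"'{zone}' is out-of-zone."
            )
        types_at_name[_canon(r.name)].add(r.rtype)

    # A CNAME owner may have no other records (RFC 1034 3.6.2). The fix Brian
    # gives is to publish the target's A records directly, or in PowerDNS an
    # ALIAS record, instead of the CNAME.
    for name, types in sorted(types_at_name.items()):
        if "CNAME" in types and len(types) > 1:
            others = ", ".join(sorted(types - {"CNAME"}))
            errors.append(
                f"Record '{name}' has a CNAME alongside {others}; "
                "a CNAME owner may have no other records."
            )
    return errors


THREAD_ZONE = "icfd3.org"
THREAD_RECORDS = [
    # Three of the out-of-zone records from the pdnsutil output (icdf3 typo).
    Record("enterpriseenrollment.icdf3.org", "CNAME", "enterpriseenrollment.manage.microsoft.com"),
    Record("sip.icdf3.org", "CNAME", "sipdir.online.lync.com"),
    Record("_sip._tls.icdf3.org", "SRV", "100 1 443 sipdir.online.lync.com"),
    # The in-zone conflict from Brian's dig output, with the intended CNAME added.
    Record("sip.icfd3.org", "TXT", '"v=spf1 mx include:ess.barracudanetworks.com include:spf.protection.outlook.com ~all"'),
    Record("sip.icfd3.org", "MX", "0 d227914a.ess.barracudanetworks.com."),
    Record("sip.icfd3.org", "CNAME", "sipdir.online.lync.com"),
    # Constructed: a plain in-zone record that should pass both checks.
    Record("testing.icfd3.org", "A", "192.0.2.10"),
]

if __name__ == "__main__":
    for err in check_zone(THREAD_ZONE, THREAD_RECORDS):
        print("[Error]", err)
```

Note that `is_in_zone` compares on a label boundary, so `xicfd3.org` is correctly rejected for zone `icfd3.org`; a plain `endswith` would accept it.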