
I have a PDNS recursor and authoritative servers set up as the picture below suggests (DNS1). I have tried to set up a second DNS server in the same way the first is set up, but I am not getting any records on DNS2 from DNS1 (all I am getting is an "ignoring non-query opcode 4 from " line in the DNS2 recursor log).

[image: dns setup]

This is how my recursor.conf looks on DNS1

#recursor.conf

forward-zones-file=/etc/powerdns/forward.conf
forward-zones-recurse=.=<some ips>

local-port=53
local-address=<some ip>

This is how my pdns.conf looks on DNS1

#pdns.conf
default-soa-name=ns1.example.cz
allow-axfr-ips=<some ip>
daemon=yes
disable-axfr=no
local-address=127.0.0.1
local-port=53
master=yes
slave=no

launch=gmysql
gmysql-host=127.0.0.1
gmysql-user=<powerdns_user>
gmysql-dbname=<powerdns_db>
gmysql-password=<powerdns_pass>
gmysql-dnssec=no

#gentoo specific - no ipv6 support
query-local-address6=

My question is - is AXFR transfer even possible under these conditions? (e.g. does the recursor block the record transfer?)

edit: I keep confusing "recursor"(correct) and "precursor"(wrong). sorry!

edit2: Based on Habbie's suggestion, would this make more sense?

[image: dnsdist used for forwarding]

Jeff Schaller
GoodDog
  • Perhaps this can shed some light: https://mailman.powerdns.com/pipermail/pdns-users/2007-October/004838.html – schaiba Aug 19 '16 at 08:17
  • That would suggest that it isn't possible. The opcode 4 would have to be handed forward to the PowerDNS authoritative server behind the recursor, which it isn't - same as in my case. Can I therefore safely claim that this will not work? – GoodDog Aug 19 '16 at 08:22
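To see exactly what the DNS2 recursor is complaining about, here is an added example (not part of the question and not PowerDNS code) that decodes the header and question section of a DNS message. Opcode 4 in the header is NOTIFY (RFC 1996), the message a master sends to tell a slave that a zone changed; a recursor only handles opcode 0 (QUERY), so the NOTIFY from DNS1 never reaches the authoritative server behind the DNS2 recursor. The sample messages are constructed inline; the zone name example.cz is taken from the pdns.conf above, everything else is made up for the example.

```python
import struct

# Header field names (RFC 1035 opcodes; 4 = NOTIFY from RFC 1996, 5 = UPDATE from RFC 2136).
OPCODE_NAMES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}
QTYPE_NAMES = {1: "A", 2: "NS", 6: "SOA", 28: "AAAA", 251: "IXFR", 252: "AXFR"}


def encode_name(name: str) -> bytes:
    """Wire-encode a dotted name as length-prefixed labels (no compression)."""
    out = b""
    for label in [l for l in name.rstrip(".").split(".") if l]:
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_message(qname: str, qtype: int, opcode: int = 0, rd: bool = False,
                  aa: bool = False, msg_id: int = 0x1234) -> bytes:
    """Build a minimal one-question DNS message (constructed sample input)."""
    flags = (opcode & 0xF) << 11          # opcode lives in bits 11..14 of the flags word
    if aa:
        flags |= 1 << 10                  # AA: a NOTIFY from a master carries this
    if rd:
        flags |= 1 << 8                   # RD: "please recurse", set by stub resolvers
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def describe(msg: bytes) -> dict:
    """Decode the header and the first question of a DNS message."""
    msg_id, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    opcode = (flags >> 11) & 0xF
    pos, labels = 12, []
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return {
        "id": msg_id,
        "qr": (flags >> 15) & 1,
        "opcode": opcode,
        "opcode_name": OPCODE_NAMES.get(opcode, f"opcode{opcode}"),
        "aa": (flags >> 10) & 1,
        "rd": (flags >> 8) & 1,
        "qdcount": qdcount,
        "qname": ".".join(labels) + ".",
        "qtype": qtype,
        "qtype_name": QTYPE_NAMES.get(qtype, f"TYPE{qtype}"),
    }


def passes_recursor_opcode_check(msg: bytes) -> bool:
    """A recursor only processes opcode 0 (QUERY). Anything else is dropped at
    the door, which is the 'ignoring non-query opcode N' case from the question."""
    return describe(msg)["opcode"] == 0


if __name__ == "__main__":
    samples = {
        "NOTIFY from master": build_message("example.cz.", 6, opcode=4, aa=True),
        "AXFR request":       build_message("example.cz.", 252),
        "client lookup":      build_message("www.example.cz.", 1, rd=True),
    }
    for label, m in samples.items():
        d = describe(m)
        print(f"{label:20s} opcode={d['opcode_name']:7s} rd={d['rd']} "
              f"{d['qname']} {d['qtype_name']} "
              f"recursor_opcode_ok={passes_recursor_opcode_check(m)}")
```

Running it shows the NOTIFY failing the opcode check while the AXFR request and the ordinary lookup pass it; the AXFR would still not be answered by a recursor, but for a different reason (it is a query the recursor cannot serve), which is why the question's log only ever shows the NOTIFY being ignored.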

1 Answer

First of all, you should be aware that you cannot delegate domains to your recursors in this setup, even apart from the AXFR issue. If you intend to delegate domains, you will have to change your setup anyway.

The good news is that either way, dnsdist can fix your problems. Stick it in front, put auth and recursor both in the back, and use the functionality described at https://dnsdist.org/advanced/axfr.html to get the AXFRs to the auth server.

Habbie
  • Thank you Habbie - I knew I must have been doing something terribly wrong. Just to make sure, you suggest using dnsdist to forward (split) queries according to zone (see the 2nd picture above)...? – GoodDog Aug 22 '16 at 14:24
  • Yes, that makes sense. Alternatively you can do it based on the RD bit. – Habbie Aug 22 '16 at 19:11
  • But dnsdist has a problem with receiving notifications on the slave from the master (which is also behind dnsdist) – eset Aug 29 '19 at 18:44
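What the accepted answer and the RD-bit comment describe, written out as a dnsdist configuration. This is an added example, not the answer's or the dnsdist project's own configuration: dnsdist listens on the public address that the recursor used to occupy, the authoritative server and the recursor are moved to 127.0.0.1:5300 and 127.0.0.1:5301 (the question has both on port 53, so at least one of them has to move), 192.0.2.53 stands for DNS1's public address and 192.0.2.54 for DNS2; all of these addresses and ports are assumptions. NOTIFY (opcode 4), AXFR and IXFR go to the authoritative pool, queries without RD go there as well (Habbie's alternative), and everything else goes to the recursor.

```lua
-- Added example (not from the original answer). Assumed addresses:
--   192.0.2.53   DNS1 public address, now owned by dnsdist
--   192.0.2.54   DNS2, the only peer allowed to NOTIFY us or pull zones
--   127.0.0.1:5300  pdns_server   (moved off :53)
--   127.0.0.1:5301  pdns_recursor (moved off :53)
setLocal("192.0.2.53:53")
setACL({"0.0.0.0/0", "::/0"})   -- who may talk to dnsdist at all; narrow to taste

newServer({address = "127.0.0.1:5300", pool = "auth"})
newServer({address = "127.0.0.1:5301", pool = "recursor"})

-- Peers that are allowed to send NOTIFY and request zone transfers.
-- This takes over the job of allow-axfr-ips from pdns.conf, because the
-- authoritative server now only ever sees dnsdist's own source address.
local transferPeers = newNMG()
transferPeers:addMask("192.0.2.54/32")

-- 1. NOTIFY / AXFR / IXFR from anyone who is not a known peer: refuse at the edge.
addAction(AndRule({
    OrRule({
        OpcodeRule(DNSOpcode.Notify),   -- opcode 4, the one the recursor was ignoring
        QTypeRule(DNSQType.AXFR),
        QTypeRule(DNSQType.IXFR),
    }),
    NotRule(NetmaskGroupRule(transferPeers)),
}), RCodeAction(DNSRCode.REFUSED))

-- 2. The same traffic from a known peer belongs to the authoritative server.
addAction(OrRule({
    OpcodeRule(DNSOpcode.Notify),
    QTypeRule(DNSQType.AXFR),
    QTypeRule(DNSQType.IXFR),
}), PoolAction("auth"))

-- 3. Habbie's alternative split: a query without RD is not asking for
--    recursion, so it is meant for the authoritative server.
addAction(NotRule(RDRule()), PoolAction("auth"))

-- 4. Everything else is an ordinary recursive lookup.
addAction(AllRule(), PoolAction("recursor"))
```

Rule order matters: dnsdist evaluates `addAction` rules top to bottom and the first match wins, so the REFUSED rule has to precede the pool rule for the same traffic. The same setup on DNS2 explains eset's comment: once dnsdist is in front, the authoritative server behind it sees every NOTIFY arriving from dnsdist's address rather than from the master, so it has to be told to trust that proxy (PowerDNS Authoritative has a `trusted-notification-proxy` setting for this; check the version you run) or the transfer pipeline will stall at the NOTIFY step even though the AXFR rule is correct.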