[Pdns-users] questions of understanding pdns-recursor with hosts-file

Markus Ehrlicher via Pdns-users Tue, 01 Sep 2020 02:52:58 -0700

Hello together,

I'am a little confused about the "export-etc-hosts"-switch. I use latest 
pdns-recursor in version 4.3.3 on Ubuntu 20.04.
Because of problems with firewall, NAT and external IPs, we have to redirect 
some (not all) DNS-Entries to internal IPs instead of public available IPs. For 
this purpose I installed this extra server, to insert the needed entries in the 
hosts-file and activated "export-etc-hosts" in pdns-recursor.conf.


Now my problem: if the root domain (in my example benchmaxx.de) is included in 
this hosts-file, the recursor seems to feel authoritative for the whole domain 
and trys to answers all other requests for subdomains from benchmaxx.de (in my 
example test.benchmaxx.de) with NXDOMAIN.
Here are the logs for this behavior:

Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: 3 [6/1] question for 
'test.benchmaxx.de|A' from 10.10.2.26:45074
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: Wants DNSSEC 
processing, auth data in query for A
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: Looking for 
CNAME cache hit of 'test.benchmaxx.de|CNAME'
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: Looking for 
DNAME cache hit of 'test.benchmaxx.de|DNAME' or its ancestors
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: No CNAME or 
DNAME cache hit of 'test.benchmaxx.de' found
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: No cache hit 
for 'test.benchmaxx.de|A', trying to find an appropriate NS record
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: initial 
validation status for test.benchmaxx.de is Indeterminate
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: Cache 
consultations done, have 1 NS to contact
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: Domain is 
out-of-band
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: auth storage 
has data, zone='benchmaxx.de'
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: accept 
answer 'benchmaxx.de|SOA|localhost. root. 1 604800 86400 2419200 604800' from 
'benchmaxx.de' nameservers? ttl=7200, place=2 YES! - This answer was retrieved 
from the local auth store.
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: determining 
status after receiving this packet
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: got negative 
caching indication for name 'test.benchmaxx.de' (accept=1), newtarget='(empty)'
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: 
status=NXDOMAIN, we are done (have negative SOA)
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: failed 
(res=3)
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: 3 [6/1] answer to question 
'test.benchmaxx.de|A': 0 answers, 0 additional, took 0 packets, 0 netw ms, 0 
tot ms, 0 throttled, 0 timeouts, 0 tcp connections, rcode=3

If I comment out benchmaxx.de in the hosts-file, all is fine and the request 
for test.benchmaxx.de is answered correctly:

Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: 3 [1/1] question for 
'test.benchmaxx.de|A' from 10.10.2.26:49295
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Wants DNSSEC 
processing, auth data in query for A
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Looking for 
CNAME cache hit of 'test.benchmaxx.de|CNAME'
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Looking for 
DNAME cache hit of 'test.benchmaxx.de|DNAME' or its ancestors
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: No CNAME or 
DNAME cache hit of 'test.benchmaxx.de' found
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: No cache hit 
for 'test.benchmaxx.de|A', trying to find an appropriate NS record
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: initial 
validation status for test.benchmaxx.de is Indeterminate
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Cache 
consultations done, have 1 NS to contact
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Domain has 
hardcoded nameservers
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de.: 
Nameservers: +217.119.211.10:53(2.11ms), +217.119.214.10:53(2.93ms)
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Resolved '.' 
NS (empty) to: 217.119.211.10, 217.119.214.10
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Trying IP 
217.119.211.10:53, asking 'test.benchmaxx.de|A'
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Got 2 
answers from (empty) (217.119.211.10), rcode=0 (No Error), aa=0, in 13ms
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: accept 
answer 'test.benchmaxx.de|A|2.2.2.2' from '.' nameservers? ttl=3600, place=1 
YES! - This answer was received from a server we forward to.
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: OPT answer 
'.' from '.' nameservers
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: : got initial zone status 
Indeterminate for record test.benchmaxx.de|A
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: determining 
status after receiving this packet
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: answer is 
in: resolved to '2.2.2.2|A'
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: status=got 
results, this level of recursion done
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: validation 
status is Indeterminate
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: 3 [1/1] answer to question 
'test.benchmaxx.de|A': 1 answers, 0 additional, took 1 packets, 13.069 netw ms, 
13.317 tot ms, 0 throttled, 0 timeouts, 0 tcp connections, rcode=0
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: 3 [2/1] question for 
'test.benchmaxx.de|AAAA' from 10.10.2.26:33182
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Wants DNSSEC 
processing, auth data in query for AAAA
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Looking for 
CNAME cache hit of 'test.benchmaxx.de|CNAME'
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Looking for 
DNAME cache hit of 'test.benchmaxx.de|DNAME' or its ancestors
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: No CNAME or 
DNAME cache hit of 'test.benchmaxx.de' found
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: No cache hit 
for 'test.benchmaxx.de|AAAA', trying to find an appropriate NS record
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: initial 
validation status for test.benchmaxx.de is Indeterminate
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Cache 
consultations done, have 1 NS to contact
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Domain has 
hardcoded nameservers
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de.: 
Nameservers: +217.119.214.10:53(2.93ms), +217.119.211.10:53(13.01ms)
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Resolved '.' 
NS (empty) to: 217.119.214.10, 217.119.211.10
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Trying IP 
217.119.214.10:53, asking 'test.benchmaxx.de|AAAA'
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Got 2 
answers from (empty) (217.119.214.10), rcode=0 (No Error), aa=0, in 11ms
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: accept 
answer 'benchmaxx.de|SOA|ns3.komsa.net. root.ns3.komsa.net. 2020090101 10800 
3600 604800 3600' from '.' nameservers? ttl=3600, place=2 YES! - This answer 
was received from a server we forward to.
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: OPT answer 
'.' from '.' nameservers
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: determining 
status after receiving this packet
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: got negative 
caching indication for 'test.benchmaxx.de|AAAA'
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: 
status=noerror, other types may exist, but we are done (have negative SOA)
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: 3 [2/1] answer to question 
'test.benchmaxx.de|AAAA': 0 answers, 0 additional, took 1 packets, 11.155 netw 
ms, 11.244 tot ms, 0 throttled, 0 timeouts, 0 tcp connections, rcode=0

So my question is: is this behavior normal and intended?

Thanks and best regards,
Markus

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users

[Pdns-users] questions of understanding pdns-recursor with hosts-file

Reply via email to