Hello together, can anyone reproduce this problem or should I open a ticket on GitHub?
Thanks and best regards,
Markus

From: Markus Ehrlicher
Sent: Tuesday, 1 September 2020 11:53
To: pdns-users@mailman.powerdns.com
Subject: questions of understanding pdns-recursor with hosts-file

Hello together,

I'm a little confused about the "export-etc-hosts" switch. I use the latest pdns-recursor in version 4.3.3 on Ubuntu 20.04. Because of problems with firewall, NAT and external IPs, we have to redirect some (not all) DNS entries to internal IPs instead of publicly available IPs. For this purpose I installed this extra server, to insert the needed entries in the hosts-file, and activated "export-etc-hosts" in pdns-recursor.conf.

Now my problem: if the root domain (in my example benchmaxx.de) is included in this hosts-file, the recursor seems to feel authoritative for the whole domain and tries to answer all other requests for subdomains of benchmaxx.de (in my example test.benchmaxx.de) with NXDOMAIN. Here are the logs for this behavior:

Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: 3 [6/1] question for 'test.benchmaxx.de|A' from 10.10.2.26:45074
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: Wants DNSSEC processing, auth data in query for A
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: Looking for CNAME cache hit of 'test.benchmaxx.de|CNAME'
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: Looking for DNAME cache hit of 'test.benchmaxx.de|DNAME' or its ancestors
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: No CNAME or DNAME cache hit of 'test.benchmaxx.de' found
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: No cache hit for 'test.benchmaxx.de|A', trying to find an appropriate NS record
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: initial validation status for test.benchmaxx.de is Indeterminate
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: Cache consultations done, have 1 NS to contact
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: Domain is out-of-band
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: auth storage has data, zone='benchmaxx.de'
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: accept answer 'benchmaxx.de|SOA|localhost. root. 1 604800 86400 2419200 604800' from 'benchmaxx.de' nameservers? ttl=7200, place=2 YES! - This answer was retrieved from the local auth store.
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: determining status after receiving this packet
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: got negative caching indication for name 'test.benchmaxx.de' (accept=1), newtarget='(empty)'
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: status=NXDOMAIN, we are done (have negative SOA)
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: failed (res=3)
Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: 3 [6/1] answer to question 'test.benchmaxx.de|A': 0 answers, 0 additional, took 0 packets, 0 netw ms, 0 tot ms, 0 throttled, 0 timeouts, 0 tcp connections, rcode=3

If I comment out benchmaxx.de in the hosts-file, all is fine and the request for test.benchmaxx.de is answered correctly:

Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: 3 [1/1] question for 'test.benchmaxx.de|A' from 10.10.2.26:49295
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Wants DNSSEC processing, auth data in query for A
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Looking for CNAME cache hit of 'test.benchmaxx.de|CNAME'
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Looking for DNAME cache hit of 'test.benchmaxx.de|DNAME' or its ancestors
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: No CNAME or DNAME cache hit of 'test.benchmaxx.de' found
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: No cache hit for 'test.benchmaxx.de|A', trying to find an appropriate NS record
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: initial validation status for test.benchmaxx.de is Indeterminate
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Cache consultations done, have 1 NS to contact
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Domain has hardcoded nameservers
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de.: Nameservers: +217.119.211.10:53(2.11ms), +217.119.214.10:53(2.93ms)
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Resolved '.' NS (empty) to: 217.119.211.10, 217.119.214.10
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Trying IP 217.119.211.10:53, asking 'test.benchmaxx.de|A'
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Got 2 answers from (empty) (217.119.211.10), rcode=0 (No Error), aa=0, in 13ms
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: accept answer 'test.benchmaxx.de|A|2.2.2.2' from '.' nameservers? ttl=3600, place=1 YES! - This answer was received from a server we forward to.
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: OPT answer '.' from '.' nameservers
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: : got initial zone status Indeterminate for record test.benchmaxx.de|A
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: determining status after receiving this packet
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: answer is in: resolved to '2.2.2.2|A'
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: status=got results, this level of recursion done
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: validation status is Indeterminate
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: 3 [1/1] answer to question 'test.benchmaxx.de|A': 1 answers, 0 additional, took 1 packets, 13.069 netw ms, 13.317 tot ms, 0 throttled, 0 timeouts, 0 tcp connections, rcode=0
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: 3 [2/1] question for 'test.benchmaxx.de|AAAA' from 10.10.2.26:33182
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Wants DNSSEC processing, auth data in query for AAAA
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Looking for CNAME cache hit of 'test.benchmaxx.de|CNAME'
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Looking for DNAME cache hit of 'test.benchmaxx.de|DNAME' or its ancestors
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: No CNAME or DNAME cache hit of 'test.benchmaxx.de' found
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: No cache hit for 'test.benchmaxx.de|AAAA', trying to find an appropriate NS record
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: initial validation status for test.benchmaxx.de is Indeterminate
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Cache consultations done, have 1 NS to contact
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Domain has hardcoded nameservers
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de.: Nameservers: +217.119.214.10:53(2.93ms), +217.119.211.10:53(13.01ms)
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Resolved '.' NS (empty) to: 217.119.214.10, 217.119.211.10
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Trying IP 217.119.214.10:53, asking 'test.benchmaxx.de|AAAA'
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Got 2 answers from (empty) (217.119.214.10), rcode=0 (No Error), aa=0, in 11ms
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: accept answer 'benchmaxx.de|SOA|ns3.komsa.net. root.ns3.komsa.net. 2020090101 10800 3600 604800 3600' from '.' nameservers? ttl=3600, place=2 YES! - This answer was received from a server we forward to.
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: OPT answer '.' from '.' nameservers
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: determining status after receiving this packet
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: got negative caching indication for 'test.benchmaxx.de|AAAA'
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: status=noerror, other types may exist, but we are done (have negative SOA)
Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: 3 [2/1] answer to question 'test.benchmaxx.de|AAAA': 0 answers, 0 additional, took 1 packets, 11.155 netw ms, 11.244 tot ms, 0 throttled, 0 timeouts, 0 tcp connections, rcode=0

So my question is: is this behavior normal and intended?

Thanks and best regards,
Markus