Re: [Pdns-users] IPv4/IPv6 nameserver preference by recursor?

2010-06-16 Thread bert hubert
On Tue, Jun 15, 2010 at 05:10:11PM -0600, Darren Gamble wrote:
> We just wanted to get some information on how the recursor behaves when
> presented with a NS record set containing both IPv6 and IPv4 addresses,
> and/or if a NS record name has both A and AAAA records.
> 
> If there a preference by the recursor to prefer one protocol over the
> other?

"It depends" - by default, the PowerDNS Recursor is set up for maximum
performance and minimum worries. In this case, that means that you need to
manually enable the use of IPv6 for resolution.

From the manual:
 query-local-address6

  Send out local IPv6 queries from this address or addresses. Disabled by
  default, which also disables outgoing IPv6 support. Since version 3.2,
  multiple addresses can be specified, separated by a comma.

Since 3.1 or so, when query-local-address6 contains an address (:: works
fine), 'ANY' queries are used to get both the A and AAAA addresses for
nameservers in one go.

IPv4 and IPv6 are treated absolutely equally, which means that the IP4/6
address that answers fastest gets most of the queries. In many cases this
means that IPv4 will win.

The Recursor does not actively seek out IPv6 addresses for a host if it
already knows an IPv4 address for it and vice versa.

> How does the recursor handle a nameserver name with both A and AAAA
> record types?  Is it capable of using both if one is unreachable?  Is
> there a preference?

So, yes it can and will use both, and it will use the fastest address.

The PowerDNS Recursor can even resolve quite some domains when operating
with *only* IPv6.

From the log of a recursor with only IPv6:
[1] www.sidn.nl.: Resolved '.' NS c.root-servers.net. to: 192.33.4.12
[1] www.sidn.nl.: Trying IP 192.33.4.12:53, asking 'www.sidn.nl.|A'
[1] www.sidn.nl.: error resolving, possible error: Operation not permitted

[1] www.sidn.nl.: Resolved '.' NS f.root-servers.net. to: 2001:500:2f::f, 192.5.5.241
[1] www.sidn.nl.: Trying IP [2001:500:2f::f]:53, asking 'www.sidn.nl.|A'
[1] www.sidn.nl.: Got 19 answers from f.root-servers.net. (2001:500:2f::f), rcode=0, in 149ms

[1] www.sidn.nl.: Resolved 'nl.' NS ns3.nic.nl. to: 2001:610:0:800d::2, 194.171.17.2
[1] www.sidn.nl.: Trying IP [2001:610:0:800d::2]:53, asking 'www.sidn.nl.|A'
[1] www.sidn.nl.: Got 9 answers from ns3.nic.nl. (2001:610:0:800d::2), rcode=0, in 6ms

[1] www.sidn.nl.: Resolved 'sidn.nl.' NS open.nlnetlabs.nl. to: 213.154.224.1, 2001:7b8:206:1::53
[1] www.sidn.nl.: Trying IP 213.154.224.1:53, asking 'www.sidn.nl.|A'
[1] www.sidn.nl.: error resolving, possible error: Operation not permitted
[1] www.sidn.nl.: Trying IP [2001:7b8:206:1::53]:53, asking 'www.sidn.nl.|A'
[1] www.sidn.nl.: Got 11 answers from open.nlnetlabs.nl. (2001:7b8:206:1::53), rcode=0, in 5ms
[1] www.sidn.nl.: accept answer 'www.sidn.nl.|A|213.136.31.216' from 'sidn.nl.' nameservers? YES!

Interestingly, when we added the IPv6 %link selection code to the
development tree (by your suggestion), the IPv6 outgoing support got
broken in the process!

Your message led me to verify the 'IPv6 only' claim, which uncovered this.

Fix in http://wiki.powerdns.com/trac/changeset/1638 - so please keep asking
the questions ;-)

This bug was never in any released version.

Bert
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
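An added example, not part of Bert's message or of the PowerDNS code base: a small Python parser for trace lines in the format quoted above. It pairs each "Trying IP" line with the "error resolving" or "Got N answers" line that closes it, tags the attempt with its address family, and then summarises per family how many attempts failed and how fast the successful ones were. The log text embedded below is the trace from the message with the archive's line wrapping undone; the regular expressions are written against exactly those lines and are an assumption for any other recursor version.

```python
import re
import ipaddress

# Constructed sample: the trace lines quoted in the message above, with the
# archive's line wrapping undone so each event sits on one line.
SAMPLE_TRACE = """\
[1] www.sidn.nl.: Resolved '.' NS c.root-servers.net. to: 192.33.4.12
[1] www.sidn.nl.: Trying IP 192.33.4.12:53, asking 'www.sidn.nl.|A'
[1] www.sidn.nl.: error resolving, possible error: Operation not permitted
[1] www.sidn.nl.: Resolved '.' NS f.root-servers.net. to: 2001:500:2f::f, 192.5.5.241
[1] www.sidn.nl.: Trying IP [2001:500:2f::f]:53, asking 'www.sidn.nl.|A'
[1] www.sidn.nl.: Got 19 answers from f.root-servers.net. (2001:500:2f::f), rcode=0, in 149ms
[1] www.sidn.nl.: Resolved 'nl.' NS ns3.nic.nl. to: 2001:610:0:800d::2, 194.171.17.2
[1] www.sidn.nl.: Trying IP [2001:610:0:800d::2]:53, asking 'www.sidn.nl.|A'
[1] www.sidn.nl.: Got 9 answers from ns3.nic.nl. (2001:610:0:800d::2), rcode=0, in 6ms
[1] www.sidn.nl.: Resolved 'sidn.nl.' NS open.nlnetlabs.nl. to: 213.154.224.1, 2001:7b8:206:1::53
[1] www.sidn.nl.: Trying IP 213.154.224.1:53, asking 'www.sidn.nl.|A'
[1] www.sidn.nl.: error resolving, possible error: Operation not permitted
[1] www.sidn.nl.: Trying IP [2001:7b8:206:1::53]:53, asking 'www.sidn.nl.|A'
[1] www.sidn.nl.: Got 11 answers from open.nlnetlabs.nl. (2001:7b8:206:1::53), rcode=0, in 5ms
[1] www.sidn.nl.: accept answer 'www.sidn.nl.|A|213.136.31.216' from 'sidn.nl.' nameservers? YES!
"""

# Patterns for the four line shapes used here (assumed from the quoted log).
RESOLVED_RE = re.compile(r"Resolved '(?P<zone>[^']*)' NS (?P<ns>\S+) to: (?P<addrs>.*)$")
TRYING_RE = re.compile(
    r"Trying IP (?:\[(?P<v6>[0-9a-fA-F:]+)\]|(?P<v4>[0-9.]+)):(?P<port>\d+), asking '(?P<q>[^']*)'")
ERROR_RE = re.compile(r"error resolving, possible error: (?P<err>.*)$")
GOT_RE = re.compile(
    r"Got (?P<n>\d+) answers from (?P<ns>\S+) \((?P<ip>[^)]+)\), rcode=(?P<rcode>\d+), in (?P<ms>\d+)ms")


def parse_trace(text):
    """Turn trace lines into a list of per-attempt dicts.

    A 'Trying IP' line opens an attempt; the next 'error resolving' or
    'Got N answers' line closes it. The error line names no server, so the
    'Resolved ... NS ... to:' lines are used to map an IP back to the
    nameserver name it was learned for.
    """
    ip_to_ns = {}
    attempts = []
    current = None
    for line in text.splitlines():
        m = RESOLVED_RE.search(line)
        if m:
            for addr in m.group("addrs").split(","):
                addr = addr.strip()
                if addr:
                    ip_to_ns[addr] = m.group("ns")
            continue
        m = TRYING_RE.search(line)
        if m:
            ip = m.group("v6") or m.group("v4")
            current = {"ip": ip, "family": ipaddress.ip_address(ip).version,
                       "ns": ip_to_ns.get(ip, "?"), "question": m.group("q"),
                       "ok": None, "ms": None, "rcode": None, "error": None}
            attempts.append(current)
            continue
        m = ERROR_RE.search(line)
        if m and current is not None:
            current["ok"] = False
            current["error"] = m.group("err")
            current = None
            continue
        m = GOT_RE.search(line)
        if m and current is not None:
            current["ok"] = True
            current["ms"] = int(m.group("ms"))
            current["rcode"] = int(m.group("rcode"))
            current["ns"] = m.group("ns")
            current = None
    return attempts


def summarize(attempts):
    """Per address family: attempts made, failures, mean latency of successes."""
    out = {}
    for a in attempts:
        s = out.setdefault(a["family"], {"tried": 0, "failed": 0, "latencies": []})
        s["tried"] += 1
        if a["ok"] is False:
            s["failed"] += 1
        elif a["ok"] and a["ms"] is not None:
            s["latencies"].append(a["ms"])
    for s in out.values():
        s["mean_ms"] = sum(s["latencies"]) / len(s["latencies"]) if s["latencies"] else None
    return out


if __name__ == "__main__":
    att = parse_trace(SAMPLE_TRACE)
    for a in att:
        state = "ok %dms" % a["ms"] if a["ok"] else "FAIL (%s)" % a["error"]
        print("IPv%d %-22s %-22s %s" % (a["family"], a["ip"], a["ns"], state))
    print(summarize(att))
```

On the sample this reports two IPv4 attempts, both failing with "Operation not permitted" (the expected result on an IPv6-only host), and three IPv6 attempts that all succeeded; run on a real trace (`--trace` output) it shows which family the recursor is actually winning on.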


Re: [Pdns-users] Running pdns-recursor without internet access

2010-06-16 Thread bert hubert
On Mon, Jun 14, 2010 at 11:56:01AM +0200, Wouter van Bommel wrote:
> Since a slave zone is not an option for the external domain I tried to
> setup the pdns-recursor.  This works nice.  But it does give me error
> regarding 'not being able to update .  zone'.  Which is explainable since
> there is no internet connection.
> 
> What is the best way in the above setup to get rid of these message's?

You could set up a root-hints file, or even hardcode the root-zone. In
general, the PowerDNS Recursor is not set up very well for running without
access to something that behaves as a root server.

I think that if you download a root-zone from
ftp://rs.internic.net/domain/root.zone and remove the last TXT line
('plenus'), you can feed it to PowerDNS as:

auth-zones=.=root.zone

This might solve your problem after the initial root-priming error.

Bert




[Pdns-users] PDNS Recursor and reverse lookup

2010-06-16 Thread Uroš Gruber
Hi,

I've set up pdns_recursor and everything works as expected except one thing.
dig-ing reverse lookups returns nothing. With bind i have no such problems.
I've tested a bunch of IPs and I didn't get any answers.

Is this normal, and does pdns_recursor not support this, or is there a secret
setting I need to enable?

I'm using latest PDNS_recursor on FreeBSD and i only set local-ip in config.

regards

Uros


Re: [Pdns-users] PDNS Recursor and reverse lookup

2010-06-16 Thread bert.hub...@netherlabs.nl
Can you show your exact dig command line and the result from powerdns and bind?

This is all supposed to work :)

Sent from my phone.

- Reply message -
From: "Uroš Gruber" 
Date: Wed, Jun 16, 2010 10:01
Subject: [Pdns-users] PDNS Recursor and reverse lookup
To: 



Re: [Pdns-users] PDNS Recursor and reverse lookup

2010-06-16 Thread Uroš Gruber
Hi,

here is result from one of IP

[r...@host1 ~]#dig @91.185.194.202 118.167.130.182

; <<>> DiG 9.4.3-P2 <<>> @91.185.194.202 118.167.130.182
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7121
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;118.167.130.182. IN A

;; AUTHORITY SECTION:
. 10774 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2010061600 1800 900 604800 86400

;; Query time: 0 msec
;; SERVER: 91.185.194.202#53(91.185.194.202)
;; WHEN: Wed Jun 16 10:31:49 2010
;; MSG SIZE  rcvd: 108

[r...@host1 ~]#dig @91.185.194.206 118.167.130.182

; <<>> DiG 9.4.3-P2 <<>> @91.185.194.206 118.167.130.182
; (1 server found)
;; global options:  printcmd
;; connection timed out; no servers could be reached
[r...@host1 ~]#host  118.167.130.182 91.185.194.202
Using domain server:
Name: 91.185.194.202
Address: 91.185.194.202#53
Aliases:

182.130.167.118.in-addr.arpa domain name pointer 118-167-130-182.dynamic.hinet.net.
[r...@host1 ~]#host  118.167.130.182 91.185.194.206
;; connection timed out; no servers could be reached

One thing I didn't quite understand is that bind has a root.hint file but
powerdns does not. Could this be a problem?

regards

Uros



Re: [Pdns-users] PDNS Recursor and reverse lookup

2010-06-16 Thread bert hubert
On Wed, Jun 16, 2010 at 10:34:30AM +0200, Uroš Gruber wrote:
> Hi,
> 
> here is result from one of IP

Try adding -x to the command line. From the 'dig' manpage: 

'The default query type is "A", unless the -x option is supplied to indicate
 a reverse lookup.'

> [r...@host1 ~]#dig @91.185.194.202 118.167.130.182
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7121
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

This answer is correct.

> One thing I didn't quite understand is that bind have root.hint file but
> powerdns does not. Could this be a problem?

PowerDNS Recursor has a built-in root.hint file (and can also load one from
disk), so this is not the problem.

Bert
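An added example, not from the thread or from PowerDNS, showing in Python what the `-x` flag changes. Without it dig takes `118.167.130.182` as a hostname and asks for its A record, a name no zone holds, so the root SOA comes back with NXDOMAIN as in the output above; with it dig asks for the PTR record of `182.130.167.118.in-addr.arpa`. The code builds that reversed name for IPv4 and IPv6, and also assembles the DNS wire-format query and decodes the header fields dig prints, so the difference is visible at the packet level. The sample addresses are the ones from the thread; everything else (function names, the transaction id) is the example's own.

```python
import ipaddress
import struct


def reverse_name(addr):
    """Return the in-addr.arpa / ip6.arpa name that 'dig -x' queries.

    IPv4: the four octets reversed under in-addr.arpa. IPv6: all 32 hex
    nibbles of the expanded address, reversed, under ip6.arpa. Equivalent
    to ipaddress.ip_address(addr).reverse_pointer, written out here so the
    construction is visible.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ".".join(reversed(addr.split("."))) + ".in-addr.arpa"
    nibbles = ip.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def query_for(arg, reverse):
    """What dig sends for 'arg': (qname, qtype).

    Without -x the argument is treated as a hostname and queried for A, so
    '118.167.130.182' becomes the name '118.167.130.182.' (NXDOMAIN from the
    root, as in the thread). With -x it is a PTR query for the reversed name.
    """
    if reverse:
        return reverse_name(arg) + ".", "PTR"
    return arg.rstrip(".") + ".", "A"


QTYPES = {"A": 1, "PTR": 12, "AAAA": 28}


def encode_name(name):
    """DNS wire-format name: length-prefixed labels, terminated by a 0 byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, qtype, txid=0x1234):
    """Minimal DNS query: 12-byte header with RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPES[qtype], 1)


RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def parse_header(packet):
    """Decode the header fields that dig prints in its HEADER and flags lines."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


if __name__ == "__main__":
    for arg in ("118.167.130.182", "2001:7b8:206:1::53"):
        print(arg, "->", query_for(arg, reverse=True))
    print("118.167.130.182 without -x ->", query_for("118.167.130.182", reverse=False))
    pkt = build_query(*query_for("118.167.130.182", reverse=True), txid=7121)
    print(pkt.hex())
    print(parse_header(pkt))
```

The same confusion shows up in the `host` output in the thread: `host` reverses an address argument by itself, which is why it returned the PTR while the bare `dig` did not.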


Re: [Pdns-users] PDNS Recursor and reverse lookup

2010-06-16 Thread Leen Besselink

On 06/16/2010 10:34 AM, Uroš Gruber wrote:
> Hi,

Hello Uroš,

> here is result from one of IP
>
> [r...@host1 ~]#dig @91.185.194.202  118.167.130.182

I think you might have a mistake there.

The proper command with dig would be, -x is for reverse address lookup:

dig @91.185.194.202 -x 118.167.130.182

> ; <<>> DiG 9.4.3-P2 <<>> @91.185.194.202 118.167.130.182
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7121
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;118.167.130.182. IN A

As you can see above it does an A-record query, not a PTR-record
(reverse address) query.

> ;; AUTHORITY SECTION:
> . 10774 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2010061600 1800 900 604800 86400
>
> ;; Query time: 0 msec
> ;; SERVER: 91.185.194.202#53(91.185.194.202)
> ;; WHEN: Wed Jun 16 10:31:49 2010
> ;; MSG SIZE  rcvd: 108
>
> [r...@host1 ~]#dig @91.185.194.206 118.167.130.182
>
> ; <<>> DiG 9.4.3-P2 <<>> @91.185.194.206 118.167.130.182
> ; (1 server found)
> ;; global options:  printcmd
> ;; connection timed out; no servers could be reached
> [r...@host1 ~]#host 118.167.130.182 91.185.194.202
> Using domain server:
> Name: 91.185.194.202
> Address: 91.185.194.202#53
> Aliases:
>
> 182.130.167.118.in-addr.arpa domain name pointer 118-167-130-182.dynamic.hinet.net.
>
> [r...@host1 ~]#host 118.167.130.182 91.185.194.206
> ;; connection timed out; no servers could be reached

I'm really surprised this does not work. I've never seen that happen.

Normally PowerDNS works just fine with that.

Did you make any 'forward-zones' settings?

I would look at these settings first:

allow-from

Comma separated netmasks (both IPv4 and IPv6) that are allowed to use the
server. The default allows access only from RFC 1918 private IP addresses,
like 10.0.0.0/8. Due to the aggressive nature of the internet these days, it
is highly recommended to not open up the recursor for the entire internet.
Questions from IP addresses not listed here are ignored and do not get an
answer.

allow-from-file

Like allow-from, except reading from file. Overrides the 'allow-from'
setting. To use this feature, supply one netmask per line, with optional
comments preceded by a #. Available since 3.1.5.

As it seems you didn't get any answer at all.

Maybe you could send us the output of the following command:

grep -v '^#' recursor.conf | grep -v '^$'

that way we can see what settings you've used.

> One thing I didn't quite understand is that bind have root.hint file
> but powerdns does not. Could this be a problem?

There is a default root.hint built-in, you can specify 'your own' with
the 'hint-file' option.

Hope this helps,
Leen.


[Pdns-users] pDNS Recursor and forward-zones-file

2010-06-16 Thread Sebastian Laubscher
Hi Mates.

We're experiencing some "strange" behavior with pDNS Recursor (3.2 "static") 
and the forward-zones-file. Our Recursors are configured to forward a few 
hundred zones to other DNS servers, so our config is something like...:

forward-zones-file=/path/to/file

and the file itself contains multiple lines like...:

+zone.example=1.2.3.4,2.3.4.5
+example.domain=4.3.2.1

The thing is: if the Recursor forwards a query for zone.example to the 
authoritative server 1.2.3.4 which is down or not responding, the query fails. 
Every query after this one will resolve correctly with 2.3.4.5. 

So, as soon as the first DNS server in line is offline, every Recursor will 
send at least one "query failed" to the clients before switching to the next 
server. Wouldn't it be more reliable to change the behavior to the opposite? 
First ask the other servers and only if no servers could be reached, send an 
error?

What if there are more than one zones on an offline server?

+zone.example=1.2.3.4,2.3.4.5
+other.example=1.2.3.4,2.3.4.5
+even.more.example=1.2.3.4,6.7.8.9
+last.example=1.2.3.4,4.3.2.1

Will there be one query error per server or per zone, before switching to the 
next IP?


Or did I get this wrong? 
Anyone with the same problem? 

Thanks,
  Sebastian
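An added example, not part of the post or of PowerDNS: a Python checker for a forward-zones-file in the `zone=server,server` shape shown above. It answers the operational question the post raises, which zones share an upstream and would therefore all be affected when that one server goes down, and it refuses malformed lines rather than skipping them, since a typo in this file silently changes where client queries are sent. The file content is constructed from the post's own lines; reading the leading `+` as "forward with recursion desired" is an assumption, and the `ip:port` handling is the example's own convention, so check both against the manual for your version.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the syntax quoted in the post, not a real deployment.
# The leading '+' is assumed here to mean "forward with recursion desired".
SAMPLE_FILE = """\
# constructed example
+zone.example=1.2.3.4,2.3.4.5
+other.example=1.2.3.4,2.3.4.5
+even.more.example=1.2.3.4,6.7.8.9
+last.example=1.2.3.4,4.3.2.1
example.domain=4.3.2.1
"""


def parse_forward_zones(text):
    """Parse lines into {zone: {"recurse": bool, "servers": [addr, ...]}}.

    Raises ValueError on a line without '=', a server that is not an IP
    address, an empty server list, or a zone listed twice.
    """
    zones = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        recurse = line.startswith("+")
        if recurse:
            line = line[1:]
        if "=" not in line:
            raise ValueError("line %d: expected zone=server[,server]: %r" % (lineno, raw))
        zone, servers = line.split("=", 1)
        zone = zone.strip().rstrip(".").lower()
        addrs = []
        for s in servers.split(","):
            s = s.strip()
            if not s:
                continue
            # Assumed convention: exactly one colon means IPv4 host:port;
            # anything else is a bare IPv4 or IPv6 address.
            host = s.split(":")[0] if s.count(":") == 1 else s
            ipaddress.ip_address(host)          # ValueError on garbage
            addrs.append(s)
        if not addrs:
            raise ValueError("line %d: no servers for %s" % (lineno, zone))
        if zone in zones:
            raise ValueError("line %d: zone %s listed twice" % (lineno, zone))
        zones[zone] = {"recurse": recurse, "servers": addrs}
    return zones


def check_file(text):
    """(True, None) if the file parses, else (False, reason)."""
    try:
        parse_forward_zones(text)
    except ValueError as e:
        return False, str(e)
    return True, None


def blast_radius(zones):
    """Upstream server -> every zone that lists it anywhere."""
    by_server = defaultdict(list)
    for zone, cfg in zones.items():
        for s in cfg["servers"]:
            by_server[s].append(zone)
    return dict(by_server)


def first_hop_exposure(zones):
    """Upstream server -> zones that list it first.

    If the first listed server really is tried first, as the post reports,
    these are the zones whose clients see the failure when it is down.
    """
    first = defaultdict(list)
    for zone, cfg in zones.items():
        first[cfg["servers"][0]].append(zone)
    return dict(first)


def single_server_zones(zones):
    """Zones with no failover target at all."""
    return sorted(z for z, c in zones.items() if len(set(c["servers"])) == 1)


if __name__ == "__main__":
    z = parse_forward_zones(SAMPLE_FILE)
    for server, affected in sorted(blast_radius(z).items()):
        print("%-10s used by %d zone(s): %s" % (server, len(affected), ", ".join(affected)))
    print("first-hop exposure:", first_hop_exposure(z))
    print("no failover:", single_server_zones(z))
```

On the sample, 1.2.3.4 is the first hop for all four `+` zones, which is the "one error per zone" case the post asks about, and example.domain has no second server at all.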


Re: [Pdns-users] Possible tcp listener issue

2010-06-16 Thread Simon Bedford

bert hubert wrote:
> On Tue, Jun 15, 2010 at 02:23:04PM +0100, Simon Bedford wrote:
>>> It contains some other exciting stuff too, and it appears to be stable for
>>> production use.
>>
>> I have now built a static package and installed to 2 of the 8
>> servers after testing in isolation, they appear to be running fine
>> and I can use the rec_control get tcp-clients now to see the number
>> reported.  We will monitor the new package for a week before rolling
>> out to the rest of the servers and let you know how that goes.
>
> Ok - please check the 'get tcp-clients' every once in a while. I personally
> expect that this version will still see tcp support die after a while under
> your conditions.
>
> Bert

I have been running the 'get tcp-clients' every 5 mins in cron on both
servers, one is very low <10 and fluctuates, the other is just growing
and growing and is currently at 55, hope this info is of value for debug.

Simon


Re: [Pdns-users] Possible tcp listener issue

2010-06-16 Thread bert hubert
On Wed, Jun 16, 2010 at 11:10:29AM +0100, Simon Bedford wrote:
> I have been running the 'get tcp-clients' every 5 mins in cron on
> both servers, one is very low <10 and fluctuates, the other is just
> growing and growing and is currently at 55, hope this info is of
> value for debug.

Is there any difference between these two servers in terms of:
* Operating system
* Number of processors
* Network configuration (load balancer?)
* Use (mail servers versus residential internet connections?)
* Anything else that comes to mind

Thanks!


Re: [Pdns-users] Possible tcp listener issue

2010-06-16 Thread Simon Bedford

Please see answers below :-

bert hubert wrote:
> On Wed, Jun 16, 2010 at 11:10:29AM +0100, Simon Bedford wrote:
>> I have been running the 'get tcp-clients' every 5 mins in cron on
>> both servers, one is very low <10 and fluctuates, the other is just
>> growing and growing and is currently at 55, hope this info is of
>> value for debug.
>
> Is there any difference between these two servers in terms of:
> * Operating system

No, both Debian Etch

> * Number of processors

No, slightly faster processors in the one with the most clients

> * Network configuration (load balancer?)

Different data centre but same network architecture, both loadbalanced.

> * Use (mail servers versus residential internet connections?)

No, config is identical and use is only as a caching DNS and NTP server

> * Anything else that comes to mind

Nothing appears to be different, they are from a build that should be
identical across the platform, although we will be looking to upgrade to
Lenny in the near future.

> Thanks!

Thanks

Simon


Re: [Pdns-users] pDNS Recursor and forward-zones-file

2010-06-16 Thread bert.hub...@netherlabs.nl
Hi,

Do you have --trace output of what you describe? This is not expected 
behaviour. Trace will show what is going on.

Bert.

Sent from my phone.



Re: [Pdns-users] pDNS Recursor and forward-zones-file

2010-06-16 Thread Sebastian Laubscher
Hi again,

> Do you have --trace output of what you describe? This is not 
> expected behaviour. Trace will show what is going on.
Sorry for the waste of time - I don't know how I produced this
behavior, but now everything works as expected. 

Don't fuzzle with our test environment ;-)

Egg on my head,
  Sebastian


Re: [Pdns-users] PDNS Recursor and reverse lookup

2010-06-16 Thread Curtis Maurand


dig ptr @91.185.194.202 118.167.130.182.in-addr.arpa

# dig ptr 60.42.39.24.in-addr.arpa

; <<>> DiG 9.4.3-P5 <<>> ptr 60.42.39.24.in-addr.arpa
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52636
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;60.42.39.24.in-addr.arpa.  IN  PTR

;; ANSWER SECTION:
60.42.39.24.in-addr.arpa. 86400 IN  PTR acolyte.xyonet.com.

;; Query time: 87 msec
;; SERVER: 10.0.1.3#53(10.0.1.3)
;; WHEN: Wed Jun 16 13:45:23 2010
;; MSG SIZE  rcvd: 74



Curtis

