PowerDNS: forward requests for nonexistent records to another server for the same domain?

Question

Say I have two DNS servers providing records for a private domain.

DNS1: 192.168.1.10 - PowerDNS on Linux, primary authoritative
DNS2: 192.168.1.11 - Windows DNS for a custom application, acting as authoritative
Domain: mydomain.com

DNS1 is a "static" server and hosts a handful of A records that rarely or never change:

server-01.mydomain.com
gateway.mydomain.com
test.mydomain.com

DNS2 is a server accepting dynamic updates which connects with a custom application that requires Windows DNS, and hosts A records which can change in realtime:

dyn-100.mydomain.com
dyn-101.mydomain.com
iot-lights.mydomain.com
...

As is, both servers are "authoritative" for mydomain.com. However, they're each hosting different records. Both servers also host a reverse lookup domain with appropriate PTR records for the A records they know about.

I do not want to have to configure multiple DNS servers on clients.

Can I configure the PowerDNS server to automatically query the other server if it itself doesn't have a record that can fulfill the request?

Example: if I query DNS1 to lookup dyn-100.mydomain.com, it doesn't have a record for that host - so normally a NXDOMAIN reply would be delivered. Instead, I'd like DNS1, upon finding it can't fulfill the request, to query DNS2; if DNS2 replies with a valid record, DNS1 should forward that record on to the client. If DNS2 does not have a record either, then DNS1 should send the NXDOMAIN.

I understand that in this case DNS1 would likely be caching for DNS2 - that's fine as long as DNS1 obeys the TTL. That way I can setup dynamic records with low TTLs.

The same should work for PTR records in the reverse zone - if dyn-100.mydomain.com is at 192.168.1.100, then querying DNS1 for 100.1.168.192.in-addr.arpa should return dyn-100.mydomain.com. from DNS2.

The SOA record is configured to match on both hosts, so this isn't a problem, but in the (not a good idea) instance that the SOA's differ, the server being queried should return its SOA since it has one. In other words, DNS1 should only call over to DNS2 if it can't fulfill the request itself for the domain.

Is this possible?

EDIT: I would be OK with the idea of some form of replication, but I do not know if this is possible between Windows and PowerDNS. As in, I'd be happy with a scenario wherein once per hour, the PowerDNS server one-way syncs data from the Windows server, adding, updating and deleting records as necessary, and then having all queries come off the PowerDNS server. The caveat here is that records which exist locally in the PowerDNS server must never be removed, but records that the Windows server has had removed must be removed from the PowerDNS server. Putting the static records into the Windows DNS server won't work as it will interfere with the custom application.

Answer 1

If you put each of your static As (of which you do not appear to have many) into a zone of their own (so one zone per name!), you can just AXFR mydomain.com from Windows on every update. PowerDNS will allow the more specific zones to override the content in mydomain.com.

Alternatively, configure explicit forwarding in whatever recursor you are using - putting the list of static records in it pointing to DNS1 and the rest of the zone to DNS2.

If you don't want to do that in your recursor, you could put dnsdist on DNS1 to do the same splitting, but this again will require you to list the static names explicitly.

Answer 2

Yes you can do, but what is the point of having multiple DNS servers if clients are just going to get one!

you can use forward ( only | first ); with
forwarders { ip_addr [port ip_port] ; [ ip_addr [port ip_port] ; ... ] };
in your zone section. more info here