
pdns Version: 0.0.2081g7b9b55d (Master branch and version 4.1)
pdns-recursor Version: 0.0.1960g7b9b55d (Master branch and version 4.1)
dnsdist Version: 1.2.0

There are 3 servers with a Galera backend; on two of them there are pdns + pdns-recursor + dnsdist.

Configs from one of them:

/etc/pdns-recursor/recursor.conf

setuid=pdns-recursor
setgid=pdns-recursor
local-address=127.0.0.1
local-port=5301
hint-file=/etc/pdns-recursor/root.zone
allow-from=127.0.0.0/8

/etc/pdns/pdns.conf

setuid=pdns
setgid=pdns
launch=gmysql
gmysql-host=127.0.0.1
gmysql-user=powerdns_user
gmysql-dbname=powerdns
gmysql-password=
allow-axfr-ips=127.0.0.0/8, 192.0.2.5/32
cache-ttl=60
control-console=no
default-soa-name=ns2.example.ru
default-soa-mail=support@example.ru
default-ttl=3600
disable-axfr=no
local-port=5300
local-address=127.0.0.1
do-ipv6-additional-processing=yes
log-dns-queries=yes
logging-facility=0
loglevel=4
master=yes
max-queue-length=5000
max-tcp-connections=20

/etc/dnsdist/dnsdist.conf

setLocal('127.0.0.1')
addLocal('192.0.1.5')
setACL({'0.0.0.0/0', '::/0'}) -- Allow all IPs access
newServer({address='127.0.0.1:5300', pool='auth'})
newServer({address='127.0.0.1:5301', pool='recursor'})
recursive_ips = newNMG()
recursive_ips:addMask('127.0.0.0/8')
recursive_ips:addMask('192.0.1.0/24')
recursive_ips:addMask('192.0.2.0/24')
addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))
addAction(AllRule(), PoolAction('auth'))

There are domains at the Authoritative server. e.g. google123.com

When I try to resolve this name from the IPs allowed in recursive_ips, including @127.0.0.1, I get this:

# dig ANY google123.com @192.0.1.5

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.1 <<>> ANY google123.com @192.0.1.5
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 54293
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google123.com.         IN  ANY

;; AUTHORITY SECTION:
com.            2118    IN  SOA a.dns.ripn.net. hostmaster.ripn.net. 4032536 86400 14400 2592000 3600

;; Query time: 64 msec
;; SERVER: 192.0.1.5#53(192.0.1.5)
;; WHEN: Sat Jan 27 01:11:38 MSK 2018
;; MSG SIZE  rcvd: 102

If I try to resolve this domain from another network, I get this:

# dig ANY google123.com @192.0.1.5
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.1 <<>> ANY google123.com @192.0.1.5
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34025
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;google123.com.                  IN      ANY

;; ANSWER SECTION:
google123.com.           86400   IN      A       192.0.1.7
google123.com.           86400   IN      NS      ns1.example.ru.
google123.com.           86400   IN      NS      ns2.example.ru.
google123.com.           86400   IN      SOA     ns1.example.ru. hostmaster.example.ru. 2018012603 28800 7200 604800 86400

;; ADDITIONAL SECTION:
ns1.example.ru.         86400   IN      A       192.0.1.5
ns2.example.ru.         86400   IN      A       192.0.2.5

;; Query time: 3 msec
;; SERVER: 192.0.1.5#53(192.0.1.5)
;; WHEN: Fri Jan 26 23:16:29 CET 2018
;; MSG SIZE  rcvd: 181

It seems that the recursor got the answer and it's OK.

How can I set up dnsdist so that the IPs in recursive_ips get answers for the records of the domains on the Authoritative server? I tried different ways, but none of them worked.

  • Please don't use IP addresses which belong to others in your question. If you need example IP addresses, [see here](https://meta.serverfault.com/q/963/126632). – Michael Hampton Jan 26 '18 at 22:36

1 Answer

Dnsdist will use the first matching action. With your config it will, depending on the source address, prefer the "recursor" pool, or otherwise use the "auth" pool. I.e., one or the other will be used to answer the current query, not some combination of the two.

Based on the results, it sounds like there is no delegation in place for the domains you have on pdns-auth, so when queries go to pdns-rec it has no way of resolving your local domains.

There are multiple ways of addressing this, depending on what the end goal actually is.

Options for making pdns-rec work with your domains

  • Generally sensible option: get delegations in place for your zones on pdns-auth (you'll need this for the rest of the world to be able to resolve your domains, anyway).

  • Alternative for local testing: configure pdns-rec with e.g. forward-zones to specifically tell it where to find your domains (e.g. `forward-zones=example.org=192.0.2.1, example.net=192.0.2.1`). This will obviously only work locally and may require configuring negative trust anchors (addNTA in Lua configuration) if DNSSEC validation is enabled.

Option for making dnsdist always send queries for your zones directly to pdns-auth

  • You could configure dnsdist with a list of all your zone names and always direct those to the "auth" pool. I.e., construct a SuffixMatchNode with all your zone names and combine it with your rules. I suppose you could do something like `addAction(AndRule({ NetmaskGroupRule(recursive_ips), NotRule(SuffixMatchNodeRule(my_zones)) }), PoolAction('recursor'))` (or even just list the suffixes inline).
Håkan Lindqvist
  • I tried to add forward-zones for pdns-recursor, but this way recursor queries don't work and the server can't resolve any domain. – Roman Bogachev Jan 26 '18 at 23:42
  • @RomanBogachev What specifically did you do and in what way did it not work? – Håkan Lindqvist Jan 26 '18 at 23:43
  • In the pdns-recursor config I added `forward-zones=google123.com=192.0.1.7`. Now with @127.0.0.1 I get the records of that domain, but servers which use this DNS server can't resolve any domains. – Roman Bogachev Jan 26 '18 at 23:52
  • @RomanBogachev Can you clarify "can't resolve"? Dig output, maybe? Also, please add any relevant information to the question. – Håkan Lindqvist Jan 26 '18 at 23:57
  • In `/etc/pdns-recursor/recursor.conf` I add `forward-zones=example123.com=127.0.0.1:5300` and restart pdns-recursor. After `dig ANY example123.ru @192.0.1.7` on a server in the network 192.0.1.0/24, or on the DNS server `dig ANY example123.ru @127.0.0.1`, I get the records from the Authoritative server. But if I ping any domain, I get the error `ping: example.com: Name or service not known`. – Roman Bogachev Jan 27 '18 at 00:06
  • @RomanBogachev Is that equivalent to what these hosts normally do? – Håkan Lindqvist Jan 27 '18 at 00:09
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/72308/discussion-between-roman-bogachev-and-hakan-lindqvist). – Roman Bogachev Jan 27 '18 at 00:12
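The dnsdist rule ordering that the answer's last bullet sketches, written out as a complete `dnsdist.conf`. This is an added example, not configuration from the question or from the PowerDNS project; it reuses the addresses, pools and `recursive_ips` group from the question, and the zone list `my_zones` (with `google123.com` as its only member) is an assumption standing in for whatever zones the Authoritative server actually hosts. It goes slightly beyond the answer: instead of the `AndRule`/`NotRule` combination it relies on dnsdist's first-match behaviour by putting the "our zones go to auth" rule first, which makes the negation unnecessary.

```lua
-- Added example (not from the original question or answer): dnsdist.conf that
-- routes queries for locally hosted zones to the Authoritative server for
-- every client, and routes everything else from the recursion-allowed
-- networks to the recursor. Addresses are the ones from the question;
-- my_zones is an assumed list standing in for the real set of hosted zones.

setLocal('127.0.0.1')
addLocal('192.0.1.5')

-- dnsdist itself accepts queries from anywhere. That is only acceptable
-- because the rules below confine unknown sources to the 'auth' pool; if the
-- recursor pool were reachable from 0.0.0.0/0 this would be an open resolver.
setACL({'0.0.0.0/0', '::/0'})

newServer({address='127.0.0.1:5300', pool='auth'})
newServer({address='127.0.0.1:5301', pool='recursor'})

-- Client networks that are allowed to recurse (from the question).
recursive_ips = newNMG()
recursive_ips:addMask('127.0.0.0/8')
recursive_ips:addMask('192.0.1.0/24')
recursive_ips:addMask('192.0.2.0/24')

-- Zones served by the local PowerDNS Authoritative server (assumed list).
-- SuffixMatchNode matches the name and everything below it, so
-- www.google123.com is routed the same way as google123.com. A subzone that
-- is delegated to some other server would need its own, earlier rule.
my_zones = newSuffixMatchNode()
my_zones:add(newDNSName('google123.com'))
-- my_zones:add(newDNSName('second-zone.example'))  -- add each hosted zone

-- Rule 1: names under our own zones always go to the Authoritative server,
-- whatever the source address. Being first, it wins over rule 2, so the
-- NotRule(SuffixMatchNodeRule(...)) from the answer is not needed here.
addAction(SuffixMatchNodeRule(my_zones), PoolAction('auth'))

-- Rule 2: recursion for the listed networks only (all remaining names).
addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))

-- Rule 3: everybody else gets authoritative service only, never recursion.
addAction(AllRule(), PoolAction('auth'))
```

After reloading, `dig google123.com @192.0.1.5` from a host inside `recursive_ips` should come back with the `aa` flag and the records shown in the second dig output of the question, since the query now reaches pdns-auth directly; `dig example.com @192.0.1.5` from that same host should still be answered by the recursor. From a host outside `recursive_ips`, a query for a name that is not in `my_zones` lands on pdns-auth, which does not recurse, so that client never gets recursive service regardless of the permissive ACL. If the `AndRule`/`NotRule` form from the answer is preferred, it is equivalent, but only the ordering above lets rule 1 be dropped.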