I'm working through upgrading from 4.4 to the latest version, tackling issues one at a time. I'm trying to get usable log info on who I'm getting queries from. I've never used ECS/EDNS before, but I think it's what I need to use to get what I want. I use dnsdist in front of both my recursor and auth server, all on the name server; same for my secondary. Please look at my config and tell me what you think. I understand that the logs are showing what's actually happening, as the query is from 127.0.0.1. I'd just like to be able to get the originator IP too if possible.
Another thing, I'm not sure zone updates are being accepted by the secondary. Is there anything different you have to do that changed since 4.4? It's like it sees the update from the loopback rather than from the primary. Not sure if it's related to any of the ECS/EDNS options. Thanks.

Running:
> openbsd-7.2
> dnsdist-1.7.2
> powerdns-4.6.3
> powerdns-recursor-4.7.3

Log showing dnsdist IP rather than originating client:
> pdns_recursor[67506]: 3 [1230/1] question for 'chat-e2ee-mini.c10r.facebook.com|A' from 127.0.0.1:34556

pdns.conf:
> setuid=_powerdns
> launch=gsqlite3
> gsqlite3-database=/var/db/pdns/pdns.sqlite3
> gsqlite3-dnssec
> allow-axfr-ips=192.168.100.14
> also-notify=192.168.100.14
> daemon=yes
> edns-subnet-processing=yes
> guardian=yes
> local-address=127.0.0.1:5300
> loglevel=5
> primary=yes
> secondary=no

recursor.conf:
> setuid=_pdns_recursor
> setgid=_pdns_recursor
> chroot=/var/pdns_recursor
> allow-from=127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10
> daemon=yes
> disable-syslog=no
> dnssec-log-bogus=yes
> forward-zones=mydomain.com=127.0.0.1:5300
> forward-zones+=sub.mydomain.com=127.0.0.1:5300
> forward-zones+=sub.otherdomain.org=127.0.0.1:5300
> local-address=127.0.0.1:5301
> log-common-errors=yes
> log-rpz-changes=yes
> logging-facility=0
> loglevel=4
> quiet=no

dnsdist.conf:
> setLocal('192.168.100.13:53')
> addLocal('127.0.0.1:53')
> setACL({'0.0.0.0/0', '::/0'}) -- Allow all IPs access
> setECSOverride(true)
> setECSSourcePrefixV4(32)
> setECSSourcePrefixV6(128)
> newServer({address='127.0.0.1:5300', pool='auth', useClientSubnet=true})
> newServer({address='127.0.0.1:5301', pool='recursor', useClientSubnet=true})
> recursive_ips = newNMG()
> recursive_ips:addMask('10.0.0.0/8') -- These network masks are the ones from allow-recursion in the Authoritative Server
> recursive_ips:addMask('192.168.0.0/16')
> recursive_ips:addMask('172.16.0.0/12')
> recursive_ips:addMask('127.0.0.0/24')
> addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))
> addAction(AllRule(), PoolAction('auth'))
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
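
As an added example that is not part of the original post: with `useClientSubnet=true` and `setECSSourcePrefixV4(32)`, the originating address travels to the backend inside an EDNS Client Subnet option (RFC 7871) in the query's OPT record, while the socket peer stays 127.0.0.1. The sketch below builds such a query and recovers the client network from it; the function names and the sample addresses used with it are constructed for illustration.

```python
import ipaddress
import struct

ECS_OPTION, OPT_TYPE = 8, 41  # EDNS option code (RFC 7871), OPT RR type

def build_query_with_ecs(qname, client_ip, prefix_len):
    """Constructed sample: A query with an OPT record carrying an ECS option."""
    addr = ipaddress.ip_address(client_ip)
    family = 1 if addr.version == 4 else 2
    # Only the bytes covered by the source prefix go on the wire.
    ecs = struct.pack("!HBB", family, prefix_len, 0) + addr.packed[:(prefix_len + 7) // 8]
    option = struct.pack("!HH", ECS_OPTION, len(ecs)) + ecs
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0, len(option)) + option
    return header + question + opt

def skip_name(msg, pos):
    """Advance past a DNS name (labels or a compression pointer)."""
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + length
        if length == 0:
            return pos

def extract_ecs(msg):
    """Return (client network, scope prefix) from the ECS option, or None."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        pos = skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        rdata, pos = msg[pos + 10:pos + 10 + rdlen], pos + 10 + rdlen
        i = 0
        while rtype == OPT_TYPE and i + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[i:i + 4])
            body, i = rdata[i + 4:i + 4 + olen], i + 4 + olen
            if code != ECS_OPTION or len(body) < 4:
                continue
            family, source, scope = struct.unpack("!HBB", body[:4])
            if family not in (1, 2):
                return None
            cls, size = ((ipaddress.IPv4Network, 4) if family == 1
                         else (ipaddress.IPv6Network, 16))
            raw = body[4:].ljust(size, b"\x00")[:size]
            return cls((raw, source), strict=False), scope
    return None
```

A /32 or /128 source prefix carries the full client address; a shorter prefix only identifies the client's network.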