> On 7 May 2025, at 16:19, Nacho Oppo <nachoopp...@gmail.com> wrote:
>
> Hi, Frank
>
> I believe I may not have explained the scenario clearly in my previous
> messages. Let me try to clarify it with a simplified example, which might
> better illustrate the situation:
>
> I have a server A with IP address dirip-A. When this server connects to
> servidor1.dominio.com, it must resolve to a
> specific point-to-point IP: diripservidor1-serverA.
>
> I also have a server B with IP address dirip-B. When this one connects to
> servidor1.dominio.com, it must resolve to a
> different IP: diripservidor1-serverB.
>
Yes, Pdns-auth with LUA records (in MySQL or other) are a good solution for this. That's not the issue.

> So, depending on the source of the DNS query, the same hostname
> (servidor1.dominio.com) must resolve to a
> different IP address. This is exactly the kind of logic that LUA records in
> PowerDNS can handle, and this part I have working as expected.
>
> However, the client also has another public server:
> servidorpublico.dominio.com, and this
> one must be resolved via an external DNS resolver (for example, Google DNS at
> 8.8.8.8), as it is not managed internally.
>
> What I’m struggling with is making the full combination work:
>
> Using LUA records for selected domains (like servidor1.dominio.com),
>
> And falling back to an external resolver for public domains (like
> servidorpublico.dominio.com) when no
> local data is found.
>

Key is that either dnsdist (best) or pdns-rec (second best) will need to know which names are to be resolved by pdns-auth. Solve that, you've solved it.

But don't try things like "have pdns-auth do resolving" or "intercept the nxdomain from auth and send elsewhere" or "have pdns-rec be auth".

Frank

> Best Regards
> Nacho
>
> On Wed, 7 May 2025 at 16:07, <fr...@kiwazo.be> wrote:
>> Hi Nacho,
>>
>> How "static" is the list of domains which need to resolve locally? Updated
>> sub-second? Once every minute? Once every hour?
>>
>> I would not use pdns-recursor at all. I would let dnsdist be the first point
>> of entry, with 2 pools: an "auth" pool and a resolver pool.
>>
>> Add the pdns-auth (with MySQL and Lua records) to the auth pool. Have
>> pdns-auth ONLY serve the special records, with the lua handling.
>>
>> Add 8.8.8.8 (and maybe 1.1.1.1/9.9.9.9 as well) to
>> the resolver pool.
>> Tell dnsdist to read a set of "special" domains from a
>> text file. Tell it that IF (and only IF) the qname is part of the domains
>> which is on the "special" list, it should send the query to the auth pool.
>> In every other case (normal resolving), send it to the resolving pool
>> (8.8.8.8 and others).
>>
>> To be VERY VERY VERY VERY clear: what you proposed in the first mail is very
>> very very very bad practice. If the scoring of the project is done by
>> somebody who has any real life experience with dns, you'd fail. We don't
>> want you to fail. So with the advice I and others on the list have given
>> you, please go back to the drawing board and rethink your design.
>>
>> Frank
>>
>>> On 7 May 2025, at 16:04, Nacho Oppo via Pdns-users
>>> <pdns-users@mailman.powerdns.com>
>>> wrote:
>>>
>>> Thanks William,
>>>
>>> I answer you between the lines
>>>
>>> 1. This is bad practice.
>>>
>>> It may be a bad practice, but it is the chosen one and it is the one that I
>>> hope will give me the approval.
>>>
>>>
>>> 2. The goal of an assignment can’t be to have someone else do it for you.
>>> What’s the point?
>>>
>>> I am clear that it has to be this way, I need to understand it in order to
>>> explain it.
>>>
>>>
>>> 3. What have you tried? “It doesn’t work” doesn’t indicate any effort.
>>>
>>> I've installed and uninstalled the software several times, run separate
>>> tests on the DNS server, and it resolves the names I put in the database.
>>> However, the moment I try to add another DNS server to resolv.conf, it
>>> stops responding to local DNS servers and goes online to look for them.
>>> When I installed the Recursor, things got even worse because, despite not
>>> having another DNS server in resolv.conf or the config, the service
>>> resolved names for me, and I don't really understand how it did it.
>>>
>>> 4. Should a Computer Science assignment really be this high-level?
>>>
>>> They proposed it to me and I thought it wouldn't be as complicated as it's
>>> turning out to be.
>>>
>>> Nacho.
>>>
>>> On Wed, 7 May 2025 at 10:27, William Edwards via Pdns-users
>>> (<pdns-users@mailman.powerdns.com>) wrote:
>>>> 1. This is bad practice.
>>>> 2. The goal of an assignment can’t be to have someone else do it for you.
>>>> What’s the point?
>>>> 3. What have you tried? “It doesn’t work” doesn’t indicate any effort.
>>>> 4. Should a Computer Science assignment really be this high-level?
>>>>
>>>> William Edwards
>>>>
>>>> > On 7 May 2025 at 10:04, Nacho Oppo via Pdns-users
>>>> > <pdns-users@mailman.powerdns.com> wrote:
>>>> >
>>>> >
>>>> > Dear "PowerDNS MailGroup",
>>>> >
>>>> > My name is Nacho, and I am a university student currently studying
>>>> > Computer Science. I’m working on my final-year project, which involves
>>>> > setting up a system that allows resolution of personal names using
>>>> > PowerDNS.
>>>> >
>>>> > The goal is to configure PowerDNS so that it first checks an A record in
>>>> > a MySQL backend, and if the record is not found or if the database doesn't
>>>> > respond, it should forward the query to an external DNS server, such as
>>>> > Google’s (8.8.8.8).
>>>> >
>>>> > From what I’ve read, this setup used to be possible directly with
>>>> > PowerDNS, but now it seems that the use of a separate PowerDNS Recursor
>>>> > in front is required. I’ve tried configuring it myself, but
>>>> > unfortunately, I haven’t been able to make it work properly.
>>>> >
>>>> > If someone could share a working configuration for both PowerDNS
>>>> > Authoritative and PowerDNS Recursor (for the current versions), or point
>>>> > me to a complete example, I would be truly grateful.
>>>> >
>>>> > Thank you in advance for your time and help.
>>>> >
>>>> > Best regards,
>>>> > Nacho
>>>> >
>>>> > _______________________________________________
>>>> > Pdns-users mailing list
>>>> > Pdns-users@mailman.powerdns.com
>>>> > https://mailman.powerdns.com/mailman/listinfo/pdns-users
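
The two-pool dnsdist layout described in the thread above, as an added example that is not part of the original messages or PowerDNS's own documentation. The listening address, client networks, the pdns-auth port 5300 and the list path /etc/dnsdist/special-domains.txt are assumptions.

```lua
-- dnsdist.conf sketch (added example). Addresses, networks and the list
-- path are assumptions; adjust to the deployment.
setLocal("0.0.0.0:53")
setACL({"127.0.0.0/8", "10.0.0.0/8"})  -- answer only known clients, not the internet

-- pdns-auth sees dnsdist as the query source, so pass the client address on
-- via EDNS Client Subnet (pdns-auth side: edns-subnet-processing=yes).
setECSSourcePrefixV4(32)

-- "auth" pool: pdns-auth (MySQL + Lua records), serving only the special names.
newServer({address="127.0.0.1:5300", pool="auth", useClientSubnet=true})

-- "resolver" pool: public resolvers for everything else (no ECS sent to them).
newServer({address="8.8.8.8", pool="resolver"})
newServer({address="1.1.1.1", pool="resolver"})
newServer({address="9.9.9.9", pool="resolver"})

-- Load the special domains, one per line; "#" starts a comment.
local special = newSuffixMatchNode()
local function loadSpecial(path)
  local f, err = io.open(path, "r")
  if not f then
    -- Without the list every internal name would go to the public pool.
    errlog("special-domain list unreadable: " .. tostring(err))
    return 0
  end
  local count = 0
  for line in f:lines() do
    local name = line:gsub("#.*$", ""):match("^%s*(.-)%s*$")
    if name ~= "" then
      local ok, dn = pcall(newDNSName, name)
      if ok then
        special:add(dn)
        count = count + 1
      else
        warnlog("ignoring invalid name in " .. path .. ": " .. name)
      end
    end
  end
  f:close()
  return count
end
infolog("loaded " .. loadSpecial("/etc/dnsdist/special-domains.txt") .. " special domains")

-- Rules are evaluated in order: listed names (and their subdomains) go to
-- pdns-auth, everything else to the public resolvers.
addAction(SuffixMatchNodeRule(special), PoolAction("auth"))
addAction(AllRule(), PoolAction("resolver"))
```

The list is read once at startup in this sketch, so a changed file takes effect only after dnsdist reloads its configuration.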