PowerDNS and CNAME to external domain - dns

I'm using PowerDNS (2.9.22) for my clients, because it can store all data in a MySQL database and it's easy for clients to edit their zones as they like.
Now I have a problem with CNAMEs:
Here are the records in the MySQL database:
+-----------------------+-------+-----------------------+
| localhost.example.com | A     | 127.0.0.1             |
| a.example.com         | CNAME | localhost.example.com |
| www.example.com       | CNAME | andreyzentavr.com     |
+-----------------------+-------+-----------------------+
PowerDNS config is here:
allow-recursion=127.0.0.1, 173.193.**.162, 173.193.**.163
allow-recursion-override=on
cache-ttl=20
config-dir=/etc/powerdns
daemon=yes
default-soa-name=ns3.bserver.com
disable-axfr=yes
guardian=no
launch=gmysql
gmysql-host=127.0.0.1
gmysql-port=3306
gmysql-user=powerdns
gmysql-dbname=powerdns
gmysql-password=123123
lazy-recursion=yes
local-address=173.193.**.162, 173.193.**.163
local-port=53
log-dns-details=yes
log-failed-updates=yes
logfile=/var/log/pdns.log
loglevel=6
master=yes
max-queue-length=5000
max-tcp-connections=10
module-dir=/usr/lib/powerdns
query-logging=yes
recursor=127.0.0.1:53
setgid=pdns
setuid=pdns
skip-cname=no
slave=yes
slave-cycle-interval=600
soa-minimum-ttl=3600
soa-refresh-default=10800
soa-retry-default=3600
soa-serial-offset=0
socket-dir=/var/run
use-logfile=yes
wildcards=yes
version-string=powerdns
When I do an nslookup query, I get this:
server:~# nslookup
> set q=any
> server ns3.***.com
Default server: ns3.***.com
Address: 173.193.**.163#53
> a.example.com
Server: ns3.***.com
Address: 173.193.***.163#53
a.example.com canonical name =localhost.example.com.
Name: localhost.example.com
Address: 127.0.0.1
>
>
> www.example.com
Server: ns3.***.com
Address: 173.193.***.163#53
** server can't find www.example.com: NXDOMAIN
As you can see, if the CNAME points to an INTERNAL record, everything resolves fine. But if it points to an external domain, I get an error.
andreyzentavr.com is an existing domain and points to 194.126.204.41.
Is it a bug in PowerDNS, or did I configure it wrongly?

The solution is to put the recursor in front of the authoritative server and configure the recursor to forward specific domains to the authoritative server using the forward-zones-recurse directive. This requires version 3.2 of the recursor.
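Added illustration of the arrangement this answer describes; it is neither the asker's configuration nor part of the answer. 192.0.2.10 (a documentation address) stands in for the public address the authoritative server used to listen on, 5300 is an arbitrary loopback port, and example.com is the zone from the question. The recursor takes the public port and hands only the hosted zones to the authoritative process; the authoritative process loses every recursion-related setting.

```ini
# --- recursor.conf (PowerDNS Recursor 3.2 or later): the public-facing server ---
# Listens where the authoritative server used to listen (assumed address).
local-address=192.0.2.10
local-port=53
# Only your own clients may recurse; never 0.0.0.0/0, that is an open resolver.
allow-from=127.0.0.0/8, 192.0.2.0/24
# Queries for zones you host go to the authoritative process on loopback;
# everything else, including the target of the www.example.com CNAME,
# is resolved on the Internet by the recursor itself.
forward-zones-recurse=example.com=127.0.0.1:5300

# --- pdns.conf (Authoritative Server): moved behind the recursor ---
local-address=127.0.0.1
local-port=5300
launch=gmysql
# gmysql-* settings as before
# Dropped: recursor=, allow-recursion=, allow-recursion-override=, lazy-recursion=
# The authoritative server now only answers for its own zones; a CNAME to an
# outside name is returned as-is and the recursor in front chases it.
```

If the authoritative server also exchanges zones with other servers (the posted config has master=yes and slave=yes), give it an address those peers can reach instead of loopback only, and keep disable-axfr or an explicit allow-axfr-ips so the move does not open zone transfers.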

Usually, with DNS, if you want to point a CNAME to an external record, you have to add a period to the end of the record (sub.domain.com.). When you leave off the final dot, DNS interprets it as a relative record (so sub.domain.com would be interpreted as sub.domain.com.domain.com, for example).
I would assume since you have an 'A' record for localhost.example.com set up in your database, PowerDNS sees that and knows that's the domain you mean to point to, even though you didn't make the other CNAME absolute (localhost.example.com.) or relative (just localhost in the hostname).
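The zone-file rule this answer refers to, applied mechanically, plus a lint for the classic forgotten-trailing-dot mistake. This is an added example, not code from the answer or from PowerDNS; the sample zone is constructed in the shape of the question's records with relative owner names under origin example.com., and the "ok" record is added to show the correct absolute form of an external target.

```python
"""Added example (not part of the answer above): the zone-file rule it describes,
applied mechanically, plus a lint for the classic forgotten-trailing-dot mistake."""

from typing import List, Tuple

Record = Tuple[str, str, str]  # (owner, type, rdata) exactly as written in the zone file


def qualify(name: str, origin: str) -> str:
    """Zone-file rule (RFC 1035 section 5.1): a name ending in '.' is absolute and
    is used as-is, '@' stands for the origin, and anything else is relative, so
    the origin is appended. 'sub.domain.com' under origin 'domain.com.' therefore
    becomes 'sub.domain.com.domain.com.'."""
    if not origin.endswith("."):
        raise ValueError("origin must be absolute, e.g. 'example.com.'")
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def qualify_zone(records: List[Record], origin: str) -> List[Record]:
    """Qualify owner names and, for record types whose rdata is a domain name, the target."""
    name_rdata_types = {"CNAME", "NS", "PTR", "DNAME"}
    out: List[Record] = []
    for owner, rtype, rdata in records:
        target = qualify(rdata, origin) if rtype in name_rdata_types else rdata
        out.append((qualify(owner, origin), rtype, target))
    return out


def suspicious_cname_targets(records: List[Record], origin: str) -> List[Tuple[str, str]]:
    """Flag CNAME targets written without a trailing dot that contain a dot (so they
    look like a complete name) yet do not exist as an owner in this zone once
    qualified: almost always an external name that a missing dot turned into
    <target>.<origin>. Returns (qualified owner, qualified target) pairs."""
    owners = {owner for owner, _, _ in qualify_zone(records, origin)}
    hits: List[Tuple[str, str]] = []
    for owner, rtype, rdata in records:
        if rtype != "CNAME" or rdata.endswith(".") or "." not in rdata:
            continue
        target = qualify(rdata, origin)
        if target not in owners:
            hits.append((qualify(owner, origin), target))
    return hits


# Constructed sample zone in the shape of the question's records (relative owners,
# origin example.com.); 'ok' shows the correct absolute form of an external target.
SAMPLE_ZONE: List[Record] = [
    ("localhost", "A", "127.0.0.1"),
    ("a", "CNAME", "localhost"),              # relative, resolves inside the zone
    ("www", "CNAME", "andreyzentavr.com"),    # missing dot: becomes andreyzentavr.com.example.com.
    ("ok", "CNAME", "andreyzentavr.com."),    # absolute: points outside the zone
]

if __name__ == "__main__":
    for rec in qualify_zone(SAMPLE_ZONE, "example.com."):
        print(rec)
    print("suspicious:", suspicious_cname_targets(SAMPLE_ZONE, "example.com."))
```

Note that this is the text-zone-file rule; PowerDNS with the gmysql backend stores names fully qualified without a trailing dot, which is why the answer can only speculate about what the server does with the asker's records.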

Related

Unbound does not give a record of the reverse zone

I have an unbound + nsd setup; nsd has the reverse zones configured and serves them normally:
nslookup 91.232.162.225 127.0.0.53
225.162.232.91.in-addr.arpa name = mysite.com.
And there are two configs in unbound for addresses on the local subnet:
server:
    local-zone: "10.in-addr.arpa." nodefault    # zone type assumed here; it was cut off in the post
stub-zone:
    name: "10.in-addr.arpa."
    stub-addr: 127.0.0.53
and external addresses:
server:
    local-zone: "91.in-addr.arpa." nodefault    # zone type assumed here; it was cut off in the post
stub-zone:
    name: "91.in-addr.arpa."
    stub-addr: 127.0.0.53
Everything is fine with local addresses, but for some reason it doesn't work with external addresses:
nslookup 91.232.162.225
;; Got SERVFAIL reply from 91.232.162.225, trying next server
** server can't find 10.162.232.91.in-addr.arpa: NXDOMAIN
Maybe someone has faced this: how do I write the stub-zone for an external IP correctly?
Thanks

RPZ (response policy zone) in Windows Server 2019?

BIND9 has a very good feature, RPZ.
You can create a DNS zone (e.g. malware) and add malicious domains to it.
The DNS server then answers with my defined IP address, aka a DNS firewall.
[zone file]
...
$ORIGIN com.malware.
$TTL 5 ; 5 seconds
example A 127.0.0.1
[request]
$ dig example.com +short
127.0.0.1
[log]
(example.com): rpz QNAME Local-Data rewrite example.com/A/IN via example.com.malware
I'm wondering whether Windows Server 2019 DNS has the same native functionality.
I read all the documentation regarding DNS Policy without any luck.
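A minimal model of RPZ QNAME-trigger evaluation, so the zone, dig output and log line in the question can be read mechanically. This is an added example, not part of the question and not BIND's code; the policy zone text is constructed for it (its first record is the one shown in the question, the rest demonstrate the other RPZ actions), and the wildcard and NODATA handling is a simplification of the RPZ specification.

```python
"""Added example, not part of the question: a minimal model of RPZ QNAME-trigger
evaluation (as BIND's RPZ implements it). The policy zone text is constructed for
this example; wildcard and NODATA handling are simplified."""

from typing import Dict, List, Optional, Tuple

RR = Tuple[str, str]             # (type, rdata)
PolicyZone = Dict[str, List[RR]]


def parse_policy_zone(text: str, default_origin: str) -> PolicyZone:
    """Tiny zone-file reader: $ORIGIN/$TTL directives, ';' comments, and
    'owner [ttl] [IN] type rdata' lines. Relative owners get the current origin."""
    origin = default_origin if default_origin.endswith(".") else default_origin + "."
    zone: PolicyZone = {}
    for raw in text.splitlines():
        parts = raw.split(";", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "$ORIGIN":
            origin = parts[1] if parts[1].endswith(".") else parts[1] + "."
            continue
        if parts[0] == "$TTL":
            continue
        owner, rest = parts[0], parts[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest.pop(0)                      # optional TTL and class
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        fq = origin if owner == "@" else (owner if owner.endswith(".") else f"{owner}.{origin}")
        zone.setdefault(fq.lower(), []).append((rtype, rdata))
    return zone


def rpz_lookup(qname: str, qtype: str, policy_zone: str,
               zone: PolicyZone) -> Tuple[Optional[str], Optional[str]]:
    """QNAME trigger: the policy record is looked up at <qname>.<policy zone>, then at
    '*.<parent>.<policy zone>' for each parent of qname, most specific first.
    The rdata encodes the action:
      CNAME .             -> NXDOMAIN
      CNAME *.            -> NODATA
      CNAME rpz-passthru. -> exempt, resolve normally
      any other data      -> Local Data (answer with it; NODATA if the type differs)
    Returns (action, rdata-or-None); (None, None) means no policy applies."""
    suffix = policy_zone.rstrip(".").lower()
    name = qname.rstrip(".").lower()
    labels = name.split(".")
    candidates = [f"{name}.{suffix}."] + [
        f"*.{'.'.join(labels[i:])}.{suffix}." for i in range(1, len(labels))
    ]
    for trigger in candidates:
        rrs = zone.get(trigger)
        if not rrs:
            continue
        for rtype, rdata in rrs:
            if rtype == "CNAME":
                if rdata == ".":
                    return ("nxdomain", None)
                if rdata == "*.":
                    return ("nodata", None)
                if rdata.lower() == "rpz-passthru.":
                    return ("passthru", None)
                return ("local-data", rdata)       # CNAME into a walled garden
            if rtype == qtype.upper():
                return ("local-data", rdata)
        return ("nodata", None)                    # trigger matched, no RR of that type
    return (None, None)


# Constructed policy zone; the first record is the one shown in the question.
POLICY_ZONE_TEXT = """
$ORIGIN com.malware.
$TTL 5 ; 5 seconds
example A 127.0.0.1
$ORIGIN malware.
bad.example        CNAME .               ; NXDOMAIN
*.tracker.example  CNAME *.              ; NODATA for every subdomain
allowed.example    CNAME rpz-passthru.   ; exempt from policy
"""
POLICY = parse_policy_zone(POLICY_ZONE_TEXT, "malware.")

if __name__ == "__main__":
    for q in ("example.com", "bad.example", "cdn.tracker.example", "allowed.example", "good.example"):
        print(q, rpz_lookup(q, "A", "malware.", POLICY))
```

The log line in the question ("rpz QNAME Local-Data rewrite example.com/A/IN via example.com.malware") is exactly the first path through rpz_lookup: the trigger example.com.malware. matched and an A record of the queried type was present.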

How do I make dig use a source IP other than localhost while querying a DNS server running locally on my machine?

I am trying to run a coredns plugin https://github.com/coredns/demo that returns 1.1.1.1 for 172.0.0.0/8 or 127.0.0.0/8 and 8.8.8.8 for everything else.
I run the binary and try to make a request from dig using dig example.org @localhost -p1053 +short, which returns 1.1.1.1 since the request is sent from localhost.
Is there any way I can send a request from dig to coredns so that it looks to the DNS server as if it were sent from another IP, and it will return 8.8.8.8 instead?

From the dig manual:

    -b address[#port]
        Set the source IP address of the query. The address must be a valid address on one of the
        host's network interfaces, or "0.0.0.0" or "::". An optional port may be specified by
        appending "#<port>".

Otherwise, if the server supports ECS (EDNS Client Subnet) you can use the dig option +subnet=addr to give it to the server and see how its reply changes.
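What dig +subnet= actually puts on the wire is the EDNS Client Subnet option of RFC 7871. The following is an added example, not from the question or the answer and not dig's code: it encodes and decodes that option by hand and shows the distinction an ECS-aware server draws between the packet's source address (which is what dig -b changes and which must belong to the host) and the client subnet carried in the option. Addresses are from the documentation ranges.

```python
"""Added example (not from the question or the answer): the EDNS Client Subnet
option (RFC 7871) that `dig +subnet=...` sends, encoded and decoded by hand."""

import ipaddress
import struct
from typing import Optional, Tuple

ECS_OPTION_CODE = 8  # IANA EDNS option code for CLIENT-SUBNET


def ecs_option(subnet: str, scope: int = 0) -> bytes:
    """Encode OPTION-CODE, OPTION-LENGTH, FAMILY (1=IPv4, 2=IPv6), SOURCE PREFIX-LENGTH,
    SCOPE PREFIX-LENGTH and the address truncated to ceil(prefix/8) bytes. Bits past
    the prefix must be zero, so 203.0.113.77/24 goes on the wire as 203.0.113.0/24."""
    net = ipaddress.ip_network(subnet, strict=False)   # strict=False zeroes the host bits
    family = 1 if net.version == 4 else 2
    addr = net.network_address.packed[: (net.prefixlen + 7) // 8]
    body = struct.pack("!HBB", family, net.prefixlen, scope) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def parse_ecs_option(data: bytes) -> Tuple[str, int, int]:
    """Decode one ECS option; returns (address, source prefix, scope prefix).
    Rejects the malformed shapes RFC 7871 tells a server to answer with FORMERR."""
    code, length = struct.unpack("!HH", data[:4])
    if code != ECS_OPTION_CODE or len(data) != 4 + length:
        raise ValueError("not a well-formed CLIENT-SUBNET option")
    family, prefix, scope = struct.unpack("!HBB", data[4:8])
    full = {1: 4, 2: 16}.get(family)
    if full is None:
        raise ValueError("unknown address family")
    addr = data[8:]
    if prefix > full * 8 or len(addr) != (prefix + 7) // 8:
        raise ValueError("address length does not match family/prefix")
    padded = addr + b"\x00" * (full - len(addr))
    net = ipaddress.ip_network(f"{ipaddress.ip_address(padded)}/{prefix}", strict=False)
    if net.network_address.packed != padded:
        raise ValueError("non-zero bits beyond the prefix")
    return str(net.network_address), prefix, scope


def effective_client(source_ip: str, ecs: Optional[bytes]) -> str:
    """What an ECS-aware server keys its answer on: the option's subnet if the query
    carried one, otherwise the UDP/TCP source address. A server without ECS support
    only ever sees the source address, which is what `dig -b` changes."""
    if ecs is None:
        bits = 32 if ipaddress.ip_address(source_ip).version == 4 else 128
        return f"{source_ip}/{bits}"
    address, prefix, _ = parse_ecs_option(ecs)
    return f"{address}/{prefix}"


if __name__ == "__main__":
    opt = ecs_option("203.0.113.77/24")
    print(opt.hex(), parse_ecs_option(opt))
    print(effective_client("127.0.0.1", None), effective_client("127.0.0.1", opt))
```

Whether the server honours the option is its decision: CoreDNS, BIND, Unbound and most authoritative servers ignore ECS unless configured for it, in which case effective_client would return the source address regardless of what dig sent.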

CNAME is redirecting to my host page

I have a website hosted at the following path: mywebsite.com/test, with the following DNS:
mywebsite.com A 1.2.3.4 (host ip)
host.mywebsite.com A 1.2.3.4 (host ip)
On another domain I'm trying to make a subdomain CNAME redirect to this page using the following:
link.myotherdomain.com CNAME . mywebsite.com/test
However, when I access link.myotherdomain.com it shows host.mywebsite.com instead of mywebsite.com.
Am I doing something wrong?
Thanks
A CNAME record cannot include a path; it only maps a domain to a domain.
This setting will work:
link.myotherdomain.com. CNAME mywebsite.com.
If configured properly, all of mywebsite.com, host.mywebsite.com and link.myotherdomain.com resolve to 1.2.3.4, and then the following HTTP request is sent to IP address 1.2.3.4:
GET /test HTTP/1.1
Host: link.myotherdomain.com
......(omit)
Now, the most suspicious element is the virtual host setting of the web server.
This is a function of the web server that makes it behave as if it were a different server, according to the Host value in the request header.
To check the virtual host setup, the following is probably the simplest method:
curl -H 'Host: mywebsite.com' http://1.2.3.4/test            # this will be OK
curl -H 'Host: link.myotherdomain.com' http://1.2.3.4/test   # this will not be OK if virtual hosts are enabled
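A model of name-based virtual-host selection, the web-server behaviour this answer tells you to probe with curl. This is an added example, not part of the answer and not Apache or nginx code. When the Host header matches no ServerName/ServerAlias, Apache serves the first VirtualHost defined for that address:port and nginx the first server block (or the one marked default_server), so a request for link.myotherdomain.com lands on whichever site happens to be first. The two vhost lists are constructed: the first reflects the order the question's symptom implies, the second adds the alias that fixes it.

```python
"""Added example, not from the answer: a model of name-based virtual-host
selection, with the default-vhost fallback that explains the question's symptom."""

import fnmatch
import re
from typing import List, Optional, Tuple

VHost = Tuple[str, List[str]]  # (ServerName, [ServerAlias ...]) in definition order


def select_vhost(host_header: Optional[str], vhosts: List[VHost]) -> Tuple[str, bool]:
    """Return (ServerName chosen, matched_explicitly). Port suffix, trailing dot and
    case are ignored as servers do; aliases may use shell-style wildcards such as
    '*.example.com'. With no Host header (HTTP/1.0) or no match, the first vhost wins."""
    if host_header:
        host = re.sub(r":\d+$", "", host_header).rstrip(".").lower()
        for name, aliases in vhosts:
            if host == name.lower() or any(fnmatch.fnmatchcase(host, a.lower()) for a in aliases):
                return name, True
    return vhosts[0][0], False


# Constructed: the order the question's symptom implies (host.mywebsite.com defined first).
VHOSTS_AS_FOUND: List[VHost] = [
    ("host.mywebsite.com", []),
    ("mywebsite.com", ["www.mywebsite.com"]),
]

# Constructed fix: name the extra hostname explicitly so it stops falling through.
VHOSTS_FIXED: List[VHost] = [
    ("host.mywebsite.com", []),
    ("mywebsite.com", ["www.mywebsite.com", "link.myotherdomain.com"]),
]

if __name__ == "__main__":
    for hdr in ("mywebsite.com", "link.myotherdomain.com", None):
        print(hdr, select_vhost(hdr, VHOSTS_AS_FOUND), select_vhost(hdr, VHOSTS_FIXED))
```

The fallback is also why a practitioner usually defines the first (default) vhost as an explicit catch-all that refuses unknown Host values: otherwise any name anyone points at your address silently serves the content of whichever site is defined first.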

host doing unnecessary dns lookup for localhost

I have a CentOS system (embedded, with very few binaries) with the following /etc/hosts:
$cat /etc/hosts
127.0.0.1 localhost localhost
Also the host is assigned a DNS server which returns some invalid IP for the domain name lookup of localhost. But I cannot avoid a connection to this DNS due to some network restrictions.
My question is, when I already have a valid /etc/hosts file why is the system querying the DNS for localhost? And how can I stop that?
Any help would be greatly appreciated.
Check that you have files listed before dns for the hosts entry in /etc/nsswitch.conf.
[me@home]$ grep "^hosts" /etc/nsswitch.conf
hosts: files dns
If dns comes first, then your system will always query DNS to resolve hostnames before falling back to /etc/hosts.
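A small model of how glibc's NSS walks the hosts: line of /etc/nsswitch.conf, including the [STATUS=action] brackets, so the difference between "files dns" and "dns files" can be checked without a real resolver. This is an added example, not part of the answer and not glibc's code; the /etc/hosts content is the one from the question, and the DNS answers (documentation-range addresses, including a bogus one for localhost as the question describes) are constructed.

```python
"""Added example (not part of the answer): a model of glibc NSS host lookup order,
driven by a constructed /etc/hosts and a constructed DNS answer table."""

import re
from typing import Callable, Dict, List, Optional, Tuple

Status = str                                   # SUCCESS | NOTFOUND | UNAVAIL | TRYAGAIN
Backend = Callable[[str], Tuple[Status, Optional[str]]]
Service = Tuple[str, Dict[str, str]]           # (service, {STATUS or !STATUS: action})


def parse_hosts_file(text: str) -> Dict[str, str]:
    """/etc/hosts: 'address name [alias ...]' per line, '#' comments. The first line
    naming a host wins, so a duplicate such as 'localhost localhost' is harmless."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])
    return table


def parse_nsswitch_hosts(line: str) -> List[Service]:
    """'hosts: files [NOTFOUND=return] dns' -> [('files', {'NOTFOUND': 'return'}), ('dns', {})].
    A bracket applies to the service before it; '!STATUS' means every status except STATUS."""
    services: List[Service] = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", line.split(":", 1)[1]):
        if tok.startswith("["):
            for item in tok.strip("[]").split():
                status, action = item.split("=", 1)
                services[-1][1][status.upper()] = action.lower()
        else:
            services.append((tok.lower(), {}))
    return services


def action_for(status: Status, actions: Dict[str, str]) -> str:
    """glibc defaults: SUCCESS=return, everything else continue, unless overridden."""
    if status in actions:
        return actions[status]
    for key, act in actions.items():
        if key.startswith("!") and key[1:] != status:
            return act
    return "return" if status == "SUCCESS" else "continue"


def resolve(name: str, services: List[Service],
            backends: Dict[str, Backend]) -> Tuple[Optional[str], List[str]]:
    """Walk the services in order; returns (address or None, backends actually queried)."""
    queried: List[str] = []
    for svc, actions in services:
        backend = backends.get(svc)
        if backend is None:
            status, addr = "UNAVAIL", None          # NSS module not installed
        else:
            queried.append(svc)
            status, addr = backend(name.lower())
        if action_for(status, actions) == "return":
            return addr, queried
    return None, queried


def make_backends(hosts_text: str, dns_answers: Dict[str, str]) -> Dict[str, Backend]:
    """'files' reads the constructed /etc/hosts; 'dns' is a fake resolver answering from a dict."""
    hosts = parse_hosts_file(hosts_text)

    def files(name: str) -> Tuple[Status, Optional[str]]:
        return ("SUCCESS", hosts[name]) if name in hosts else ("NOTFOUND", None)

    def dns(name: str) -> Tuple[Status, Optional[str]]:
        return ("SUCCESS", dns_answers[name]) if name in dns_answers else ("NOTFOUND", None)

    return {"files": files, "dns": dns}


# Constructed inputs: the question's /etc/hosts and a DNS server that, like the one
# described, hands back a bogus (documentation-range) address for 'localhost'.
HOSTS_TEXT = "127.0.0.1 localhost localhost\n"
BACKENDS = make_backends(HOSTS_TEXT, {"localhost": "198.51.100.7", "www.example.com": "198.51.100.8"})

if __name__ == "__main__":
    for order in ("hosts: files dns", "hosts: dns files"):
        print(order, "->", resolve("localhost", parse_nsswitch_hosts(order), BACKENDS))
```

Only programs that resolve through the C library (getaddrinfo and friends) follow this order; a tool that speaks DNS directly, such as dig or nslookup, never consults /etc/hosts at all.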
