chrisss404 / powerdns

PowerDNS dnsdist, recursor, authoritative, and admin interface. Supports DNSCrypt, DoH, and DoT.
https://hub.docker.com/r/chrisss404/powerdns
MIT License

Domain not resolving? #10

Closed kgnfth closed 3 years ago

kgnfth commented 3 years ago

I was running pdns without Docker fine with only one server and one public IP, but using Docker my domain won't propagate.

This is my config:

version: '2.1'

services:

  admin:
    image: chrisss404/powerdns:latest-admin
    depends_on:
      - admin-db
      - authoritative
    environment:
      - ADMIN_PDNS_API_KEY=******
      - ADMIN_USER_PASSWORD=******
      - ADMIN_DB_PASS=******
      - ADMIN_DB_USER=pda
      - ADMIN_DB_NAME=pda
      - ADMIN_DB_HOST=admin-db
    networks:
      - admin-db
      - authoritative
    ports:
      - "80:3031"

  admin-db:
    image: postgres:12.1-alpine
    environment:
      - POSTGRES_DB=pda
      - POSTGRES_INITDB_ARGS=--data-checksums
      - POSTGRES_PASSWORD=******
      - POSTGRES_USER=pda
    networks:
      - admin-db

  authoritative:
    image: chrisss404/powerdns:latest-authoritative
    depends_on:
      - authoritative-db
    environment:
      - AUTHORITATIVE_API=yes
      - AUTHORITATIVE_API_KEY=******
      - AUTHORITATIVE_WEBSERVER=yes
      - AUTHORITATIVE_WEBSERVER_PASSWORD=******
      - AUTHORITATIVE_DB_PASS=******
      - AUTHORITATIVE_DB_USER=pdns
      - AUTHORITATIVE_DB_NAME=pdns
      - AUTHORITATIVE_DB_HOST=authoritative-db
    networks:
      authoritative:
        ipv4_address: 172.31.118.118
      authoritative-db:
    ports:
      - "8081:8081/tcp"

  authoritative-db:
    image: postgres:12.1-alpine
    environment:
      - POSTGRES_DB=pdns
      - POSTGRES_INITDB_ARGS=--data-checksums
      - POSTGRES_PASSWORD=******
      - POSTGRES_USER=pdns
    networks:
      - authoritative-db

  dnsdist:
    image: chrisss404/powerdns:latest-dnsdist
    environment:
      - DNSDIST_API_KEY=******
      - DNSDIST_PLAIN=yes
      - DNSDIST_QUIET=no
      - DNSDIST_WEBSERVER=yes
      - DNSDIST_WEBSERVER_PASSWORD=******
    networks:
      - recursor
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "8083:8083/tcp"

  recursor:
    image: chrisss404/powerdns:latest-recursor
    environment:
      - RECURSOR_API_KEY=******
      - RECURSOR_DNSSEC=validate
      - RECURSOR_FORWARD_ZONES=sys=172.31.118.118
      - RECURSOR_QUIET=no
      - RECURSOR_TRUST_ANCHORS=sys=54970 13 1 27efe1c1a790c3cbb43b947d6d6dfac62507097e
      - RECURSOR_WEBSERVER=yes
      - RECURSOR_WEBSERVER_PASSWORD=******
    sysctls:
      - net.ipv6.route.max_size=16384
    networks:
      recursor:
        ipv4_address: 172.31.117.117
      authoritative:
    ports:
      - "8082:8082/tcp"

networks:
  admin-db:
  authoritative:
    ipam:
      driver: default
      config:
        - subnet: "172.31.118.0/24"
  authoritative-db:
  recursor:
    ipam:
      driver: default
      config:
        - subnet: "172.31.117.0/24"

I keep seeing logs like this:

Nameserver zeus.domain.fun IPs: 135.531.135.33(915.82ms)
recursor_1 peertube.app.domain.fun: Resolved 'domain.fun' NS zeus.domain.fun to: 135.531.135.33
recursor_1 peertube.app.domain.fun: Trying IP 135.531.135.33:53, asking 'peertube.app.domain.fun|A'
recursor_1 peertube.app.domain.fun: query throttled 135.531.135.33, peertube.app.domain.fun; A
recursor_1 peertube.app.domain.fun: Failed to resolve via any of the 2 offered NS at level 'domain.fun'
recursor_1 peertube.app.domain.fun: failed (res=-1)
recursor_1 QM peertube.app.domain.fun.|A child=app.domain.fun: Step5 End resolve: Server Failure/0
recursor_1 [267/1] answer to question 'peertube.app.domain.fun|A': 0 answers, 1 additional, took 0 packets, 0 netw ms, 0 tot ms, 4 throttled, 0 timeouts, 0 tcp connections, rcode=2, dnssec=Indeterminate
recursor_1 question answered from packet cache tag=0 from 172.31.117.2:44257
recursor_1 question answered from packet cache tag=0 from 172.31.117.2:58791
recursor_1 question answered from packet cache tag=0 from 172.31.117.2:52712
recursor_1 question answered from packet cache tag=0 from 172.31.117.2:38241
recursor_1 question answered from packet cache tag=0 from 172.31.117.2:45096
recursor_1 question answered from packet cache tag=0 from 172.31.117.2:60271

How do I fix this? Sorry if this is a dumb question.

kgnfth commented 3 years ago

FIXED!

Just out of curiosity I changed RECURSOR_FORWARD_ZONES=sys=172.31.118.118 to RECURSOR_FORWARD_ZONES==172.31.118.118, without =sys=. It did not work. Then I changed RECURSOR_FORWARD_ZONES==172.31.118.118 to RECURSOR_FORWARD_ZONES_RECURSE==172.31.118.118

and it started propagating.

chrisss404 commented 3 years ago

Hi kgnfth,

Can you elaborate on what you are trying to achieve?

If you only want to manage your own top-level domain (fun?), you can get rid of the services dnsdist and recursor and map the authoritative DNS port directly to the host. You can do that by moving the port definition (for port 53) from dnsdist to the authoritative service.

If you want to use the pdns recursor to resolve all kinds of DNS queries and also want to be able to resolve your own top-level domain (fun?), you should forward queries for your top-level domain to your authoritative server. You can do that by setting the RECURSOR_FORWARD_ZONES environment variable like this: fun=172.31.118.118. Also make sure to provide a valid trust anchor in RECURSOR_TRUST_ANCHORS in case you are using DNSSEC.

HTH & BR Christian
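Added example, not code from the chrisss404/powerdns image or from PowerDNS itself: a small Python model of how a recursor's forward-zones entries (zone=ip[:port], comma-separated) are matched by longest domain suffix. It shows why sys=172.31.118.118 leaves peertube.app.domain.fun to the public root servers (the throttled lookups in the log above) while fun=172.31.118.118 or domain.fun=172.31.118.118 sends it to the authoritative container. Rejecting an empty zone name (the ==172.31.118.118 form) is this script's own conservative check, not documented PowerDNS behaviour.

```python
"""Model of recursor forward-zones matching (added illustration, not PowerDNS code)."""
import ipaddress
from typing import Dict, Optional


def parse_forward_zones(spec: str) -> Dict[str, str]:
    """Parse 'zone=ip[:port],zone2=ip' into {normalised zone: target}.

    Zone names are lower-cased and stripped of a trailing dot; "." alone
    means the root (forward everything).  IPv4 targets only, which is all
    the thread's setup uses.
    """
    zones: Dict[str, str] = {}
    for raw in spec.split(","):
        entry = raw.strip()
        if not entry:
            continue
        zone, sep, target = entry.partition("=")
        zone, target = zone.strip(), target.strip()
        if not sep or not zone or not target:
            # Assumption of this script: an entry with no zone name (e.g. the
            # '==172.31.118.118' typo from the thread) is a config error.
            raise ValueError(f"malformed forward-zones entry: {entry!r}")
        key = "." if zone == "." else zone.rstrip(".").lower()
        ipaddress.IPv4Address(target.split(":")[0])  # ValueError on a bad target
        zones[key] = target
    return zones


def forward_target(zones: Dict[str, str], qname: str) -> Optional[str]:
    """Return the target for the longest zone suffix covering qname.

    None means no entry matches, so the recursor would walk the public
    DNS tree from the root servers instead of asking the local authoritative.
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in zones:
            return zones[".".join(labels[i:])]
    return zones.get(".")


if __name__ == "__main__":
    query = "peertube.app.domain.fun"  # name from the log excerpt in the issue
    for spec in ("sys=172.31.118.118", "fun=172.31.118.118", "domain.fun=172.31.118.118"):
        where = forward_target(parse_forward_zones(spec), query)
        print(f"{spec:30} -> {where or 'public root servers'}")
```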

kgnfth commented 3 years ago

@chrisss404 Hi, thanks for commenting. Exactly, all I needed was the authoritative only.

This setup works fine:

version: '2.1'

services:

  gateway:
    image: jwilder/nginx-proxy:alpine
    volumes:
      - "/var/run/docker.sock:/tmp/docker.sock:ro"
      - "/etc/nginx/vhost.d"
      - "/usr/share/nginx/html"
      - "/etc/nginx/certs"
    ports:
      - "80:80"
      - "443:443"
    networks:
      - authoritative

  letsencrypt:
    image: jrcs/letsencrypt-nginx-proxy-companion:latest
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    volumes_from:
      - gateway
    networks:
      - authoritative

  admin:
    restart: always
    image: chrisss404/powerdns:latest-admin
    depends_on:
      - admin-db
      - authoritative
    environment:
      - VIRTUAL_HOST=pdnsadmin.redacted.fun
      - VIRTUAL_PORT=3031
      - LETSENCRYPT_EMAIL=admin@redacted.fun
      - LETSENCRYPT_HOST=pdnsadmin.redacted.fun
      - ADMIN_PDNS_API_KEY=****
      - ADMIN_USER_PASSWORD=****
      - ADMIN_DB_PASS=****
      - ADMIN_DB_USER=pda
      - ADMIN_DB_NAME=pda
      - ADMIN_DB_HOST=admin-db
    volumes_from:
      - gateway:ro
    networks:
      - admin-db
      - authoritative
    expose:
      - "3031"

  admin-db:
    restart: always
    image: postgres:12.1-alpine
    environment:
      - POSTGRES_DB=pda
      - POSTGRES_PASSWORD=****
      - POSTGRES_USER=pda
    volumes:
      - admin-db:/var/lib/postgresql/data
    networks:
      - admin-db

  authoritative:
    restart: always
    image: chrisss404/powerdns:latest-authoritative
    depends_on:
      - authoritative-db
    environment:
      - VIRTUAL_HOST=pdnsauthoritative.redacted.fun
      - VIRTUAL_PORT=8081
      - LETSENCRYPT_EMAIL=admin@redacted.fun
      - LETSENCRYPT_HOST=pdnsauthoritative.redacted.fun
      - AUTHORITATIVE_API=yes
      - AUTHORITATIVE_API_KEY=****
      - AUTHORITATIVE_WEBSERVER=yes
      - AUTHORITATIVE_WEBSERVER_PASSWORD=****
      - AUTHORITATIVE_DB_PASS=****
      - AUTHORITATIVE_DB_USER=pdns
      - AUTHORITATIVE_DB_NAME=pdns
      - AUTHORITATIVE_DB_HOST=authoritative-db
    volumes_from:
      - gateway:ro
    networks:
      authoritative:
        ipv4_address: 172.31.118.118
      authoritative-db:
    expose:
      - "8081"
    ports:
      - "53:53/tcp"
      - "53:53/udp"

  authoritative-db:
    restart: always
    image: postgres:12.1-alpine
    environment:
      - POSTGRES_DB=pdns
      - POSTGRES_PASSWORD=****
      - POSTGRES_USER=pdns
    volumes:
      - authoritative-db:/var/lib/postgresql/data
    networks:
      - authoritative-db

volumes:
  admin-db:
  authoritative-db:

networks:
  admin-db:
  authoritative:
    ipam:
      driver: default
      config:
        - subnet: "172.31.118.0/24"
  authoritative-db:

Thanks for pointing me in the correct direction.

Appendme commented 12 months ago

I used the configuration described in private-authoritative-server and got the same behavior. I noticed the following: if you go to the recursor web UI, then in the Servfail domain table you can see the address a.root-servers.net/A.

chrisss404 commented 12 months ago

Please don't comment to issues that are older than 2 years.

Would you mind creating a new issue describing your setup and what you're trying to achieve?

BR Christian