Closed: HerrSammyDE closed this issue 7 months ago
Hello @HerrSammyDE. Is discord.com your hosted zone? Because if not, the authoritative PowerDNS server won't resolve public zones. The PDNS_resolver option is only for internal purposes - https://doc.powerdns.com/authoritative/settings.html#resolver
You will probably also need the recursor.
Hi @pschiffe, thanks for your quick reply!
I have added discord.com via PowerDNS Admin. Of course I don't own this domain; it was just for testing purposes. I thought that might work. However, the error also occurs with my own domains.
Is it possible to run the recursor on the same server as the master, or would you rather recommend a separate server for it?
I will then remove PDNS_resolver. Do you think my configuration is otherwise correct, or do you have any suggestions for improvement?
If you added the zone via PowerDNS Admin, it should work. Did you also configure the NS records for the zone?
Temporarily set PDNS_loglevel=7, PDNS_log_dns_details=yes and PDNS_log_dns_queries=yes, and check the logs after you try the query. The error should be visible there.
Did you also configure the NS records for the zone?
I have set an NS record on my master and slave (ns1.domain.tld, ns2.domain.tld).
Here are my logs.
The domain also has the nameservers stored. I really don't know what to do. Could you maybe create the configs for me?
My configs are somehow correct, but somehow not 😅
Master log:
Jan 20 02:03:45 gmysql Connection successful. Connected to database 'powerdnsmaster' on '100.0.0.6'.
Jan 20 02:03:45 [webserver] 4db2512e-049b-42f6-86e6-9844d24e56ab Result for "/api/v1/servers/localhost/zones": 200, body length: 561
Jan 20 02:03:45 [webserver] 4db2512e-049b-42f6-86e6-9844d24e56ab 100.0.0.6:44758 "GET /api/v1/servers/localhost/zones HTTP/1.1" 200 893
Jan 20 02:03:46 1 domain for which we are primary or consumer need notifications
Jan 20 02:03:46 Queued also-notification of domain 'domain.tld' to 100.0.0.2:53
Jan 20 02:03:47 Received unsuccessful notification report for 'domain.tld' from 100.0.0.2:53, error: Query Refused
Jan 20 02:03:47 Removed from notification list: 'domain.tld' to 100.0.0.2:53 Query Refused
Slave log:
Jan 20 02:03:46 Remote 100.0.0.1 wants 'domain.tld|SOA', do = 0, bufsize = 512: packetcache MISS
Jan 20 02:03:46 Received NOTIFY for domain.tld from 100.0.0.1
Jan 20 02:03:46 Received NOTIFY for domain.tld from 100.0.0.1 for which we are not authoritative (Refused)
Recursor log:
root@ns-recursor:/opt/pdns-recursor# docker logs pdns-recursor
Jan 20 02:03:25 PowerDNS Recursor 4.9.2 (C) 2001-2022 PowerDNS.COM BV
Jan 20 02:03:25 Using 64-bits mode. Built using gcc 13.2.1 20231011 (Red Hat 13.2.1-4).
Jan 20 02:03:25 PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
Jan 20 02:03:25 msg="If using IPv6, please raise sysctl net.ipv6.route.max_size to a size >= 16384" subsystem="config" level="0" prio="Error" tid="0" ts="1705716205.873" current="4096"
Jan 20 02:03:25 msg="Enabling IPv4 transport for outgoing queries" subsystem="config" level="0" prio="Notice" tid="0" ts="1705716205.873"
Jan 20 02:03:25 msg="NOT using IPv6 for outgoing queries - add an IPv6 address (like '::') to query-local-address to enable" subsystem="config" level="0" prio="Warning" tid="0" ts="1705716205.873"
Jan 20 02:03:25 msg="Setting access control" subsystem="config" level="0" prio="Info" tid="0" ts="1705716205.875" acl="allow-from" addresses="100.0.0.1 100.0.0.2"
Jan 20 02:03:25 msg="Setting access control" subsystem="config" level="0" prio="Info" tid="0" ts="1705716205.875" acl="allow-notify-from" addresses="100.0.0.1 100.0.0.2"
Jan 20 02:03:25 msg="Will not send queries to" subsystem="config" level="0" prio="Notice" tid="0" ts="1705716205.879" addresses="127.0.0.0/8 10.0.0.0/8 100.64.0.0/10 169.254.0.0/16 192.168.0.0/16 172.16.0.0/12 ::1/128 fc00::/7 fe80::/10 0.0.0.0/8 192.0.0.0/24 192.0.2.0/24 198.51.100.0/24 203.0.113.0/24 240.0.0.0/4 ::/96 ::ffff:0:0/96 100::/64 2001:db8::/32 0.0.0.0 ::"
Jan 20 02:03:25 msg="Inserting rfc 1918 private space zones" subsystem="config" level="0" prio="Notice" tid="0" ts="1705716205.879"
Jan 20 02:03:25 msg="Listening for queries" subsystem="config" level="0" prio="Info" tid="0" ts="1705716205.879" address="0.0.0.0" proto="UDP"
Jan 20 02:03:25 msg="Enabled TCP data-ready filter for (slight) DoS protection" subsystem="config" level="0" prio="Info" tid="0" ts="1705716205.879"
Jan 20 02:03:25 msg="Listening for queries" subsystem="config" level="0" prio="Info" tid="0" ts="1705716205.879" address="0.0.0.0" protocol="TCP"
Jan 20 02:03:25 msg="Listening for queries" subsystem="config" level="0" prio="Info" tid="0" ts="1705716205.880" address="0.0.0.0" proto="UDP"
Jan 20 02:03:25 msg="Enabled TCP data-ready filter for (slight) DoS protection" subsystem="config" level="0" prio="Info" tid="0" ts="1705716205.880"
Jan 20 02:03:25 msg="Listening for queries" subsystem="config" level="0" prio="Info" tid="0" ts="1705716205.880" address="0.0.0.0" protocol="TCP"
Jan 20 02:03:25 msg="Set effective group id" subsystem="runtime" level="0" prio="Info" tid="0" ts="1705716205.880" gid="998"
Jan 20 02:03:25 msg="Set effective user" subsystem="runtime" level="0" tid="0" ts="1705716205.881" uid="998"
Jan 20 02:03:25 msg="Launching worker threads" subsystem="config" level="0" prio="Notice" tid="0" ts="1705716205.882" count="2"
Jan 20 02:03:25 msg="Enabling web server" subsystem="runtime" level="0" prio="Info" tid="0" ts="1705716205.883"
Jan 20 02:03:25 msg="Listening for HTTP requests" subsystem="webserver" level="0" prio="Info" tid="0" ts="1705716205.883" address="0.0.0.0:8082"
Jan 20 02:03:25 msg="Enabled multiplexer" subsystem="runtime" level="0" prio="Info" tid="0" ts="1705716205.883" name="epoll"
Jan 20 02:03:30 msg="Polled security status of version, no known issues reported" subsystem="housekeeping" level="0" prio="Notice" tid="0" ts="1705716210.696" query="recursor-4.9.2.security-status.secpoll.powerdns.com" securitymessage="OK" status="1" version="4.9.2"
This error is about replication: Received unsuccessful notification report for 'domain.tld' from 100.0.0.2:53, error: Query Refused
Are the domains ns1.domain.tld and ns2.domain.tld resolving to 100.0.0.1 and 100.0.0.2?
But the problem will most likely be in the IP NAT inside the container. If I assume correctly, 100.0.0.1 and 100.0.0.2 are the IPs of the hosts where Docker is running, but the containers themselves will have different IPs (something like 172....). I think this is the reason why it says Received NOTIFY for domain.tld from 100.0.0.1 for which we are not authoritative (Refused)
A quick and easy fix would be to drop the network namespace with network_mode: "host" in the docker compose for both containers. Then you can also drop the ports: section, as the ports will bind directly on the host. In this mode, you cannot have the authoritative server and the resolver on the same host, as both use the same ports (53 tcp and udp).
Hi there, I just found the solution to the Docker NAT and rewriting problem.
After the following environment change on the slave DNS, it worked instantly <3 I have moved my configuration around so much that I need to find out what the minimal viable configuration is.
The primary server runs on a Docker VM behind a VPN. The slave is running on my Synology NAS at home.
- PDNS_trusted-notification-proxy=0.0.0.0/0
Primary environment in docker-compose:
environment:
# Database settings
- PDNS_gpgsql_password=my-secret-pw
# PDNS API
- PDNS_primary=yes
- PDNS_api=yes
- PDNS_api_key=secret
# Server settings
- PDNS_local_address=0.0.0.0:5300
# Webserver
- PDNS_webserver=yes
- PDNS_default_ttl=60
- PDNS_webserver_address=0.0.0.0
- PDNS_webserver_allow_from=172.8.0.0/16
- PDNS_version_string=anonymous
# Zone transfer checks
- PDNS_disable_axfr=no
- PDNS_disable_axfr_rectify=yes
- PDNS_allow_axfr_ips=0.0.0.0/0
- PDNS_allow_notify_from=0.0.0.0/0
#- OFF_PDNS_allow_axfr_ips=<IP OF DOCKER HOST>
#- PDNS_only-notify=10.0.0.178
- PDNS_also_notify=<IP OF DOCKER HOST>:5300
# Primary / Secondary setting
- PDNS_primary=yes
- PDNS_secondary=no
- PDNS_autosecondary=no
Secondary environment in docker-compose:
environment:
# Database settings
- PDNS_gpgsql_host=db
- PDNS_gpgsql_dbname=powerdnsslave
- PDNS_gpgsql_password=my-secret-pw
# PDNS API
- PDNS_api=yes
- PDNS_api_key=secret
- PDNS_version_string=anonymous
# Server settings
- PDNS_local_address=0.0.0.0:5300
# Webserver
- PDNS_webserver=yes
- PDNS_default_ttl=60
- PDNS_webserver_address=0.0.0.0
- PDNS_webserver_allow_from=172.8.0.0/16
# Zone transfer checks
- PDNS_disable_axfr=no
- PDNS_disable_axfr_rectify=yes
- PDNS_allow_axfr_ips=0.0.0.0/0
- PDNS_allow_notify_from=0.0.0.0/0
- PDNS_trusted-notification-proxy=0.0.0.0/0
# Primary / Secondary setting
- SUPERMASTER_IPS=172.8.0.1
- PDNS_secondary=yes
- PDNS_autosecondary=yes
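Both pschiffe's explanation earlier in the thread (a NOTIFY arriving from an address the secondary does not associate with its primary is refused) and the compose files posted above come down to one question: which source addresses does the secondary trust for NOTIFY and AXFR? The following is an added example, not code from the pschiffe/docker-pdns project or from anyone in this thread. It assumes a simplified decision model (source must be inside allow-notify-from; a zone the secondary does not know yet is accepted only when autosecondary is on and the source is a listed primary, the SUPERMASTER_IPS value above), and the settings dictionaries SECONDARY_BEFORE and SECONDARY_AFTER are constructed to mirror the two states discussed here:

```python
# Added example for this thread (not code from the pschiffe/docker-pdns project
# or from any participant): an offline checker that reads a secondary's
# NOTIFY log lines and explains, against a given set of settings, why the
# source address would be accepted or refused. The decision model is an
# assumption made for illustration: the source must sit inside
# allow-notify-from, and a zone the secondary does not know yet is only
# accepted when autosecondary is on and the source is a listed primary
# (SUPERMASTER_IPS in the compose files). PowerDNS's real code path has more
# cases; this reproduces only the ones the thread turns on.
import ipaddress
import re

NOTIFY_RE = re.compile(r"Received NOTIFY for (?P<zone>\S+) from (?P<src>\S+)")


def parse_acl(value: str) -> list:
    """Split a PowerDNS-style address list ('100.0.0.1 100.0.0.2', '0.0.0.0/0',
    comma or space separated) into ip_network objects."""
    return [
        ipaddress.ip_network(tok, strict=False)
        for tok in re.split(r"[,\s]+", value.strip())
        if tok
    ]


def strip_port(source: str) -> str:
    """'100.0.0.2:53' -> '100.0.0.2'; plain IPv4/IPv6 addresses pass through."""
    host, sep, port = source.rpartition(":")
    if sep and port.isdigit() and host.count(".") == 3:
        return host
    return source


def ip_in_acl(source: str, acl: list) -> bool:
    addr = ipaddress.ip_address(strip_port(source))
    return any(addr in net for net in acl)


def evaluate_notify(config: dict, zone: str, source: str, known_zones=()) -> dict:
    """Decide what the modelled secondary does with one NOTIFY."""
    src = strip_port(source)
    result = {"zone": zone, "source": src}
    if not ip_in_acl(src, parse_acl(config.get("allow-notify-from", ""))):
        result["verdict"] = "refused: source not in allow-notify-from"
    elif zone in set(known_zones):
        result["verdict"] = "accepted: zone is already configured as secondary"
    elif config.get("autosecondary") == "yes" and ip_in_acl(
        src, parse_acl(config.get("supermaster-ips", ""))
    ):
        result["verdict"] = "accepted: zone auto-provisioned from a listed primary"
    else:
        result["verdict"] = "refused: zone unknown and source is not a listed primary"
    return result


def analyse_log(config: dict, log_text: str, known_zones=()) -> list:
    """Evaluate every distinct (zone, source) NOTIFY seen in the log text."""
    seen = {}
    for m in NOTIFY_RE.finditer(log_text):
        seen.setdefault((m["zone"], m["src"]), None)
    return [evaluate_notify(config, z, s, known_zones) for z, s in seen]


def axfr_open_to_everyone(config: dict) -> bool:
    """True when allow-axfr-ips contains a catch-all network such as 0.0.0.0/0,
    i.e. any address on the internet may pull the whole zone."""
    return any(net.prefixlen == 0 for net in parse_acl(config.get("allow-axfr-ips", "")))


# Constructed sample input: the secondary's log lines quoted in the thread.
SAMPLE_LOG = """\
Jan 20 02:03:46 Received NOTIFY for domain.tld from 100.0.0.1
Jan 20 02:03:46 Received NOTIFY for domain.tld from 100.0.0.1 for which we are not authoritative (Refused)
"""

# Constructed settings: the secondary before it has any secondary zone or listed primary.
SECONDARY_BEFORE = {"allow-notify-from": "100.0.0.1 100.0.0.2", "autosecondary": "no", "supermaster-ips": ""}
# Constructed settings mirroring the compose file posted above (catch-all ACLs, one supermaster).
SECONDARY_AFTER = {"allow-notify-from": "0.0.0.0/0", "allow-axfr-ips": "0.0.0.0/0",
                   "autosecondary": "yes", "supermaster-ips": "172.8.0.1"}

if __name__ == "__main__":
    for r in analyse_log(SECONDARY_BEFORE, SAMPLE_LOG):
        print("before:", r)
    # A NOTIFY arriving from the docker-bridge address the posted config lists as primary.
    print("after, from 172.8.0.1:", evaluate_notify(SECONDARY_AFTER, "domain.tld", "172.8.0.1"))
    print("after, from 100.0.0.1:", evaluate_notify(SECONDARY_AFTER, "domain.tld", "100.0.0.1"))
    print("AXFR open to everyone:", axfr_open_to_everyone(SECONDARY_AFTER))
```

Run with python3: it prints a verdict for each NOTIFY in the quoted log, shows that with the posted settings only a NOTIFY from the listed 172.8.0.1 primary provisions the zone, and axfr_open_to_everyone flags the 0.0.0.0/0 in allow-axfr-ips, which is the value to narrow to the real peer address once replication is confirmed working.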
I think a useful method would be to provide a complete example that can be used directly.
Unfortunately I gave up and didn't try any further. I will do it again though!
I tried to set up PowerDNS today, but I get
Received unsuccessful notification report for 'discord.com' from 100.0.0.2:53, error: Query Refused
at the master and unfortunately I don't know what to do. I have censored my server data, which is why the master has 100.0.0.1 and my slave 100.0.0.2 as IP addresses. Here are my docker-compose configs:
Master - docker-compose:
Slave - docker-compose:
I hope you can help me. Thanks!