pschiffe / docker-pdns

Docker images for PowerDNS
MIT License

Configuration problem #124

Closed HerrSammyDE closed 7 months ago

HerrSammyDE commented 8 months ago

I tried to set up PowerDNS today, but I get Received unsuccessful notification report for 'discord.com' from 100.0.0.2:53, error: Query Refused at the master and unfortunately I don't know what to do.

I have censored my server data, which is why the master has 100.0.0.1 and my slave 100.0.0.2 as IP addresses.

Here are my Docker-Compose Configs:

Master - docker-compose:

version: '3'

services:
  pdns-master:
    image: pschiffe/pdns-mysql
    container_name: pdns-master
    hostname: ns1.domain.tld
    ports:
      - "100.0.0.1:53:53"
      - "100.0.0.1:53:53/udp"
      - "100.0.0.1:8081:8081"
      # the webserver/API is HTTP over TCP only; this UDP mapping is never used
      - "100.0.0.1:8081:8081/udp"
    environment:
      - PDNS_master=yes
      - PDNS_api=yes
      - PDNS_api_key=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      - PDNS_webserver=yes
      - PDNS_webserver_address=0.0.0.0
      # API/webserver ACL: 0.0.0.0/0 admits every address that can reach 100.0.0.1:8081
      - PDNS_webserver_allow_from=0.0.0.0/0
      - PDNS_webserver_password=XXXXXXXXX
      - PDNS_version_string=4.8.3
      - PDNS_default_ttl=1500
      # zone transfers and NOTIFYs only towards the secondary
      - PDNS_allow_axfr_ips=100.0.0.2
      - PDNS_also_notify=100.0.0.2
      - PDNS_gmysql_host=XXXXXXXXX
      - PDNS_gmysql_port=3306
      - PDNS_gmysql_user=XXXXXXXXX
      - PDNS_gmysql_password=XXXXXXXXX
      - PDNS_gmysql_dbname=powerdnsmaster
      - PDNS_default_soa_content=ns1.domain.tld hostmaster.@ 0 10800 3600 604800 3600
      - PDNS_resolver=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4,9.9.9.9,149.112.112.112,2001:4860:4860::8888,2001:4860:4860::8844

Slave - docker-compose:


version: '3'

services:
  pdns-slave:
    image: pschiffe/pdns-mysql
    container_name: pdns-slave
    hostname: ns2.domain.tld
    ports:
      - "100.0.0.2:53:53"
      - "100.0.0.2:53:53/udp"
      - "100.0.0.2:8081:8081"
      # the webserver/API is HTTP over TCP only; this UDP mapping is never used
      - "100.0.0.2:8081:8081/udp"
    environment:
      - PDNS_slave=yes
      - PDNS_webserver=yes
      - PDNS_webserver_address=0.0.0.0
      # API/webserver ACL: 0.0.0.0/0 admits every address that can reach 100.0.0.2:8081
      - PDNS_webserver_allow_from=0.0.0.0/0
      - PDNS_webserver_password=XXXXXXXXX
      - PDNS_version_string=4.8.3
      - PDNS_disable_axfr=no
      # only the master may send NOTIFYs and pull zones
      - PDNS_allow_notify_from=100.0.0.1
      - PDNS_allow_axfr_ips=100.0.0.1
      # written into the supermasters table by the image's entrypoint
      - SUPERMASTER_IPS=100.0.0.1
      - PDNS_gmysql_host=XXXXXXXXX
      - PDNS_gmysql_port=3306
      - PDNS_gmysql_user=XXXXXXXXX
      - PDNS_gmysql_password=XXXXXXXXX
      - PDNS_gmysql_dbname=powerdnsslave1

I hope you can help me. Thanks!

pschiffe commented 8 months ago

Hello @HerrSammyDE. Is discord.com your hosted zone? Because if not, the authoritative powerdns server won't resolve public zones. The PDNS_resolver option is only for internal purposes - https://doc.powerdns.com/authoritative/settings.html#resolver

You will probably also need the recursor.

HerrSammyDE commented 8 months ago

Hi @pschiffe, thanks for your quick reply!

I have added discord.com via PowerDNS Admin. Of course I don't own this domain; it was just for testing purposes. I thought that might work. However, the error also occurs with my own domains.

Is it possible to run the recursor on the same server as the master, or would you rather recommend a separate server for it?

I will then remove PDNS_resolver. Do you think my configuration is otherwise correct, or do you have any suggestions for improvement?

pschiffe commented 8 months ago

If you added the zone via the pdns admin, it should work. Did you configure also the NS records for the zone? Temporarily set PDNS_loglevel=7, PDNS_log_dns_details=yes and PDNS_log_dns_queries=yes, and check logs after you try the query. The error should be visible there.

HerrSammyDE commented 8 months ago

> Did you configure also the NS records for the zone?

I have set an NS record on my master and slave (ns1.domain.tld, ns2.domain.tld)

HerrSammyDE commented 8 months ago

Here are my logs.

The domain also has the nameservers stored. I really don't know what to do. Could you maybe create the configs for me?

My configs are somehow correct, but somehow not 😅

Master log:

Jan 20 02:03:45 gmysql Connection successful. Connected to database 'powerdnsmaster' on '100.0.0.6'.
Jan 20 02:03:45 [webserver] 4db2512e-049b-42f6-86e6-9844d24e56ab Result for "/api/v1/servers/localhost/zones": 200, body length: 561
Jan 20 02:03:45 [webserver] 4db2512e-049b-42f6-86e6-9844d24e56ab 100.0.0.6:44758 "GET /api/v1/servers/localhost/zones HTTP/1.1" 200 893
Jan 20 02:03:46 1 domain for which we are primary or consumer need notifications
Jan 20 02:03:46 Queued also-notification of domain 'domain.tld' to 100.0.0.2:53
Jan 20 02:03:47 Received unsuccessful notification report for 'domain.tld' from 100.0.0.2:53, error: Query Refused
Jan 20 02:03:47 Removed from notification list: 'domain.tld' to 100.0.0.2:53 Query Refused

Slave log:

Jan 20 02:03:46 Remote 100.0.0.1 wants 'domain.tld|SOA', do = 0, bufsize = 512: packetcache MISS
Jan 20 02:03:46 Received NOTIFY for domain.tld from 100.0.0.1
Jan 20 02:03:46 Received NOTIFY for domain.tld from 100.0.0.1 for which we are not authoritative (Refused)

Recursor log:

root@ns-recursor:/opt/pdns-recursor# docker logs pdns-recursor
Jan 20 02:03:25 PowerDNS Recursor 4.9.2 (C) 2001-2022 PowerDNS.COM BV
Jan 20 02:03:25 Using 64-bits mode. Built using gcc 13.2.1 20231011 (Red Hat 13.2.1-4).
Jan 20 02:03:25 PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
Jan 20 02:03:25 msg="If using IPv6, please raise sysctl net.ipv6.route.max_size to a size >= 16384" subsystem="config" level="0" prio="Error" tid="0" ts="1705716205.873" current="4096"
Jan 20 02:03:25 msg="Enabling IPv4 transport for outgoing queries" subsystem="config" level="0" prio="Notice" tid="0" ts="1705716205.873"
Jan 20 02:03:25 msg="NOT using IPv6 for outgoing queries - add an IPv6 address (like '::') to query-local-address to enable" subsystem="config" level="0" prio="Warning" tid="0" ts="1705716205.873"
Jan 20 02:03:25 msg="Setting access control" subsystem="config" level="0" prio="Info" tid="0" ts="1705716205.875" acl="allow-from" addresses="100.0.0.1 100.0.0.2"
Jan 20 02:03:25 msg="Setting access control" subsystem="config" level="0" prio="Info" tid="0" ts="1705716205.875" acl="allow-notify-from" addresses="100.0.0.1 100.0.0.2"
Jan 20 02:03:25 msg="Will not send queries to" subsystem="config" level="0" prio="Notice" tid="0" ts="1705716205.879" addresses="127.0.0.0/8 10.0.0.0/8 100.64.0.0/10 169.254.0.0/16 192.168.0.0/16 172.16.0.0/12 ::1/128 fc00::/7 fe80::/10 0.0.0.0/8 192.0.0.0/24 192.0.2.0/24 198.51.100.0/24 203.0.113.0/24 240.0.0.0/4 ::/96 ::ffff:0:0/96 100::/64 2001:db8::/32 0.0.0.0 ::"
Jan 20 02:03:25 msg="Inserting rfc 1918 private space zones" subsystem="config" level="0" prio="Notice" tid="0" ts="1705716205.879"
Jan 20 02:03:25 msg="Listening for queries" subsystem="config" level="0" prio="Info" tid="0" ts="1705716205.879" address="0.0.0.0" proto="UDP"
Jan 20 02:03:25 msg="Enabled TCP data-ready filter for (slight) DoS protection" subsystem="config" level="0" prio="Info" tid="0" ts="1705716205.879"
Jan 20 02:03:25 msg="Listening for queries" subsystem="config" level="0" prio="Info" tid="0" ts="1705716205.879" address="0.0.0.0" protocol="TCP"
Jan 20 02:03:25 msg="Listening for queries" subsystem="config" level="0" prio="Info" tid="0" ts="1705716205.880" address="0.0.0.0" proto="UDP"
Jan 20 02:03:25 msg="Enabled TCP data-ready filter for (slight) DoS protection" subsystem="config" level="0" prio="Info" tid="0" ts="1705716205.880"
Jan 20 02:03:25 msg="Listening for queries" subsystem="config" level="0" prio="Info" tid="0" ts="1705716205.880" address="0.0.0.0" protocol="TCP"
Jan 20 02:03:25 msg="Set effective group id" subsystem="runtime" level="0" prio="Info" tid="0" ts="1705716205.880" gid="998"
Jan 20 02:03:25 msg="Set effective user" subsystem="runtime" level="0" tid="0" ts="1705716205.881" uid="998"
Jan 20 02:03:25 msg="Launching worker threads" subsystem="config" level="0" prio="Notice" tid="0" ts="1705716205.882" count="2"
Jan 20 02:03:25 msg="Enabling web server" subsystem="runtime" level="0" prio="Info" tid="0" ts="1705716205.883"
Jan 20 02:03:25 msg="Listening for HTTP requests" subsystem="webserver" level="0" prio="Info" tid="0" ts="1705716205.883" address="0.0.0.0:8082"
Jan 20 02:03:25 msg="Enabled multiplexer" subsystem="runtime" level="0" prio="Info" tid="0" ts="1705716205.883" name="epoll"
Jan 20 02:03:30 msg="Polled security status of version, no known issues reported" subsystem="housekeeping" level="0" prio="Notice" tid="0" ts="1705716210.696" query="recursor-4.9.2.security-status.secpoll.powerdns.com" securitymessage="OK" status="1" version="4.9.2"
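
A small triage helper, added here as an example (not code from pschiffe/docker-pdns or PowerDNS): it takes the master and slave lines posted above, pairs the master's failed notification with the slave's refusal for the same zone, and maps the refusal wording to the setting to look at. The sample logs are copied from this comment; the other refusal patterns and the setting each one points to are the editor's reading of pdns_server's NOTIFY handling and should be treated as assumptions, not as PowerDNS documentation.

```python
"""Correlate a PowerDNS primary's failed NOTIFYs with the secondary's refusals.
Added example for this thread, not code from pschiffe/docker-pdns or PowerDNS.
Sample log lines are the ones posted in the issue; the refusal-to-setting
mapping is an assumption based on the messages pdns_server logs."""
import re

PRIMARY_LOG = """\
Jan 20 02:03:46 Queued also-notification of domain 'domain.tld' to 100.0.0.2:53
Jan 20 02:03:47 Received unsuccessful notification report for 'domain.tld' from 100.0.0.2:53, error: Query Refused
Jan 20 02:03:47 Removed from notification list: 'domain.tld' to 100.0.0.2:53 Query Refused
"""

SECONDARY_LOG = """\
Jan 20 02:03:46 Remote 100.0.0.1 wants 'domain.tld|SOA', do = 0, bufsize = 512: packetcache MISS
Jan 20 02:03:46 Received NOTIFY for domain.tld from 100.0.0.1
Jan 20 02:03:46 Received NOTIFY for domain.tld from 100.0.0.1 for which we are not authoritative (Refused)
"""

# (regex on the tail of the secondary's "Received NOTIFY ..." line, what to check)
REFUSAL_REASONS = [
    (r"not authoritative",
     "zone is not in the secondary's backend: create it as type SECONDARY with the "
     "primary's address, or enable autosecondary with the primary in SUPERMASTER_IPS"),
    (r"not permitted by allow-notify-from",
     "source address (after any NAT) is outside allow-notify-from"),
    (r"support is disabled",
     "PDNS_secondary=yes (PDNS_slave=yes) is not set on the receiving server"),
    (r"not a (primary|master)",
     "source address is not the primary recorded for the zone; fix the primary "
     "address or list the forwarding host in trusted-notification-proxy"),
    (r"we are (primary|master)",
     "zone is configured as type PRIMARY on the receiving server"),
]

NOTIFY_FAIL = re.compile(
    r"Received unsuccessful notification report for '(?P<zone>[^']+)' "
    r"from (?P<target>\S+), error: (?P<err>.+)$")
NOTIFY_RECV = re.compile(
    r"Received NOTIFY for (?P<zone>\S+) from (?P<remote>\S+)(?P<rest>.*)$")


def failed_notifies(primary_log: str) -> dict:
    """zone -> (notified target, error) for NOTIFYs the primary reports as failed."""
    out = {}
    for line in primary_log.splitlines():
        m = NOTIFY_FAIL.search(line)
        if m:
            out[m["zone"]] = (m["target"], m["err"])
    return out


def refusal_reasons(secondary_log: str) -> dict:
    """zone -> (source address as the secondary saw it, diagnosis) for refused NOTIFYs."""
    out = {}
    for line in secondary_log.splitlines():
        m = NOTIFY_RECV.search(line)
        if not m or "Refused" not in m["rest"]:
            continue  # plain "Received NOTIFY" debug line, or an accepted one
        diag = "unrecognised refusal wording; read the line with loglevel=7"
        for pattern, hint in REFUSAL_REASONS:
            if re.search(pattern, m["rest"]):
                diag = hint
                break
        out[m["zone"]] = (m["remote"], diag)
    return out


def correlate(primary_log: str, secondary_log: str) -> dict:
    """Join both sides per zone: what the primary saw, what the secondary saw, which check failed."""
    reasons = refusal_reasons(secondary_log)
    report = {}
    for zone, (target, err) in failed_notifies(primary_log).items():
        remote, diag = reasons.get(zone, (None,
            "secondary logged nothing for this zone: NOTIFY never arrived "
            "(port mapping/firewall) or the zone name differs"))
        report[zone] = {"target": target, "primary_error": err,
                        "remote_seen_by_secondary": remote, "diagnosis": diag}
    return report


if __name__ == "__main__":
    for zone, r in correlate(PRIMARY_LOG, SECONDARY_LOG).items():
        print(zone)
        for k, v in r.items():
            print(f"  {k}: {v}")
```

The field `remote_seen_by_secondary` is the one to hold against `allow-notify-from`: it is the source address after any NAT on the way in, so a 172.x.x.x value there means a Docker bridge address rather than the primary host's IP.
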

pschiffe commented 8 months ago

This error is about replication: Received unsuccessful notification report for 'domain.tld' from 100.0.0.2:53, error: Query Refused

Are domains ns1.domain.tld and ns2.domain.tld resolving to 100.0.0.1 and 100.0.0.2?

But the problem will be most likely in the IP NAT inside of the container. If I assume correctly - 100.0.0.1 and 100.0.0.2 are IPs of the hosts where docker is running, but the containers themselves will have different IPs (something like 172....). I think this is the reason why it says Received NOTIFY for domain.tld from 100.0.0.1 for which we are not authoritative (Refused)

Quick and easy fix would be to drop the network namespace with network_mode: "host" in the docker compose for both containers. Then you can also drop the ports: section as the ports will bind directly on the host. In this mode, you cannot have authoritative server and resolver on the same host as both are using the same ports (53 tcp and udp).

Houbsi commented 4 months ago

Hi there, I just found the solution to the Docker NAT and rewriting problem.

After the following environment change on the slave DNS, it worked instantly <3. I have moved my configuration around so much that I need to find out what the minimal viable configuration is.

Primary Server runs on a Docker VM behind a VPN. The Slave is running on my Synology NAS at home.

Fix

- PDNS_trusted-notification-proxy=0.0.0.0/0

docker-compose.yml

Primary Environment in Docker-Compose

    environment:
      # Database settings
      - PDNS_gpgsql_password=my-secret-pw
      # PDNS API
      - PDNS_api=yes
      - PDNS_api_key=secret
      # Server settings
      - PDNS_local_address=0.0.0.0:5300
      # Webserver
      - PDNS_webserver=yes
      - PDNS_default_ttl=60
      - PDNS_webserver_address=0.0.0.0
      - PDNS_webserver_allow_from=172.8.0.0/16
      - PDNS_version_string=anonymous
      # Zone transfer settings
      - PDNS_disable_axfr=no
      - PDNS_disable_axfr_rectify=yes
      # 0.0.0.0/0: any address that reaches port 5300 may AXFR the zone or send NOTIFYs
      - PDNS_allow_axfr_ips=0.0.0.0/0
      - PDNS_allow_notify_from=0.0.0.0/0
      #- OFF_PDNS_allow_axfr_ips=<IP OF DOCKER HOST>
      #- PDNS_only-notify=10.0.0.178
      - PDNS_also_notify=<IP OF DOCKER HOST>:5300
      # Primary / Secondary setting
      - PDNS_primary=yes
      - PDNS_secondary=no
      - PDNS_autosecondary=no

Secondary Environment in Docker-Compose

    environment:
      # Database settings
      - PDNS_gpgsql_host=db
      - PDNS_gpgsql_dbname=powerdnsslave
      - PDNS_gpgsql_password=my-secret-pw
      # PDNS API
      - PDNS_api=yes
      - PDNS_api_key=secret
      - PDNS_version_string=anonymous
      # Server settings
      - PDNS_local_address=0.0.0.0:5300
      # Webserver
      - PDNS_webserver=yes
      - PDNS_default_ttl=60
      - PDNS_webserver_address=0.0.0.0
      - PDNS_webserver_allow_from=172.8.0.0/16
      # Zone transfer settings
      - PDNS_disable_axfr=no
      - PDNS_disable_axfr_rectify=yes
      # 0.0.0.0/0: any address that reaches port 5300 may AXFR the zone or send NOTIFYs
      - PDNS_allow_axfr_ips=0.0.0.0/0
      - PDNS_allow_notify_from=0.0.0.0/0
      # NOTIFYs arriving from any address are treated as forwarded by a trusted proxy
      - PDNS_trusted-notification-proxy=0.0.0.0/0
      # Primary / Secondary setting
      # 172.8.0.1 is the Docker bridge gateway, i.e. the source address the NOTIFY has after NAT
      - SUPERMASTER_IPS=172.8.0.1
      - PDNS_secondary=yes
      - PDNS_autosecondary=yes

Todo
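
To see which check an incoming NOTIFY trips under the configs in this thread, here is a model of the secondary's decision sequence, added as an example (not code from pschiffe/docker-pdns or PowerDNS). It follows the order of the refusal messages pdns_server logs (secondary enabled, allow-notify-from, zone known or autosecondary, trusted-notification-proxy, primary match) but simplifies: TSIG is ignored, and the nameserver-name check that real autosecondary provisioning performs against the supermasters table is left out. Addresses and the zone name come from the posts above; 172.17.0.1 as a post-NAT source and 203.0.113.9 as an unrelated host are constructed.

```python
"""Simplified model of the checks a PowerDNS authoritative secondary applies to
an incoming NOTIFY, in the order pdns_server applies them.  Added example for
this thread, not code from pschiffe/docker-pdns or PowerDNS; TSIG and the
supermaster nameserver-name check are deliberately left out (assumption: the
remaining order matches the refusal messages the server logs)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


def in_acl(addr: str, acl: list) -> bool:
    """True if addr falls inside any address or prefix in acl."""
    ip = ip_address(addr)
    return any(ip in ip_network(n, strict=False) for n in acl)


@dataclass
class Secondary:
    secondary: bool = False                  # PDNS_secondary / PDNS_slave
    autosecondary: bool = False              # PDNS_autosecondary / PDNS_superslave
    allow_notify_from: list = field(default_factory=lambda: ["0.0.0.0/0", "::/0"])
    trusted_notification_proxy: list = field(default_factory=list)
    supermasters: list = field(default_factory=list)   # SUPERMASTER_IPS rows
    zones: dict = field(default_factory=dict)          # zone -> primaries it is SECONDARY for


def notify_decision(cfg: Secondary, zone: str, remote: str) -> str:
    """First check the NOTIFY fails, or ACCEPT/PROVISION.
    remote is the source address as the secondary sees it, i.e. after any NAT."""
    if not cfg.secondary:
        return "REFUSED: secondary support disabled (set PDNS_secondary=yes)"
    if not in_acl(remote, cfg.allow_notify_from):
        return f"REFUSED: {remote} not permitted by allow-notify-from"
    if zone not in cfg.zones:
        if not cfg.autosecondary:
            return f"REFUSED: not authoritative for {zone}, autosecondary off"
        if in_acl(remote, cfg.supermasters):
            return f"PROVISION: {zone} created as secondary of supermaster {remote}"
        return f"REFUSED: not authoritative for {zone}, {remote} not a supermaster"
    primaries = cfg.zones[zone]
    if in_acl(remote, cfg.trusted_notification_proxy):
        if not primaries:
            return f"REFUSED: proxied NOTIFY but {zone} has no primaries"
        return f"ACCEPT: proxied NOTIFY, SOA check against {primaries}"
    if not in_acl(remote, primaries):
        return f"REFUSED: {remote} is not a primary of {zone}"
    return f"ACCEPT: SOA check against {remote}"


# Slave from the first post: SUPERMASTER_IPS set, no superslave/autosecondary, zone not created
THREAD_SLAVE = Secondary(secondary=True, allow_notify_from=["100.0.0.1"],
                         supermasters=["100.0.0.1"])

# Houbsi's secondary: ACLs open, autosecondary on, bridge gateway listed as supermaster
HOUBSI_SECONDARY = Secondary(secondary=True, autosecondary=True,
                             allow_notify_from=["0.0.0.0/0"],
                             trusted_notification_proxy=["0.0.0.0/0"],
                             supermasters=["172.8.0.1"])

# Tightened variant (constructed): zone pre-created as SECONDARY, only the primary may notify
STRICT_SECONDARY = Secondary(secondary=True, allow_notify_from=["100.0.0.1"],
                             zones={"domain.tld": ["100.0.0.1"]})

if __name__ == "__main__":
    cases = [("thread slave, source kept", THREAD_SLAVE, "100.0.0.1"),
             ("thread slave, source NATted", THREAD_SLAVE, "172.17.0.1"),
             ("Houbsi secondary", HOUBSI_SECONDARY, "172.8.0.1"),
             ("strict secondary", STRICT_SECONDARY, "100.0.0.1"),
             ("strict secondary, stranger", STRICT_SECONDARY, "203.0.113.9")]
    for name, cfg, remote in cases:
        print(f"{name:28} -> {notify_decision(cfg, 'domain.tld', remote)}")
```

Running it shows the two failure modes discussed in the thread: the first post's slave lets 100.0.0.1 past allow-notify-from and then refuses because domain.tld is not in its backend and autosecondary is off, while a source rewritten by NAT to a bridge address fails allow-notify-from immediately. Houbsi's values pass because autosecondary is on and the bridge gateway 172.8.0.1 is a supermaster. Note that allow-axfr-ips=0.0.0.0/0 on both of those servers also lets any host pull the zone by AXFR, and trusted-notification-proxy does nothing to restrict that.
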

HerrSammyDE commented 4 months ago

> This error is about replication: Received unsuccessful notification report for 'domain.tld' from 100.0.0.2:53, error: Query Refused
>
> Are domains ns1.domain.tld and ns2.domain.tld resolving to 100.0.0.1 and 100.0.0.2?
>
> But the problem will be most likely in the IP NAT inside of the container. If I assume correctly - 100.0.0.1 and 100.0.0.2 are IPs of the hosts where docker is running, but the containers themselves will have different IPs (something like 172....). I think this is the reason why it says Received NOTIFY for domain.tld from 100.0.0.1 for which we are not authoritative (Refused)
>
> Quick and easy fix would be to drop the network namespace with network_mode: "host" in the docker compose for both containers. Then you can also drop the ports: section as the ports will bind directly on the host. In this mode, you cannot have authoritative server and resolver on the same host as both are using the same ports (53 tcp and udp).

I think a useful method would be to provide a complete example that can be used directly.

Unfortunately I gave up and didn't try any further. I will do it again though!