
I have a bit of a weird setup with PowerDNS:

  • For our company domain xxx.de, we have four NS entries in the public Internet (at Nexinto). We run a hidden primary (called dns-ext) using PowerDNS/Poweradmin; so far this works fine.
  • Inside our Windows AD based network, we use the Windows-internal DNS server (called ad-master; our company domain is NOT the AD domain name, to avoid confusion!).
  • We have another server (called dns-int) inside the LAN that runs PowerDNS/Poweradmin and serves the internal view of xxx.de; the AD server is configured to forward queries from company machines to this server.
  • dns-int runs pdns-recursor on UDP/53 and pdns (the authoritative part) on UDP/54; the recursor is configured to forward queries for xxx.de to localhost:54.
  • Due to network security restrictions, dns-int cannot connect to the Internet directly, and "upstream" DNS requests must go through a DNS proxy server.

The problem is that right now, when I want subdomains, I have to create them in both dns-int and dns-ext, even if I do not want a split view for that subdomain zone.

So I thought, "okay, set a.xxx.de NS a.prim-ns.de in dns-int, place a forward entry for .=ip_of_proxy, and it should work", which it did not, because when asked for b.a.xxx.de, dns-int could not ask a.prim-ns.de: PowerDNS tried to connect to a.prim-ns.de regardless of the . forward. CNAME records pointing to public Internet addresses fail for the same reason: dns-int tries to resolve the CNAME, which fails and returns just the CNAME record to ad-master, and ad-master does not want to resolve that CNAME entry for some reason.

There is no way to get outbound access for dns-int, so how can I make PowerDNS use the DNS proxy for all queries it cannot answer?
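An added example, not part of the question or of any answer on this page: the recursor.conf that the setup described above implies, written in the classic key=value format of pdns-recursor (not the YAML format of recent releases). The first variant uses a plain `forward-zones` entry for `.`, which sends queries to the proxy with the RD (recursion desired) bit cleared, so the proxy is addressed as if it were an authoritative server. The second variant uses `forward-zones-recurse`, which sets RD so the proxy performs the recursion on the recursor's behalf; that is the setting a practitioner would try for a resolver-only upstream, and an explicit entry for the delegated subzone makes sure its queries go to the proxy rather than being chased from the NS records served on port 54. The proxy address 10.0.0.53, the listening addresses and the zone names are placeholders.

```ini
; ---- recursor.conf on dns-int, as implied by the question ----
; Recursor listens on UDP/53; the authoritative pdns on this host uses UDP/54
; (pdns.conf would carry  local-port=54  for that).
local-address=127.0.0.1,192.0.2.10
local-port=53

; Allow the AD DNS server (ad-master, placeholder address) and localhost to query.
allow-from=127.0.0.0/8,192.0.2.0/24

; Internal view of xxx.de comes from the authoritative pdns on port 54.
; Plain forward-zones is right here: that server IS authoritative, RD is not needed.
forward-zones=xxx.de=127.0.0.1:54

; ---- Variant 1: what the question tried (weak) ----
; A "." entry via forward-zones sends every other query to the proxy with RD=0,
; i.e. the proxy is treated like an authoritative server. A proxy that only
; accepts recursive queries will not resolve names this way.
;forward-zones=xxx.de=127.0.0.1:54,.=10.0.0.53

; ---- Variant 2: forward everything else to the proxy WITH recursion desired ----
; 10.0.0.53 is a placeholder for ip_of_proxy. The most specific forward zone wins,
; so xxx.de still goes to 127.0.0.1:54 while anything else goes to the proxy.
; a.xxx.de is listed explicitly so queries below it are sent to the proxy, which can
; reach a.prim-ns.de, instead of the recursor trying to contact a.prim-ns.de itself.
forward-zones-recurse=.=10.0.0.53,a.xxx.de=10.0.0.53
```

Two caveats worth checking before relying on this: the proxy must accept recursive queries from dns-int (test with `dig @10.0.0.53 +recurse example.org` from that host), and because the recursor only talks to the proxy for the `.` zone, any firewall rule that previously allowed dns-int to reach arbitrary port 53 destinations can stay closed, which is the security property the question's restrictions are after.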
