
I was previously using BIND for our office network. I've now moved to PowerDNS Authoritative, using a MySQL backend - and while all the local addresses are resolving just fine, my externally-hosted sites no longer resolve.

What I want, ideally, is to have a single domain which when viewed externally consists only of services hosted on Amazon, but when viewed internally includes those services and some internal hosts.

For example, here are some of the records:

```
play-consult.net IN SOA dns01.play-consult.net admin.play-consult.net 2018030103 604800 86400 2419200 604800
dns01.play-consult.net IN A 10.1.0.4
router01.play-consult.net IN A 10.1.0.1
sonarqube.play-consult.net IN NS ns-261.awsdns-32.com.
```

With BIND, this meant that requests for SonarQube would be answered by AWS Route53, which if you're outside our network is the primary nameserver for play-consult.net. However, now that I'm on PowerDNS, I get the NS record back but it never resolves. I had assumed that when I was using BIND that it was my local resolver which was then following the returned NS record to find the authoritative answer, but I'm starting to think that perhaps BIND was doing something that PowerDNS isn't?

I presume I could add a subdomain, either internal.play-consult.net answered authoritatively by PowerDNS, or cloud.play-consult.net answered by Route53 - but is there any way to keep these on the same subdomain as I had under BIND?

  • It sounds like you also had BIND configured as a recursive resolver, which is arguably a misconfiguration when it is also authoritative -- recursive and authoritative resolution should be handled by different servers. Do you mean they no longer resolve *for you when testing* ...or for anyone? Using the `+trace` option with `dig` may be useful... but the behavior described so far should not prevent the delegation from working on the Internet. – Michael - sqlbot Mar 08 '18 at 12:43
  • Something similar can be observed when testing with `dig` (without `+trace`) if you delegate a subdomain from one hosted zone to another [using NS records in Route 53](https://stackoverflow.com/a/35785273/1695906) but it is because Route 53 is authoritative-only, not recursive, and it works fine -- it just tests strangely until you understand why it works that way. – Michael - sqlbot Mar 08 '18 at 12:47
  • They don't resolve for anyone on the internal network. `dig` returns the NS record but that's all. I'll try `+trace` and report back. I have also done delegation of subdomains between hosted zones in Route 53 - and that does seem to work correctly. – alitheg Mar 08 '18 at 14:05
  • I did think about adding a PDNS recursor in front - but without having a dedicated subdomain I couldn't figure out how that would work: to my (admittedly limited) knowledge it sounds like the recursor wouldn't have its own zone files (or DB) so how would I delegate specific records to Route 53 and the rest of the domain to PDNS? – alitheg Mar 08 '18 at 14:06
  • Adding `+trace` seems to just return *nothing*: without `+trace` I get `sonarqube.play-consult.net. 86400 IN NS ns-261.awsdns-32.com.` With it I get just a header and nothing else – alitheg Mar 08 '18 at 14:08
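The behaviour described in the question and the comments (the NS record comes back but the address never does) is the difference between an authoritative-only server, which answers only from its own zone data and hands back a *referral* for anything under a zone cut, and a recursive resolver, which follows that referral on the client's behalf. The toy model below is an added example, not code from the question, from PowerDNS or from BIND. The zone contents are constructed: the internal records are the ones posted, with an assumed apex NS record added so the zone is complete; the Route 53 view is assumed to hold only the Amazon-hosted name, with a placeholder address (203.0.113.10). Real servers return this information in the DNS AUTHORITY section; here it is a field on a small `Response` object.

```python
"""Toy model: authoritative-only answers (PowerDNS Authoritative, Route 53)
versus a recursive resolver that follows referrals (BIND with recursion on,
or a PowerDNS Recursor in front). Zone data below is constructed for the
example; 203.0.113.10 is an assumed placeholder, not a real Route 53 value."""
from dataclasses import dataclass, field

# Internal view of the zone, as an authoritative server at 10.1.0.4 would
# serve it. Records from the question; the apex NS is an added assumption.
INTERNAL = ("play-consult.net", {
    "play-consult.net": {"NS": ["dns01.play-consult.net"]},
    "dns01.play-consult.net": {"A": ["10.1.0.4"]},
    "router01.play-consult.net": {"A": ["10.1.0.1"]},
    # An NS set below the apex is a zone cut, not an ordinary record.
    "sonarqube.play-consult.net": {"NS": ["ns-261.awsdns-32.com"]},
})

# External view at Route 53 (assumed contents: only the Amazon-hosted name).
EXTERNAL = ("play-consult.net", {
    "play-consult.net": {"NS": ["ns-261.awsdns-32.com"]},
    "sonarqube.play-consult.net": {"A": ["203.0.113.10"]},
})

# Which nameserver hostname serves which view (constructed mapping).
SERVERS = {
    "dns01.play-consult.net": INTERNAL,
    "ns-261.awsdns-32.com": EXTERNAL,
}


@dataclass
class Response:
    rcode: str                                     # NOERROR, NXDOMAIN, ...
    answer: list = field(default_factory=list)     # (name, type, rdata)
    authority: list = field(default_factory=list)  # NS records of a referral


def _names_below_apex(qname, apex):
    """Yield qname and each ancestor that lies strictly below the apex."""
    name = qname
    while name != apex:
        yield name
        name = name.split(".", 1)[1]


def authoritative_answer(zone, qname, qtype):
    """Authoritative-only behaviour: answer from own data, or return a
    referral when the name sits under a delegation. Never chases the NS."""
    apex, rrsets = zone
    if not (qname == apex or qname.endswith("." + apex)):
        return Response("REFUSED")
    for name in _names_below_apex(qname, apex):
        if "NS" in rrsets.get(name, {}):
            referral = [(name, "NS", ns) for ns in rrsets[name]["NS"]]
            return Response("NOERROR", authority=referral)
    if qname not in rrsets:
        return Response("NXDOMAIN")
    rdata = rrsets[qname].get(qtype, [])
    return Response("NOERROR", answer=[(qname, qtype, r) for r in rdata])


def recursive_resolve(qname, qtype, start_ns, max_hops=8):
    """Recursive behaviour: keep following referrals from the starting
    server until an answer (or an error) comes back."""
    ns = start_ns
    for _ in range(max_hops):
        resp = authoritative_answer(SERVERS[ns], qname, qtype)
        if resp.rcode != "NOERROR" or resp.answer or not resp.authority:
            return resp
        ns = resp.authority[0][2]   # follow the first NS in the referral
    return Response("SERVFAIL")     # referral loop guard


def rdata(resp):
    """Just the record data from an answer, for easy comparison."""
    return [r for _, _, r in resp.answer]


if __name__ == "__main__":
    auth = authoritative_answer(INTERNAL, "sonarqube.play-consult.net", "A")
    print("auth-only:", auth.answer, auth.authority)       # no A, NS referral
    rec = recursive_resolve("sonarqube.play-consult.net", "A",
                            "dns01.play-consult.net")
    print("recursive:", rdata(rec))                        # address from Route 53
    ext = recursive_resolve("router01.play-consult.net", "A",
                            "ns-261.awsdns-32.com")
    print("external client asking for an internal host:", ext.rcode)
```

Querying the internal authoritative server directly for `sonarqube.play-consult.net` yields an empty answer and the NS referral, which is exactly what `dig` against an authoritative-only PowerDNS shows; the same query through `recursive_resolve` starting at the internal server follows the referral to the Route 53 view and gets the address, while an external client starting at Route 53 never sees `router01`. The same delegation therefore works unchanged on the internal network as long as the clients talk to a recursor that forwards the zone to the internal authoritative server and follows its referrals, rather than to the authoritative server itself.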
