PowerDNS on Linode is open recursor on the extra IP
I've been directed here by Linode support because they don't have experience with PowerDNS. I have a linode with PowerDNS server and no recursor package installed on Ubuntu Lucid. The config has:
allow-recursion=127.0.0.1
PowerDNS is still resolving anonymous requests on the extra IP address:
$ dig google.com @
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29999
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 262 IN A 74.125.235.131
google.com. 262 IN A 74.125.235.132
google.com. 262 IN A 74.125.235.135
google.com. 262 IN A 74.125.235.130
google.com. 262 IN A 74.125.235.136
google.com. 262 IN A 74.125.235.134
google.com. 262 IN A 74.125.235.128
google.com. 262 IN A 74.125.235.133
google.com. 262 IN A 74.125.235.129
google.com. 262 IN A 74.125.235.137
google.com. 262 IN A 74.125.235.142
;; Query time: 397 msec
;; SERVER:
;; WHEN: Thu Sep 26 21:52:40 ICT 2013
;; MSG SIZE rcvd: 204
ifconfig reports this for the interface in question:
eth0:1 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
inet addr:
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:68
Do any of you have a workaround or any suggestions of what to look for to debug this problem? I'm kinda stuck with PowerDNS.
2 Replies
Are you sure allow-recursion is a valid option in the config file?
According to the PDNS recursor documentation [0]:
allow-from
Comma separated netmasks (both IPv4 and IPv6) that are allowed to use the server. The default allows access only from RFC 1918 private IP addresses, like 10.0.0.0/8. Due to the aggressive nature of the internet these days, it is highly recommended to not open up the recursor for the entire internet. Questions from IP addresses not listed here are ignored and do not get an answer.
[0] -
After a little more digging (pun intended) I found a dnsmasq daemon running and it was responsible for the recursion. Disabling that and it's all good. We can consider this case closed. Thanks for your input.
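The following is an added example, not part of the original thread: it reads the `ra` flag and answer count from the dig header posted above to confirm recursion was served, then maps each address bound to port 53 to the program that owns it, which is the check that exposes a second daemon such as dnsmasq. The `netstat -lnup` sample is constructed, its addresses come from the 192.0.2.0/24 documentation range, and treating `pdns_server` as the only expected listener is an assumption.

```python
import re

# Constructed sample of `netstat -lnup` output (not from the original thread);
# addresses use the 192.0.2.0/24 documentation range, PIDs are made up.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 127.0.0.1:53            0.0.0.0:*                           1180/pdns_server
udp        0      0 192.0.2.10:53           0.0.0.0:*                           1180/pdns_server
udp        0      0 192.0.2.11:53           0.0.0.0:*                           1342/dnsmasq
udp        0      0 0.0.0.0:68              0.0.0.0:*                           812/dhclient3
"""

# Header lines as dig printed them in the thread above.
DIG_HEADER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29999
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 0
"""

def served_recursion(dig_text):
    """True if the reply advertises recursion (ra) and carries answers."""
    m = re.search(r"flags:([a-z ]*);.*?ANSWER:\s*(\d+)", dig_text)
    if not m:
        return False
    return "ra" in m.group(1).split() and int(m.group(2)) > 0

def dns_listeners(netstat_text, port=53):
    """Map each local address bound to `port` to the owning program names."""
    owners = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("udp", "udp6", "tcp", "tcp6"):
            continue
        addr, _, lport = fields[3].rpartition(":")
        if lport != str(port):
            continue
        # Last column is PID/Program; a bare "-" means netstat ran without root
        prog = fields[-1].partition("/")[2] or "unknown"
        owners.setdefault(addr, set()).add(prog)
    return owners

def unexpected_listeners(owners, expected="pdns_server"):
    """Addresses where something other than the expected daemon answers DNS."""
    return {a: sorted(p - {expected}) for a, p in owners.items() if p - {expected}}

if __name__ == "__main__":
    print(served_recursion(DIG_HEADER))
    print(unexpected_listeners(dns_listeners(SAMPLE_NETSTAT)))
```

On a live host, feed `dns_listeners` the output of `netstat -lnup` run as root so the PID/Program column is populated.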