[Solved] PowerDNS refuses to resolve freebsd.org

ShelLuser

Son of Beastie

Thanks: 1,385
Messages: 2,952

#1
Hi gang,

A few weeks back I discovered PowerDNS and immediately took a serious liking to it. It required a bit of study to make it work (for example, it separates the concept of a DNS server from that of a DNS resolver), but now that I have got it to work I'm very pleased with it. I even prefer it over Bind/named these days.

However, quite recently something odd began to happen: the server refuses to resolve freebsd.org; as a result, several e-mails originating from FreeBSD's website got bounced because Postfix suddenly figured that the domain was invalid.

I noticed that the firewall is related to the problem, because as soon as I disable it the domain gets resolved again (note: the firewall was only briefly disabled, and because the server is behind a filtered connection the risk is minimal); once it is enabled again, it eventually breaks.

The weird thing though is that it has no issues resolving other domains. From microsoft.com to linux.org, no issues. But freebsd.org (and also samba.org) are causing problems.

I just noticed that both domains are registered with Gandi so now I'm beginning to wonder if that could be related to my problems. It's weird that only these two "gandi domains" give me an error whereas other domains resolve easily.

Any ideas?
 

Oko

Daemon

Thanks: 761
Messages: 1,620

#2
> Hi gang,
>
> A few weeks back I discovered PowerDNS and immediately took a serious liking to it. It required a bit of study to make it work (for example, it separates the concept of a DNS server from that of a DNS resolver), but now that I have got it to work I'm very pleased with it. I even prefer it over Bind/named these days.

Tell me that I am hallucinating due to those pills you prescribed me a few weeks ago. You are playing with PowerDNS. I can't believe it. When I mentioned NSD (DNS server) and Unbound (DNS resolver) in a thread

https://forums.freebsd.org/threads/63078/#post-364536

you declared me legally insane and pledged never to hire me for your multi-billion dollar high-tech company in any capacity, and as a DNS administrator in particular. What has happened in the meantime?
 

lebarondemerde

Daemon

Thanks: 636
Messages: 1,452

#3
> The weird thing though is that it has no issues resolving other domains. From microsoft.com to linux.org, no issues. But freebsd.org (and also samba.org) are causing problems.
>
> I just noticed that both domains are registered with Gandi so now I'm beginning to wonder if that could be related to my problems. It's weird that only these two "gandi domains" give me an error whereas other domains resolve easily.
>
> Any ideas?

Were they already cached before the problem began? Are you using something at the DNS level to filter ads and such?

I do not know dns/powerdns; I use dns/unbound and dns/nsd here.
 

OlivierW

Member

Thanks: 3
Messages: 39

#4
As you mention the firewall: do you have port 53 open for both UDP and TCP? freebsd.org and samba.org both have DNSSEC, so they may use TCP instead of UDP.
 
ShelLuser

Son of Beastie

Thanks: 1,385
Messages: 2,952

#5
> As you mention the firewall: do you have port 53 open for both UDP and TCP? freebsd.org and samba.org both have DNSSEC, so they may use TCP instead of UDP.

Thanks for the tip, that was it.

I don't fully understand yet why it isn't working, because both protocols are set up in the firewall, but as soon as I told PowerDNS not to use DNSSEC things started working again right away. Now that I have things working I can take my time to study DNSSEC further and come up with a proper solution for my firewall.

Thanks again :)
 

OlivierW

Member

Thanks: 3
Messages: 39

#7
You're welcome :)
DNS normally uses UDP, but when answers are too big*, it switches to TCP. With DNSSEC the answers are bigger than usual, so it often uses TCP. But you can also find big answers with ANY requests, or TXT requests with a lot of content, with or without DNSSEC.

*I'm not sure of the definition of "too big" in the DNS world; I think it depends on how the DNS servers are set up. Big UDP answers are often blocked to prevent amplification attacks.
 
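The mechanics behind the firewall tip in #4/#5 and the "too big, switch to TCP" description in #7, as an added example that is not part of the thread and not PowerDNS code: a small standard-library Python toy of both ends of the exchange. Without EDNS0 a client accepts at most 512 bytes over UDP (RFC 1035). A DNSSEC-aware resolver appends an EDNS0 OPT pseudo-record (RFC 6891) that advertises a larger UDP buffer and sets the DO bit, which asks for the RRSIG records that make signed answers large. When an answer exceeds what the client advertised, the server replies with the TC bit set and the client repeats the query over TCP, where every message carries a 2-byte length prefix. The 4096-byte buffer, the transaction ID, the constructed answer sizes and the `simulate`/`probe` helper names are this example's own assumptions. `probe()` sends three real queries (plain UDP, UDP with EDNS0+DO, TCP with EDNS0+DO) to a server you name and is the quickest way to see which path a firewall is dropping; it needs network access and is the only part not exercised offline.

```python
import socket
import struct

CLASSIC_UDP_LIMIT = 512   # RFC 1035: largest UDP reply a client without EDNS0 accepts
EDNS_BUFSIZE = 4096       # UDP payload size this example advertises in its OPT record (assumed)
DO_FLAG = 0x8000          # "DNSSEC OK" bit in the OPT record's TTL field (RFC 6891)
TC_FLAG = 0x0200          # truncation bit in the DNS header flags
TYPE_OPT = 41             # resource record type of the EDNS0 OPT pseudo-record

def build_query(name, qtype=1, dnssec=False, txid=0x1234):
    """Wire-format query with RD set; with dnssec=True append an EDNS0 OPT record with DO set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if dnssec else 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)
    # OPT RR: empty (root) name, TYPE 41, the CLASS field carries the UDP buffer size,
    # the TTL field carries ext-rcode/version/flags (DO), RDLENGTH 0.
    opt = (b"\x00" + struct.pack("!HHIH", TYPE_OPT, EDNS_BUFSIZE, DO_FLAG, 0)) if dnssec else b""
    return header + question + opt

def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "tc": bool(flags & TC_FLAG), "rcode": flags & 0xF, "ancount": an, "arcount": ar}

def question_end(msg):
    """Offset just past the single, uncompressed question section."""
    pos = 12
    while msg[pos]:
        pos += 1 + msg[pos]
    return pos + 1 + 4  # root label, QTYPE, QCLASS

def advertised_bufsize(query):
    """UDP payload size the client can accept: from its OPT record, else the classic 512."""
    if parse_header(query)["arcount"] == 0:
        return CLASSIC_UDP_LIMIT
    pos = question_end(query) + 1  # skip the OPT record's empty name
    rrtype, bufsize = struct.unpack("!HH", query[pos:pos + 4])
    return bufsize if rrtype == TYPE_OPT else CLASSIC_UDP_LIMIT

def udp_response(query, full_answer):
    """Toy server: send the full answer over UDP only if it fits the client's buffer;
    otherwise set TC and send back just the header and question."""
    if len(full_answer) <= advertised_bufsize(query):
        return full_answer
    txid, flags = struct.unpack("!HH", full_answer[:4])
    return struct.pack("!HHHHHH", txid, flags | TC_FLAG, 1, 0, 0, 0) + query[12:question_end(query)]

def client_next_step(reply):
    """A resolver either accepts a UDP reply or, on TC, repeats the query over TCP."""
    return "retry-over-tcp" if parse_header(reply)["tc"] else "accept"

def tcp_frame(msg):
    """DNS over TCP prefixes each message with its 16-bit length (RFC 1035 section 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

def simulate(name, dnssec, answer_len):
    """Push one query through the toy server against a constructed answer of answer_len
    bytes (standing in for an answer plus RRSIG records); return the client's decision."""
    q = build_query(name, dnssec=dnssec)
    header = struct.pack("!HHHHHH", parse_header(q)["id"], 0x8180, 1, 1, 0, 0)  # QR|RD|RA, NOERROR
    body = q[12:question_end(q)]
    reply = udp_response(q, header + body + b"\x00" * (answer_len - len(header) - len(body)))
    return client_next_step(reply), len(reply)

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed early")
        buf += chunk
    return buf

def probe(server, name, timeout=3.0):
    """Live check against a real server (needs network; not run offline): plain UDP,
    UDP with EDNS0+DO, and TCP with EDNS0+DO. A firewall that drops 53/tcp or large
    UDP datagrams typically passes the first and fails one of the other two."""
    results = {}
    for label, dnssec, tcp in (("udp-plain", False, False), ("udp-dnssec", True, False),
                               ("tcp-dnssec", True, True)):
        q = build_query(name, dnssec=dnssec)
        try:
            if tcp:
                with socket.create_connection((server, 53), timeout) as s:
                    s.sendall(tcp_frame(q))
                    (length,) = struct.unpack("!H", _recv_exact(s, 2))
                    data = _recv_exact(s, length)
            else:
                with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                    s.settimeout(timeout)
                    s.sendto(q, (server, 53))
                    data, _ = s.recvfrom(EDNS_BUFSIZE)
            results[label] = "truncated (TC set)" if parse_header(data)["tc"] else "ok, %d bytes" % len(data)
        except OSError as exc:
            results[label] = "FAILED: %s" % exc
    return results

if __name__ == "__main__":
    for dnssec, size in ((False, 200), (False, 1400), (True, 1400), (True, 5000)):
        print("EDNS0+DO" if dnssec else "classic ", size, "byte answer ->", simulate("freebsd.org", dnssec, size))
```

Run `probe("192.0.2.53", "freebsd.org")` (placeholder address) from the host that runs the resolver: if `udp-plain` succeeds but `tcp-dnssec` fails, 53/tcp is being dropped. One thing the toy does not model: a large EDNS0 reply over UDP arrives as IP fragments, and a firewall that drops fragments makes the UDP query time out rather than fail outright; most resolvers then retry with a smaller advertised buffer, receive a TC reply, and move to TCP anyway, so 53/tcp has to pass in both cases.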