On Tue, Apr 29, 2025 at 03:18:44PM +0100, Robby Pedrica via Pdns-users wrote:
> Hi pdns community
>
> I've got an odd issue where some clients do not get a response from either
> of my 2 recursors. Both are v5.1.4 deployed via docker with fairly std
> configs. Generally the logs will indicate if something is not in the
> allowed-from list but these clients don't show there. For all intents and
> purposes, the recursors work normally and well for all my other clients.
>

Since you left out specifics, it's not possible for us to see what is going
wrong. Please read
https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open
and try again with no information edited except secrets like passwords.

-Otto

> Design:
>
> client ---> firewall --- ipsec vpn --- firewall ---> recursor ---> internet
>
> Troubleshooting:
>
> - check for blocks due to allow_from (nothing listed for these clients)
> - check local firewall rules (nothing special or different for specific
>   clients)
> - tcpdump on the recursor hosts shows queries hitting those hosts
> - pcaps on both firewalls show good traffic
> - the start of the logs shows the ACL for allow_from is correct
>
> PDNS-rec Config:
> ------------------------
>
> ######### SECTION incoming #########
> incoming:
>   listen:
>     - 0.0.0.0
>     - '::'
>   allow_from:
>     - x.x.x.x/y
>     - etc.
>
>   port: 53
>   proxy_protocol_from: [a.a.a.a/b]
>   use_incoming_edns_subnet: true
>   max_tcp_clients: 128
>
> PDNS-rec docker config:
> ---------------------------------
>
> ---
> version: '2.0'
> services:
>   recursor:
>     image: powerdns/pdns-recursor-51:latest
>     restart: always
>     ports:
>       - "53:53"
>       - "53:53/udp"
>       - "8082:8082"
>     logging:
>       driver: "syslog"
>     volumes:
>       - ./recursor.yml:/etc/powerdns/recursor.yml
>       - ./named.root.txt:/etc/named.root.txt
>       - ./proxy-map.lua:/etc/proxy-map.lua
>
> PDNS-rec logs:
> ---------------------
>
> recursor_1 | Apr 29 13:53:49 PowerDNS Recursor 5.1.4 (C) PowerDNS.COM BV
> recursor_1 | Apr 29 13:53:49 Using 64-bits mode. Built using gcc 10.2.1 20210110 on Apr 8 2025 10:17:24 by root@localhost.
> recursor_1 | Apr 29 13:53:49 PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
> recursor_1 | Apr 29 13:53:49 msg="Processing main YAML settings" subsystem="config" level="0" prio="Notice" tid="0" ts="1745934829.121" path="/etc/powerdns/recursor.yml"
> recursor_1 | Apr 29 13:53:49 msg="YAML config found and processed" subsystem="config" level="0" prio="Notice" tid="0" ts="1745934829.121" configname="/etc/powerdns/recursor.yml"
> recursor_1 | Apr 29 13:53:49 msg="Enabling IPv4 transport for outgoing queries" subsystem="config" level="0" prio="Notice" tid="0" ts="1745934829.123"
> recursor_1 | Apr 29 13:53:49 msg="Setting access control" subsystem="config" level="0" prio="Info" tid="0" ts="1745934829.125" acl="allow-from" addresses="x.x.x.x/y a.a.a.a/b etc."
> recursor_1 | Apr 29 13:53:49 msg="Will not send queries to" subsystem="config" level="0" prio="Notice" tid="0" ts="1745934829.132" addresses="127.0.0.0/8 10.0.0.0/8 100.64.0.0/10 169.254.0.0/16 192.168.0.0/16 172.16.0.0/12 ::1/128 fc00::/7 fe80::/10 0.0.0.0/8 192.0.0.0/24 192.0.2.0/24 198.51.100.0/24 203.0.113.0/24 240.0.0.0/4 ::/96 ::ffff:0:0/96 100::/64 2001:db8::/32 0.0.0.0 ::"
>
> PDNS-rec host pcap:
> ------------------------------
>
> tcpdump -i any -v 'host <client-ip>'
> tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
> 14:01:49.419703 IP (tos 0x0, ttl 124, id 45946, offset 0, flags [none], proto UDP (17), length 83)
>     <client-hostname>.65424 > <recursor-hostname>.domain: 16579+ [1au] A? canary.officeapps.live.com. (55)
> 14:01:49.419758 IP (tos 0x0, ttl 123, id 45946, offset 0, flags [none], proto UDP (17), length 83)
>     <client-hostname>.65424 > 172.24.0.2.domain: 16579+ [1au] A? canary.officeapps.live.com. (55)
> 14:01:49.419766 IP (tos 0x0, ttl 123, id 45946, offset 0, flags [none], proto UDP (17), length 83)
>     <client-hostname>.65424 > 172.24.0.2.domain: 16579+ [1au] A? canary.officeapps.live.com. (55)
>
> Any ideas on what could be wrong or what I'm missing here is appreciated.
>
> Regards
>
> Robby

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
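The quoted recursor.yml carries both an `allow_from` list and a `proxy_protocol_from` range, and those two settings interact: per the recursor's documentation, a source inside `proxy_protocol_from` must put a PROXY protocol v2 header in front of every query, and a plain query from such a source is not accepted. The following is an added example, written for this page and not code from the thread or from the PowerDNS project. It predicts, for a plain (un-proxied) query, which of the two settings a client address hits, and builds the header a client in the proxy range would have to send. The `INCOMING` dict and every address in it are constructed stand-ins for the masked `x.x.x.x/y` and `a.a.a.a/b` values; the ordering (proxy-protocol requirement first, `allow_from` afterwards on the address the header carries) follows the documented behaviour.

```python
"""ACL sanity check for a PowerDNS Recursor ``incoming:`` section.

Added example for this thread; not code from the original mail or from
the PowerDNS project.  It models two documented recursor.yml rules:

  incoming.allow_from           sources allowed to query at all
  incoming.proxy_protocol_from  sources that must prefix every query with a
                                PROXY protocol v2 header; a plain query from
                                such a source is not accepted

and builds the header a client in the second set would have to send.
All addresses below are constructed stand-ins for the masked x.x.x.x/y
and a.a.a.a/b values in the thread.
"""
import ipaddress
import struct
from typing import Dict, List

# Constructed placeholder for the masked 'incoming' section (assumption).
INCOMING: Dict[str, List[str]] = {
    "allow_from": ["10.20.0.0/16", "192.168.100.0/24", "2001:db8:10::/48"],
    "proxy_protocol_from": ["10.20.5.0/24"],
}

VERDICT_ANSWERED = "answered"
VERDICT_NOT_ALLOWED = "refused: source not in allow_from"
VERDICT_PROXY_REQUIRED = "dropped: source in proxy_protocol_from, PROXY v2 header required"

# Fixed 12-byte signature that opens every PROXY protocol v2 header.
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"


def _networks(cidrs: List[str]):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def _matches(addr, nets) -> bool:
    # A v4 address never matches a v6 network (and vice versa); check explicitly.
    return any(addr.version == n.version and addr in n for n in nets)


def classify(client: str, incoming: Dict[str, List[str]] = INCOMING) -> Dict[str, object]:
    """Predict what the recursor does with a *plain* (un-proxied) query from client.

    The proxy-protocol requirement is applied first: a plain query from a
    proxy_protocol_from source is dropped before any allow_from decision.
    """
    addr = ipaddress.ip_address(client)
    in_allow = _matches(addr, _networks(incoming.get("allow_from", [])))
    in_proxy = _matches(addr, _networks(incoming.get("proxy_protocol_from", [])))
    if in_proxy:
        verdict = VERDICT_PROXY_REQUIRED
    elif not in_allow:
        verdict = VERDICT_NOT_ALLOWED
    else:
        verdict = VERDICT_ANSWERED
    return {"client": client, "in_allow_from": in_allow,
            "in_proxy_protocol_from": in_proxy, "plain_query": verdict}


def proxy_v2_header(src: str, dst: str, sport: int, dport: int, udp: bool = True) -> bytes:
    """PROXY protocol v2 header (PROXY command, no TLVs) a proxied client must prepend."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("source and destination must be the same address family")
    family = 0x10 if s.version == 4 else 0x20      # AF_INET / AF_INET6
    proto = 0x02 if udp else 0x01                  # DGRAM / STREAM
    body = s.packed + d.packed + struct.pack("!HH", sport, dport)
    return (PP2_SIGNATURE
            + bytes([0x21, family | proto])        # version 2, PROXY command
            + struct.pack("!H", len(body))         # address block length
            + body)


def report(clients: List[str], incoming: Dict[str, List[str]] = INCOMING) -> List[str]:
    """One human-readable line per client, for pasting into a ticket."""
    return [f"{r['client']:>20}  allow_from={r['in_allow_from']!s:5}  "
            f"proxy_protocol_from={r['in_proxy_protocol_from']!s:5}  -> {r['plain_query']}"
            for r in (classify(c, incoming) for c in clients)]


if __name__ == "__main__":
    # Constructed sample: a normal LAN client, a client inside the proxy range,
    # an address outside every range, and an IPv6 client.
    for line in report(["10.20.1.7", "10.20.5.9", "203.0.113.5", "2001:db8:10::1"]):
        print(line)
```

Substitute the real ranges and the affected clients' source addresses as they appear in the recursor-host pcap. In this model a plain query from a `proxy_protocol_from` source never reaches the allow-from stage, so it does not produce an allow-from log line; the recursor's `proxy-protocol-invalid` counter (visible via `rec_control get-all`) is the metric to watch for that case.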