The logs (in your original post) are redacted. So we cannot correlate the log lines with your config. If posting unredacted logs is not possible we cannot help you here.
-Otto

On Thu, May 08, 2025 at 03:00:37PM +0100, Robby Pedrica wrote:

> 
> On 2025/04/30 12:41, Otto Moerbeek wrote:
> > On Tue, Apr 29, 2025 at 03:18:44PM +0100, Robby Pedrica via Pdns-users
> > wrote:
> > 
> > > Hi pdns community
> > > 
> > > I've got an odd issue where some clients do not get a response from either
> > > of my 2 recursors. Both are v5.1.4 deployed via docker with fairly std
> > > configs. Generally the logs will indicate if something is not in the
> > > allowed-from list but these clients don't show there. For all intents and
> > > purposes, the recursors work normally and well for all my other clients.
> > 
> > Since you left out specifics, it's not possible for us to see what is
> > going wrong. Please read
> > https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open
> > and try again with no information edited except secrets like
> > passwords.
> > 
> > -Otto
> 
> Hi Otto
> 
> 1 - thank you very much for your reply
> 
> 2 - my apologies for the delayed response however I've been travelling the
> last week
> 
> 3 - I intimately understand the requirement to provide as much information
> as possible as I provide support myself; in this case, I spent a significant
> amount of time troubleshooting and collecting information on the issue - I
> thought I had provided everything relevant but it's clear from your reply
> that that is not the case; however what is not clear, is what I left out
> (and the provided link does not assist with specifics either).
> 
> I'm going to make the assumption that you are referring to the recursor.yml
> configuration file, and therefore provide that here in full (minus secrets):
> 
> //
> ######### SECTION incoming #########
> incoming:
>   listen:
>   - 0.0.0.0
>   - '::'
>   allow_from:
>   # - 0.0.0.0/0
>   - 127.0.0.1
>   - 172.0.0.0/8 # docker networks
>   - 10.10.10.0/24 # client subnet
> 
>   ##### The load factor used when PowerDNS is distributing queries to worker threads
>   # distribution_load_factor: 0.0
>   ##### Launch this number of distributor threads, distributing queries to other threads
>   # distributor_threads: 0
>   port: 53
>   proxy_protocol_from: [105.55.55.33/32]
>   use_incoming_edns_subnet: true
>   ##### Maximum number of requests handled concurrently per TCP connection
>   # max_concurrent_requests_per_tcp_connection: 10
>   ##### Maximum number of simultaneous TCP clients
>   max_tcp_clients: 128
> 
> ######### SECTION logging #########
> logging:
>   common_errors: true
>   disable_syslog: false
>   # facility: ''
>   loglevel: 6
>   ##### Suppress logging of questions and answers
>   quiet: false
> 
> ######### SECTION nod #########
> nod:
>   ##### Log newly observed domains.
>   log: true
>   ##### Track newly observed domains (i.e. never seen before).
>   # tracking: false
> 
> ######### SECTION outgoing #########
> outgoing:
>   edns_subnet_allow_list: !override
>   - 0.0.0.0/0.
>   max_busy_dot_probes: 50
> 
> ######### SECTION packetcache #########
> packetcache:
>   ##### Disable packetcache
>   # disable: false
> 
> ######### SECTION recursor #########
> recursor:
>   daemon: false
>   etc_hosts_file: /etc/hosts
>   hint_file: /etc/named.root.txt
>   lua_config_file: /etc/proxy-map.lua
>   ##### Launch this number of threads listening for and processing TCP queries
>   # tcp_threads: 1
>   ##### Launch this number of threads
>   threads: 4
>   ##### string reported on version.pdns or version.bind
>   # version_string: '*runtime determined*'
>   write_pid: true
> 
> ######### SECTION webservice #########
> webservice:
>   address: 0.0.0.0
>   allow_from: !override
>   - 10.10.11.0/24
>   api_key: ---
>   ##### Amount of logging in the webserver (none, normal, detailed)
>   loglevel: normal
>   password: ---
>   port: 8082
>   webserver: true
> 
> ######### SECTION dnssec #########
> dnssec:
>   log_bogus: false
>   max_dnskeys: 2
>   validation: process
> 
> ######### SECTION ecs #########
> ecs:
>   ##### List of client netmasks for which EDNS Client Subnet will be added
>   add_for:
>   - 0.0.0.0/0
>   - ::/0
> //
> 
> The related proxy-map.lua:
> 
> //
> -- protobufServer("10.10.11.50:514" , "maxQueuedEntries=100",
> "logQueries=true", "logResponses=true", "logMappedFrom=false")
> protobufServer("10.10.11.50:514")
> 
> -- AE
> addProxyMapping("10.10.10.0/24", "41.55.55.33")
> //
> 
> I can't provide less sanitised information in the pcap and logs as that
> would expose sensitive information (which I think is reasonably sanitised).
> But let me know on this point in any case.
> 
> If you are however referring to something else, then I would appreciate you
> specifying the additional information that you would require to assist me in
> collecting that info.
> 
> Appreciate your time
> 
> Robby
> 
> > 
> > > 
> > > Design:
> > > 
> > > client ---> firewall --- ipsec vpn --- firewall ---> recursor ---> internet
> > > 
> > > Troubleshooting:
> > > 
> > > - check for blocks due to allow_from (nothing listed for these clients)
> > > - check local firewall rules (nothing special or different for specific
> > > clients)
> > > - tcpdump on the recursor hosts show queries hitting those hosts
> > > - pcaps on both firewalls show good traffic
> > > - the start of the logs show the ACL for allow_from is correct
> > > 
> > > PDNS-rec Config:
> > > ------------------------
> > > 
> > > //
> > > ######### SECTION incoming #########
> > > incoming:
> > >   listen:
> > >   - 0.0.0.0
> > >   - '::'
> > >   allow_from:
> > >   - x.x.x.x/y
> > >   - etc.
> > > 
> > >   port: 53
> > >   proxy_protocol_from: [a.a.a.a/b]
> > >   use_incoming_edns_subnet: true
> > >   max_tcp_clients: 128
> > > //
> > > 
> > > 
> > > PDNS-rec docker config:
> > > ---------------------------------
> > > 
> > > //
> > > ---
> > > version: '2.0'
> > > services:
> > >   recursor:
> > >     image: powerdns/pdns-recursor-51:latest
> > >     restart: always
> > >     ports:
> > >     - "53:53"
> > >     - "53:53/udp"
> > >     - "8082:8082"
> > >     logging:
> > >       driver: "syslog"
> > >     volumes:
> > >     - ./recursor.yml:/etc/powerdns/recursor.yml
> > >     - ./named.root.txt:/etc/named.root.txt
> > >     - ./proxy-map.lua:/etc/proxy-map.lua
> > > //
> > > 
> > > PDNS-rec logs:
> > > ---------------------
> > > 
> > > recursor_1 | Apr 29 13:53:49 PowerDNS Recursor 5.1.4 (C) PowerDNS.COM BV
> > > recursor_1 | Apr 29 13:53:49 Using 64-bits mode. Built using gcc 10.2.1 20210110 on Apr 8 2025 10:17:24 by root@localhost.
> > > recursor_1 | Apr 29 13:53:49 PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
> > > recursor_1 | Apr 29 13:53:49 msg="Processing main YAML settings" subsystem="config" level="0" prio="Notice" tid="0" ts="1745934829.121" path="/etc/powerdns/recursor.yml"
> > > recursor_1 | Apr 29 13:53:49 msg="YAML config found and processed" subsystem="config" level="0" prio="Notice" tid="0" ts="1745934829.121" configname="/etc/powerdns/recursor.yml"
> > > recursor_1 | Apr 29 13:53:49 msg="Enabling IPv4 transport for outgoing queries" subsystem="config" level="0" prio="Notice" tid="0" ts="1745934829.123"
> > > recursor_1 | Apr 29 13:53:49 msg="Setting access control" subsystem="config" level="0" prio="Info" tid="0" ts="1745934829.125" acl="allow-from" addresses="x.x.x.x/y a.a.a.a/b etc."
> > > recursor_1 | Apr 29 13:53:49 msg="Will not send queries to" subsystem="config" level="0" prio="Notice" tid="0" ts="1745934829.132" addresses="127.0.0.0/8 10.0.0.0/8 100.64.0.0/10 169.254.0.0/16 192.168.0.0/16 172.16.0.0/12 ::1/128 fc00::/7 fe80::/10 0.0.0.0/8 192.0.0.0/24 192.0.2.0/24 198.51.100.0/24 203.0.113.0/24 240.0.0.0/4 ::/96 ::ffff:0:0/96 100::/64 2001:db8::/32 0.0.0.0 ::"
> > > 
> > > PDNS-rec host pcap:
> > > ------------------------------
> > > 
> > > tcpdump -i any -v 'host <client-ip>'
> > > tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
> > > 14:01:49.419703 IP (tos 0x0, ttl 124, id 45946, offset 0, flags [none], proto UDP (17), length 83)
> > >     <client-hostname>.65424 > <recursor-hostname>.domain: 16579+ [1au] A? canary.officeapps.live.com. (55)
> > > 14:01:49.419758 IP (tos 0x0, ttl 123, id 45946, offset 0, flags [none], proto UDP (17), length 83)
> > >     <client-hostname>.65424 > 172.24.0.2.domain: 16579+ [1au] A? canary.officeapps.live.com. (55)
> > > 14:01:49.419766 IP (tos 0x0, ttl 123, id 45946, offset 0, flags [none], proto UDP (17), length 83)
> > >     <client-hostname>.65424 > 172.24.0.2.domain: 16579+ [1au] A? canary.officeapps.live.com. (55)
> > > 
> > > Any ideas on what could be wrong or what I'm missing here is appreciated.
> > > 
> > > Regards
> > > 
> > > Robby
> > > 
> > > _______________________________________________
> > > Pdns-users mailing list
> > > Pdns-users@mailman.powerdns.com
> > > https://mailman.powerdns.com/mailman/listinfo/pdns-users
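A way to check offline which client source addresses the incoming allow_from quoted in the thread would accept, which is the "check for blocks due to allow_from" step of the troubleshooting list. This is an added example, not code from the thread or from PowerDNS; the proxy_protocol_from handling encodes the documented recursor behaviour as I understand it (an assumption), and the client addresses are constructed.

```python
"""Offline check of which source addresses the recursor's incoming ACL accepts.
Added example, not code from the thread or from PowerDNS; the ACL and
proxy_protocol_from list are copied from the recursor.yml quoted above."""
import ipaddress

# incoming.allow_from and incoming.proxy_protocol_from as quoted in the thread
ALLOW_FROM = ["127.0.0.1", "172.0.0.0/8", "10.10.10.0/24"]
PROXY_PROTOCOL_FROM = ["105.55.55.33/32"]


def parse_nets(entries):
    """ACL strings to network objects; a bare address becomes a /32 or /128."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def matching_net(addr, nets):
    """Return the first ACL entry containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    for net in nets:
        if ip.version == net.version and ip in net:
            return str(net)
    return None


def acl_decision(packet_src, header_src=None):
    """Which address allow_from is applied to, and whether it passes.

    Assumption (documented PowerDNS behaviour as I understand it): a sender
    listed in proxy_protocol_from must prefix a PROXY v2 header, and the
    client address inside that header, not the proxy's address, is checked
    against allow_from; a PROXY header from any other sender is dropped.
    """
    allow, proxies = parse_nets(ALLOW_FROM), parse_nets(PROXY_PROTOCOL_FROM)
    from_proxy = matching_net(packet_src, proxies) is not None
    if from_proxy and header_src is None:
        return ("drop", "proxy source without PROXY header", None)
    if header_src is not None and not from_proxy:
        return ("drop", "PROXY header from non-proxy source", None)
    checked = header_src if from_proxy else packet_src
    hit = matching_net(checked, allow)
    return ("allow" if hit else "drop", checked, hit)


if __name__ == "__main__":
    # Constructed clients: VPN subnet, docker net, unlisted LAN, proxied VPN client.
    for src, hdr in [("10.10.10.25", None), ("172.24.0.1", None),
                     ("192.168.1.10", None), ("105.55.55.33", "10.10.10.25"),
                     ("105.55.55.33", None)]:
        print(src, hdr, "->", acl_decision(src, hdr))
```

Feed it the real client addresses seen in the tcpdump output to confirm whether the ACL, rather than something in the path, is what drops the query.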