It's Me, Tommy

PowerDNS Recursor

I ran into an issue where I was setting up a VPN to a GCP VPC and noticed that DNS was not working correctly. DNS worked flawlessly within any instance inside the GCP VPC itself, but not from my laptop. I should be able to ssh into any instance from my laptop. I also want to point out that I am using Google Cloud DNS, which is awesome. 

My solution was to setup an instance with PowerDNS Recurser and have clients use it to resolve DNS as if they are within the GCP VPC. Brilliant!

Quick Reference

systemctl {status,stop,start} pdns-recursor

# wipe all records for the exact name www.example.com
rec_control wipe-cache www.example.com

# wipe all cache entries for example.com
rec_control wipe-cache example.com$

Install

yum install pdns-recursor

Enable at bootup

systemctl enable pdns-recursor

View config directory

pdns_recursor --no-config --config | grep config-dir
# api-config-dir   Directory where REST API stores config and zones
# api-config-dir=
# config-dir   Location of configuration directory (recursor.conf)
# config-dir=/etc/pdns-recursor

Config file

/etc/pdns-recursor/recursor.conf

Allow access

Note: Compute Engine instances receive internal DNS resolution information as part of their DHCP leases. By default, resolution of internal DNS names is handled by the instance’s metadata server (169.254.169.254). If you change the name server configuration for your instance, you might not be able to use internal DNS names.

  • 10.0.0.0/8 is my network
  • 10.42.0.45 is my DNS Recursor IP
  • 169.254.169.254 is Google’s internal DNS nameserver
vi /etc/pdns-recursor/recursor.conf
allow-from=10.0.0.0/8
local-address=10.42.0.45
forward-zones-recurse=[YOUR_DOMAIN]=169.254.169.254,[YOUR_DOMAIN]=169.254.169.254,internal=169.254.169.254

Start

After a restart of the Recursor, it will answer queries on 10.42.0.45, but only for queries with a source address in the 10.0.0.0/8 network.

systemctl start pdns-recursor

Test DNS port

If you are not successful, check your firewall.

nc -vzu 10.42.0.45 53
found 0 associations
found 1 connections:
     1:    flags=82<CONNECTED,PREFERRED>
   outif (null)
   src 10.125.200.42 port 59471
   dst 10.42.0.45 port 53
   rank info not available

Connection to 10.42.0.45 port 53 [udp/domain] succeeded!

Test DNS

I recommend that you test against an internal only hostname. I’m just using itsmetommy.com as an example. 

dig itsmetommy.com @10.42.0.45

; <<>> DiG 9.10.6 <<>> itsmetommy.com @10.42.0.45
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62947
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;itsmetommy.com.         IN A

;; ANSWER SECTION:
itsmetommy.com.       60 IN A  67.188.56.145

;; Query time: 184 msec
;; SERVER: 10.42.0.45#53(10.42.0.45)
;; WHEN: Thu Dec 13 21:07:13 PST 2018
;; MSG SIZE  rcvd: 59

Tommy Elmesewdy

, ,
, , ,