PowerDNS Recursor Failing DNSSEC Resolution for Some Domains from External Clients #15898
sdiwakar123 started this conversation in General
Replies: 1 comment
Check your ACLs: https://docs.powerdns.com/recursor/settings.html#allow-from
Hi team,
I'm experiencing an issue with PowerDNS Recursor where DNS resolution for some domains (e.g., gateway.zohoassist.com) works perfectly on the server itself using dig +dnssec, but external clients (like Windows PCs) receive a "server failed" response when using the same PowerDNS recursor.
Setup:
PowerDNS Recursor version: Latest
Server LAN IP is NATTED to Public IP and A Record is also there.
Listening ports: Confirmed udp/tcp 53 are listening
DNSSEC: Enabled
dnssec=validate is configured in recursor.conf
hint-file=/usr/share/dns/root.hints is also set
Diagnostics:
From server:
dig +dnssec gateway.zohoassist.com @127.0.0.1 → OK
dig +dnssec gateway.zohoassist.com @192.168.8.54 → OK
From external Windows machine:
nslookup gateway.zohoassist.com Public IP of Server → Server failed
What I’ve Checked:
Firewall allows incoming traffic to port 53 on both TCP/UDP
Port is reachable from external client using telnet 53 (TCP)
No DNS forwarding loops
DNSSEC root hints file exists and is reachable
No DNSSEC validation failure is logged on the server side
Questions:
Is there anything specific to configure in recursor.conf for external clients and DNSSEC validation?
Could this be a NAT/UDP timeout issue from clients behind NAT?
Any logging options I should enable to get more detailed insight into why it's failing externally?
Any guidance or similar experiences would be greatly appreciated!
Thanks in advance,
Diwakar
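The reply's pointer to allow-from, as an added example that is not part of the original thread or of PowerDNS itself: a Python check of which query source addresses a recursor.conf allow-from list covers. It assumes an old-style key=value recursor.conf with plain comma-separated netmasks (no negation, `+=` or allow-from-file); the sample config is constructed, and 203.0.113.25 is a placeholder for an external client's address.

```python
import ipaddress

# Default allow-from as listed in the Recursor settings documentation
# (verify against the documentation for your installed version).
DEFAULT_ALLOW_FROM = (
    "127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, "
    "192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10"
)

# Constructed sample: the two settings quoted in the question, no allow-from line.
SAMPLE_CONF = """\
dnssec=validate
hint-file=/usr/share/dns/root.hints
"""

def parse_allow_from(conf_text):
    """Return allow-from networks; fall back to the default if the key is absent."""
    value = DEFAULT_ALLOW_FROM
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        key, sep, val = line.partition("=")
        if sep and key.strip() == "allow-from":
            value = val                           # last assignment wins
    return [ipaddress.ip_network(n.strip(), strict=False)
            for n in value.split(",") if n.strip()]

def is_allowed(source_ip, networks):
    """True if the query source address falls inside any listed netmask."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr.version == net.version and addr in net for net in networks)

def report(conf_text, sources):
    nets = parse_allow_from(conf_text)
    return {ip: is_allowed(ip, nets) for ip in sources}

if __name__ == "__main__":
    # 127.0.0.1 and 192.168.8.54 are the addresses used in the post's dig tests;
    # 203.0.113.25 is a placeholder (documentation range) for an external client.
    sources = ["127.0.0.1", "192.168.8.54", "203.0.113.25"]
    for ip, ok in report(SAMPLE_CONF, sources).items():
        print(f"{ip:15} {'allowed' if ok else 'not covered by allow-from'}")
```

Pass the address the recursor actually sees as the query source, which behind NAT can differ from the client's own address. When extending allow-from, listing only the specific client networks rather than 0.0.0.0/0 keeps the recursor from acting as an open resolver.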