Recursive DNS queries

What is a recursive DNS query?

When we tested our DNS server configuration in the previous chapter, the more astute reader may have noticed the following line in the output of the dig application, indicating that the DNS server does not allow recursion.

;; WARNING: recursion requested but not available 

While this message is very clear about the fact that recursion was requested but was not available, what may be less clear is exactly what recursion is. In simple terms, whenever a DNS server receives a query which it cannot answer directly from its own database it has two choices. It can either return a response informing us that it is unable to answer the query, which is what the PowerDNS daemon will do in its current configuration, or it can ask another server to see if it knows the answer. The process of answering a DNS query which is not stored locally is referred to as recursion because the resolver will have to ask several other servers in turn, following a recursive algorithm that starts with the root servers, to obtain an answer.

To put things even more succinctly, a recursive query is any DNS query which cannot be resolved by the DNS server from its local database. As the PowerDNS daemon is currently set to deny recursive query requests, we are unable to resolve any queries which do not pertain to our own domains. Clearly this is an unacceptable situation to leave ourselves in, so we need to configure the PowerDNS daemon to allow recursive queries.

Configuring PowerDNS to use an external recursor

The simplest method of instructing the PowerDNS daemon to allow recursive queries is to add a section to the PowerDNS configuration file similar to the one shown below. This example will allow access to the recursor only to hosts on the 10.0.0.0/8 and 192.168.0.0/16 networks, so that the server does not act as an open recursor for the whole Internet, and will forward all recursive queries it receives to an external recursor at 80.58.61.250, which should be replaced with the IP address of a public DNS resolver such as those provided by your Internet Service Provider.

/etc/powerdns/pdns.conf
# Recursion settings
allow-recursion=10.0.0.0/8,192.168.0.0/16
recursor=80.58.61.250
lazy-recursion=yes

Once the above entries have been added to the PowerDNS configuration file, the daemon can be instructed to reload the configuration file, and thus use the settings we have just added, by issuing the following command.

lisa /etc/init.d/pdns reload

You should now have access to the normal DNS resolution services which you are probably used to, which is a good thing as we shall need to be able to resolve host names to IP addresses to continue with this guide.

Configuring PowerDNS to use an internal recursor

Whilst it is often perfectly acceptable to use public DNS recursors there are times when it may be more appropriate to use an internal DNS recursor instead.

The PowerDNS daemon does not provide a recursor by default, so first we need to install the package. Once the package has been installed we can start it manually, so that it is running now, and add it to the default run-level, so that it will be started automatically after boot. The three commands below will accomplish these tasks.

lisa emerge pdns-recursor
lisa /etc/init.d/precursor start
lisa rc-update add precursor default

Now that the PowerDNS recursor is running we can modify the configuration of the PowerDNS daemon so that it will direct recursive queries to the internal recursor, which by default listens on the local loopback address, instead of the public DNS recursor we used earlier. The relevant changes to this file are shown below; the earlier external recursor entry is commented out rather than left in place, since only the internal recursor should be used.

/etc/powerdns/pdns.conf
# Recursion settings
allow-recursion=10.0.0.0/8,192.168.0.0/16
# previous external recursor, no longer used:
# recursor=80.58.61.250
recursor=127.0.0.1
lazy-recursion=yes

With the configuration modifications complete, all that remains is to instruct the PowerDNS daemon to reload the configuration file and thus start using our internal recursor to answer recursive queries. As before, this can be done using the following command.

lisa /etc/init.d/pdns reload
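As an added example (not part of the original guide or of PowerDNS itself), a small Python checker that parses the key=value format of the pdns.conf fragments shown in both sections above and reports the recursion problems an operator would want to catch before reloading: an allow-recursion range outside private address space (which would turn the server into an open recursor), an allow-recursion setting with no recursor= line, or a stale duplicate recursor= line left behind when switching from the external to the internal recursor. The sample configuration is constructed to mirror the chapter's fragment.

```python
import ipaddress
from typing import Dict, List

# Constructed sample mirroring the chapter's pdns.conf fragment (not a real file).
SAMPLE_CONF = """\
# Recursion settings
allow-recursion=10.0.0.0/8,192.168.0.0/16
recursor=127.0.0.1
lazy-recursion=yes
"""

# Ranges it is reasonable to open recursion to: RFC 1918, loopback and IPv6 ULA.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                   "127.0.0.0/8", "::1/128", "fc00::/7")]


def parse_pdns_conf(text: str) -> Dict[str, List[str]]:
    """Parse pdns.conf key=value lines; '#' starts a comment. Repeated keys are
    kept in order so that duplicates can be reported instead of silently lost."""
    settings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings.setdefault(key, []).append(value)
    return settings


def recursion_findings(settings: Dict[str, List[str]]) -> List[str]:
    """Return readable problems with the recursion settings; an empty list is clean."""
    findings: List[str] = []
    recursors = settings.get("recursor", [])
    allowed = [ipaddress.ip_network(item.strip(), strict=False)
               for value in settings.get("allow-recursion", [])
               for item in value.split(",") if item.strip()]
    if allowed and not recursors:
        findings.append("allow-recursion is set but no recursor= line exists")
    if len(recursors) > 1:
        findings.append("more than one recursor= line (%s); remove the stale entry"
                        % ", ".join(recursors))
    for net in allowed:
        if not any(p.version == net.version and net.subnet_of(p) for p in PRIVATE_RANGES):
            findings.append("allow-recursion range %s is not private: open recursor" % net)
    return findings


if __name__ == "__main__":
    for line in recursion_findings(parse_pdns_conf(SAMPLE_CONF)) or ["no problems found"]:
        print(line)
```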