Since dnsmasq was replaced with PowerDNS Recursor, recursive domain name resolution for explicitly configured forwarders for a particular domain does not function as expected.
That is, it doesn't behave how dnsmasq does.
Example:
With the following configuration, we see the expected recursive resolver behaviour:
VyOS gateway:
service {
    dns {
        forwarding {
            cache-size 1024
            name-server 2606:4700:4700::1111
            name-server 2606:4700:4700::1001
            name-server 1.1.1.1
            name-server 1.0.0.1
        }
    }
}
Host:
$ dig +short foo.com
23.23.86.44
$ dig +short www.foo.com
newdigiadmin-1201528726.us-east-1.elb.amazonaws.com.
54.165.87.12
52.73.176.251
But with explicit forwarders set for foo.com, only the origin and non-subdomain records can be resolved:
VyOS gateway:
service {
    dns {
        forwarding {
            cache-size 1024
            name-server 2606:4700:4700::1111
            name-server 2606:4700:4700::1001
            name-server 1.1.1.1
            name-server 1.0.0.1
            domain foo.com {
                server 172.23.1.25
                server 172.23.1.28
            }
        }
    }
}
Host:
$ dig +short foo.com
1.2.3.4
$ dig +short www.foo.com
foo.com.
$ dig +short www.subdomain.foo.com
$ dig +short some.host.subdomain.foo.com
$
The old behaviour in dnsmasq was to use the specified forwarder for all recursive requests associated with the domain.
For example:
Host:
$ dig +short foo.com
1.2.3.4
$ dig +short www.foo.com
foo.com.
$ dig +short www.subdomain.foo.com
1.2.3.4
$ dig +short some.host.subdomain.foo.com
3.4.5.6
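The forwarder selection described above, written out as an added example (not VyOS, dnsmasq or PowerDNS Recursor code): a label-wise suffix match that sends every name under a configured domain to that domain's servers, then flags the names from the failing dig output that fall under foo.com but returned nothing. The function names are hypothetical, and the most-specific-match rule for overlapping domains goes beyond the single domain configured in the report.

```python
# Added illustration; not VyOS, dnsmasq or PowerDNS Recursor code.
# Server addresses are taken from the configuration in the report.
DEFAULT_SERVERS = ["2606:4700:4700::1111", "2606:4700:4700::1001",
                   "1.1.1.1", "1.0.0.1"]
DOMAIN_SERVERS = {"foo.com": ["172.23.1.25", "172.23.1.28"]}


def labels(name):
    """Lower-case a name, drop the trailing dot, and split it into labels."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def select_forwarders(qname, domain_servers=DOMAIN_SERVERS,
                      default=DEFAULT_SERVERS):
    """Return (matched_domain, servers) for the most specific suffix match."""
    q = labels(qname)
    best = None
    for domain in domain_servers:
        d = labels(domain)
        # Compare whole labels so that "notfoo.com" does not match "foo.com".
        if len(d) <= len(q) and q[len(q) - len(d):] == d:
            if best is None or len(d) > len(labels(best)):
                best = domain
    if best is None:
        return None, default
    return best, domain_servers[best]


def unresolved_under_forwarded_domain(observations,
                                      domain_servers=DOMAIN_SERVERS):
    """List names under a configured domain that returned no answer."""
    return [name for name, answers in observations.items()
            if select_forwarders(name, domain_servers)[0] is not None
            and not answers]


# dig +short results from the report with the foo.com forwarders configured.
OBSERVED = {
    "foo.com": ["1.2.3.4"],
    "www.foo.com": ["foo.com."],
    "www.subdomain.foo.com": [],
    "some.host.subdomain.foo.com": [],
}

if __name__ == "__main__":
    for name in OBSERVED:
        print(name, "->", select_forwarders(name))
    print("unresolved:", unresolved_under_forwarded_domain(OBSERVED))
```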