Ability to set dns forwarding in vrf
set service dns forwarding vrf <xxx>
There are some issues with powerdns in vrf context.
root@r11-roll:/home/vyos# sudo ip vrf exec foo /usr/sbin/pdns_recursor --daemon=no --write-pid=no --disable-syslog --log-timestamp=no --config-dir=/run/powerdns --socket-dir=/run/powerdns
Jan 17 14:57:56 Unable to open /run/powerdns/recursor.conf
Jan 17 14:57:56 Unable to parse configuration file '/run/powerdns/recursor.conf'
Jan 17 14:57:56 Asked to run with pdns-distributes-queries set but no distributor threads, raising to 1
PowerDNS Recursor 4.5.7 (C) 2001-2021 PowerDNS.COM BV
Using 64-bits mode. Built using gcc 10.2.1 20210110 on Nov 5 2021 07:36:06 by root@14d7e722ea9e.
PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
Enabling IPv4 transport for outgoing queries
NOT using IPv6 for outgoing queries - add an IPv6 address (like '::') to query-local-address to enable
Only allowing queries from: 127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10
Will not send queries to: 127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10, 0.0.0.0/8, 192.0.0.0/24, 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 240.0.0.0/4, ::/96, ::ffff:0:0/96, 100::/64, 2001:db8::/32, 0.0.0.0, ::
PowerDNS Recursor itself will distribute queries over threads
Inserting rfc 1918 private space zones
Listening for UDP queries on 127.0.0.1:53
Enabled TCP data-ready filter for (slight) DoS protection
Listening for TCP queries on 127.0.0.1:53
Raised soft limit on number of filedescriptors to 4121 to match max-mthreads and threads settings
Launching 1 distributor threads
Launching 2 worker threads
Done priming cache with root hints
Enabled 'epoll' multiplexer
Failed to update . records, RCODE=2
Failed to retrieve security status update for '4.5.7' on 'recursor-4.5.7.security-status.secpoll.powerdns.com': RCODE was Server Failure
Failed to update . records, RCODE=2
Failed to update . records, RCODE=2
Some details here https://github.com/PowerDNS/pdns/issues/8284
Works after adding the WAN interface to the VRF:
root@r11-roll:/run/powerdns# sudo ip vrf exec foo /usr/sbin/pdns_recursor --daemon=no --write-pid=no --disable-syslog --log-timestamp=no --config-dir=/run/powerdns --socket-dir=/run/powerdns
Jan 17 15:44:24 Only one thread, no need to distribute queries ourselves
PowerDNS Recursor 4.5.7 (C) 2001-2021 PowerDNS.COM BV
Using 64-bits mode. Built using gcc 10.2.1 20210110 on Nov 5 2021 07:36:06 by root@14d7e722ea9e.
PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
Enabling IPv4 transport for outgoing queries
Enabling IPv6 transport for outgoing queries
Only allowing queries from: 192.0.2.0/24
Will not send queries to: 127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10, 0.0.0.0/8, 192.0.0.0/24, 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 240.0.0.0/4, ::/96, ::ffff:0:0/96, 100::/64, 2001:db8::/32, 0.0.0.0, ::
Reading zone forwarding information from 'recursor.forward-zones.conf'
Done parsing 0 forwarding instructions from file 'recursor.forward-zones.conf'
Inserting forward zone 'localhost' based on hosts file
Inserting reverse zone '1.0.0.127.in-addr.arpa' based on hosts file
Inserting forward zone 'r11-roll.vyos.local' based on hosts file
Inserting forward zone 'r11-roll' based on hosts file
Inserting reverse zone '1.1.0.127.in-addr.arpa' based on hosts file
Inserting forward zone 'foo.local' based on hosts file
Inserting reverse zone '11.122.168.192.in-addr.arpa' based on hosts file
Inserting forward zone 'foo.vyos.local' based on hosts file
Will not overwrite zone '11.122.168.192.in-addr.arpa' already loaded
Inserting rfc 1918 private space zones
Aggressive NSEC/NSEC3 caching is enabled but DNSSEC validation is not set to 'validate', 'log-fail' or 'process', ignoring
Listening for UDP queries on 192.0.2.11:53
Enabled TCP data-ready filter for (slight) DoS protection
Listening for TCP queries on 192.0.2.11:53
Raised soft limit on number of filedescriptors to 2073 to match max-mthreads and threads settings
Operating unthreaded
Done priming cache with root hints
Enabled 'epoll' multiplexer
Refreshed . records
Polled security status of version 4.5.7, no known issues reported: OK
Doesn't work as user pdns:
root@r11-roll:/run/powerdns# sudo -u pdns ip vrf exec foo /usr/sbin/pdns_recursor --daemon=no --write-pid=no --disable-syslog --log-timestamp=no --config-dir=/run/powerdns --socket-dir=/run/powerdns
Failed to load BPF prog: 'Operation not permitted'
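The two failures above have a simple shape: with no upstream-facing interface enslaved to the VRF, the recursor starts but every outgoing query fails, so the root-hint refresh reports RCODE=2 (SERVFAIL); and `ip vrf exec` has to load a cgroup BPF program, which an unprivileged user such as pdns is not allowed to do. The script below is an added example (not VyOS or PowerDNS code) that encodes those two checks as a preflight before launching the recursor as root, leaving the privilege drop to the recursor's own `setuid=`/`setgid=` options in recursor.conf. It assumes VRF `foo`, WAN interface `eth0` and the config directory `/run/powerdns` from the task, and takes the `ip -o link` and `ip route show vrf foo` output as arguments so it can be exercised on constructed text without root or a real VRF.

```shell
#!/bin/sh
# Preflight for running pdns_recursor inside a Linux VRF.
# Added example, not VyOS or PowerDNS code. Assumed names: VRF "foo",
# WAN interface "eth0", config dir /run/powerdns. The `ip` output is
# passed in as text so the checks run without root or a VRF present.

# vrf_has_member LINKS VRF DEV -> 0 if DEV is enslaved to VRF in `ip -o link` output
vrf_has_member() {
    printf '%s\n' "$1" | grep -E "^[0-9]+: $3(@[^:]+)?: .* master $2 " >/dev/null
}

# vrf_has_default_route ROUTES -> 0 if `ip route show vrf VRF` output has a default route
vrf_has_default_route() {
    printf '%s\n' "$1" | grep -E '^default via ' >/dev/null
}

# recursor_cmd VRF CONFDIR -> command line to run as root. `ip vrf exec`
# needs to load a BPF program, so it cannot be run as the pdns user; put
# setuid=pdns / setgid=pdns in recursor.conf and let the recursor drop privileges.
recursor_cmd() {
    printf 'ip vrf exec %s /usr/sbin/pdns_recursor --daemon=no --write-pid=no --disable-syslog --log-timestamp=no --config-dir=%s --socket-dir=%s\n' "$1" "$2" "$2"
}

# preflight VRF DEV LINKS ROUTES -> 0 when both checks pass, 1 with a reason on stderr
preflight() {
    vrf=$1; dev=$2; links=$3; routes=$4
    if ! vrf_has_member "$links" "$vrf" "$dev"; then
        echo "$dev is not enslaved to VRF $vrf: outgoing queries would SERVFAIL (Failed to update . records, RCODE=2)" >&2
        return 1
    fi
    if ! vrf_has_default_route "$routes"; then
        echo "VRF $vrf has no default route: root hints cannot be refreshed" >&2
        return 1
    fi
    return 0
}

# Constructed sample `ip -o link` output (not captured from a real system).
# BAD: eth0 is still in the default VRF. GOOD: eth0 has "master foo".
SAMPLE_LINKS_BAD='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
3: foo: <NOARP,MASTER,UP,LOWER_UP> mtu 65575 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether 6a:4b:2c:3d:4e:5f brd ff:ff:ff:ff:ff:ff'
SAMPLE_LINKS_GOOD='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master foo state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
3: foo: <NOARP,MASTER,UP,LOWER_UP> mtu 65575 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether 6a:4b:2c:3d:4e:5f brd ff:ff:ff:ff:ff:ff'
# Constructed sample `ip route show vrf foo` output, with and without a default route.
SAMPLE_ROUTES_GOOD='default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.11'
SAMPLE_ROUTES_BAD='192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.11'

# Stand-alone run: on a live system replace the samples with
#   "$(ip -o link)" and "$(ip route show vrf foo)".
if preflight foo eth0 "$SAMPLE_LINKS_GOOD" "$SAMPLE_ROUTES_GOOD"; then
    echo "preflight ok, run as root: $(recursor_cmd foo /run/powerdns)"
fi
preflight foo eth0 "$SAMPLE_LINKS_BAD" "$SAMPLE_ROUTES_GOOD" || echo "preflight failed for the default-VRF layout, as expected"
```

The membership check keys on the `master <vrf>` token that `ip -o link` prints for an enslaved device, and the route check only looks for a default route in the VRF's own table; both are the minimum needed to reproduce the working case in the task (WAN interface in the VRF, upstream reachable from it). Note that one recursor instance still serves only the VRF it was started in; covering several VRFs would mean one instance per VRF, each with its own config and socket directory.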
What would be the use-case? We can start PDNS in one VRF context only.
If multiple VRFs are used on the router this won't work.