Summary
Allow for specification of the dont-query parameter for PowerDNS.
Use case
When running a DNS server behind the VyOS PowerDNS forwarder, if the DNS server has delegated a subzone to another DNS server on the internal network, PowerDNS will refuse to query the internally delegated nameserver, as per the default dont-query parameter:
Default: 127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10, 0.0.0.0/8, 192.0.0.0/24, 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 240.0.0.0/4, ::/96, ::ffff:0:0/96, 100::/64, 2001:db8::/32
Note: When an NS record for a subzone is learned and the IP address for that nameserver is included in the IP ranges in dont-query, SERVFAIL is returned.
In short, if there are two DNS servers on a private subnet, such as 10.0.0.0/8, and one has delegated a part of a zone to the other, PowerDNS will refuse to query it unless the dont-query parameter is changed.
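The following added example (not VyOS or PowerDNS code) checks which default dont-query range blocks a delegated nameserver, then builds a replacement value that opens only that nameserver's address and keeps every other default range blocked. The function names and the nameserver address 10.20.0.53 are assumptions made for illustration.

```python
import ipaddress

# Default dont-query value as quoted in this ticket.
DEFAULT_DONT_QUERY = (
    "127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, "
    "172.16.0.0/12, ::1/128, fc00::/7, fe80::/10, 0.0.0.0/8, 192.0.0.0/24, "
    "192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 240.0.0.0/4, ::/96, "
    "::ffff:0:0/96, 100::/64, 2001:db8::/32"
)

def parse_ranges(value):
    """Split a comma-separated dont-query value into network objects."""
    return [ipaddress.ip_network(p.strip()) for p in value.split(",") if p.strip()]

def blocking_range(nameserver, ranges):
    """Return the first range that contains the nameserver IP, or None."""
    addr = ipaddress.ip_address(nameserver)
    for net in ranges:
        if addr.version == net.version and addr in net:
            return net
    return None

def carve_out(ranges, allowed):
    """Remove only the `allowed` subnet from the ranges; the rest stays blocked."""
    allowed = ipaddress.ip_network(allowed)
    result = []
    for net in ranges:
        if net.version == allowed.version and allowed.subnet_of(net):
            # Split the covering range into the pieces that exclude `allowed`.
            result.extend(sorted(net.address_exclude(allowed)))
        elif net.version == allowed.version and net.subnet_of(allowed):
            continue  # range lies entirely inside the allowed subnet
        else:
            result.append(net)
    return result

def format_value(ranges):
    """Render networks back into a comma-separated dont-query value."""
    return ", ".join(str(net) for net in ranges)

if __name__ == "__main__":
    ns = "10.20.0.53"  # constructed address of the internally delegated nameserver
    ranges = parse_ranges(DEFAULT_DONT_QUERY)
    print("blocked by:", blocking_range(ns, ranges))
    print("dont-query =", format_value(carve_out(ranges, ns + "/32")))
```

Carving out a single /32 keeps the forwarder from sending queries to any other private or reserved address that a delegation might point at.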
Additional information
Reference: https://doc.powerdns.com/recursor/settings.html?highlight=dont%20query#dont-query