
August 11, 2015


PDNS Recursor: Forwarding DNS queries to local DNS Server

by Joe Kuan

I have set up two PDNS servers running on the same host: pdns_server (the authoritative server) and pdns_recursor (a recursive server).

Here are the configuration settings for both PDNS servers:








Basically, pdns_server listens on port 53 and first tries to answer each incoming query from its database. If no match is found, it forwards the query internally to pdns_recursor on a specific port, 5678. The recursor in turn can forward queries to multiple DNS servers, selected by zone. In this example it forwards queries to the local primary DNS server,, and then forwards to which is the secondary DNS server. If port 53 is reachable from outside the LAN, restrict which clients may trigger this forwarding with the allow-recursion setting in pdns.conf; otherwise the pair behaves as an open resolver.

We have set up a name entry,, in the local DNS server. Then we issue an nslookup command, expecting pdns_recursor to forward the query to and return the DNS answer. However, for some reason the reverse name lookup doesn't work at all. Here is the output of the command:

root@Joe:/usr/local/etc# nslookup

** server can't find NXDOMAIN

Here are the trace logs:

pdns[25422]: Remote wants '|PTR', do = 0, bufsize = 512: packetcache MISS
pdns_recursor[25514]: 0 [1] question for '|PTR' from
pdns_recursor[25514]: [1] Looking for CNAME cache hit of '|CNAME'
pdns_recursor[25514]: [1] No CNAME cache hit of '|CNAME' found
pdns_recursor[25514]: [1] No cache hit for '|PTR', trying to find an appropriate NS record
pdns_recursor[25514]: [1] Cache consultations done, have 1 NS to contact
pdns_recursor[25514]: [1] Nameservers: (0ms)
pdns_recursor[25514]: [1] Domain is out-of-band
pdns_recursor[25514]: [1] checking auth storage for '|PTR'
pdns_recursor[25514]: [1] auth storage has data, zone=''
pdns_recursor[25514]: [1] nothing found so far in '', trying wildcards
pdns_recursor[25514]: [1] trying '*' in
pdns_recursor[25514]: [1] trying '*' in
pdns_recursor[25514]: [1] trying '*' in
pdns_recursor[25514]: [1] no NS match in zone '' either, handing out SOA
pdns_recursor[25514]: [1] accept answer '|SOA|localhost. root. 1 604800 86400 2419200 604800' from '' nameservers? YES!
pdns_recursor[25514]: [1] determining status after receiving this packet
pdns_recursor[25514]: [1] got negative caching indication for RECORD '' (accept=1)
pdns_recursor[25514]: [1] status=NXDOMAIN, we are done (have negative SOA)
pdns_recursor[25514]: [1] failed (res=3)
pdns_recursor[25514]: 0 [1] answer to question '|PTR': 0 answers, 0 additional, took 0 packets, 0 throttled, 0 timeouts, 0 tcp connections, rcode=3

As the log messages show, pdns_recursor is not forwarding the query to any DNS server at all: it finds the domain in its own auth storage ("Domain is out-of-band"), finds no matching record or wildcard there, and hands out the zone's SOA as a negative answer (rcode=3, NXDOMAIN). However, if we query the local DNS server directly, the resolved name is returned as expected, which indicates that the PTR entry on is correct.

root@Joe:/usr/local/etc# nslookup
Address:	name = fred.

Interestingly, a normal (forward) name lookup through the recursor also works; only the reverse lookup fails. This puzzled me until I added the serve-rfc1918 setting to recursor.conf. RFC 1918 defines the private address ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, and the address being looked up is part of one of them. Since serve-rfc1918 defaults to on, the recursor serves the reverse (in-addr.arpa) zones for those ranges itself, which is exactly what the "Domain is out-of-band" and "auth storage has data" lines in the trace mean. Any PTR query for a private address therefore matches that built-in zone, which contains only an SOA, and the recursor answers NXDOMAIN instead of sending the query to another server.

We turn off the serve-rfc1918 setting in recursor.conf and restart the recursor:


The nslookup reverse lookup command works fine with the new setting:

root@Joe:/usr/local/etc# nslookup

Non-authoritative answer:	name = fred.

Authoritative answers can be found from:

Note that changing serve-rfc1918 is only necessary if you need the recursor (to support multiple upstream DNS servers) to reach a local DNS server for reverse lookups of private addresses. Be aware that turning it off for the whole recursor means PTR queries for every RFC 1918 range are now sent out, so make sure your forward-zones cover them; the less disruptive option is to leave serve-rfc1918 on and forward just the reverse zone you need (for example 1.168.192.in-addr.arpa) with a forward-zones entry, since the PowerDNS documentation notes that individual parts of the built-in zones can still be loaded or forwarded. If you only need to forward queries to a single DNS server, run the PDNS authoritative server without the recursor and point the recursor line in pdns.conf at that server.
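To make the behaviour above concrete, here is an added example (my own illustration, not code from this post or from PowerDNS) that models the longest-match zone selection the trace shows: the recursor's built-in RFC 1918 reverse zones, enabled by serve-rfc1918, compete with forward-zones entries, and the most specific matching zone decides whether a query is answered locally (NXDOMAIN) or forwarded. It assumes a local DNS server at 192.168.1.1, a host at 192.168.1.50, a forward-zones entry for "." pointing at that server, and the alternative of forwarding only 1.168.192.in-addr.arpa; all of these addresses and zone names are constructed for the example. The tie-break in favour of an explicit forward-zone is a modelling choice, which is why the example forwards a more specific zone than the built-in one rather than relying on it.

```python
"""Added illustration (not PowerDNS code): a model of the longest-match
zone selection that pdns_recursor's trace log shows, so the effect of
serve-rfc1918 and forward-zones on a PTR query can be checked without a
running recursor. All addresses and zone names are constructed."""
import ipaddress

# Reverse zones that pdns_recursor serves locally when serve-rfc1918 is on.
# They hold only an SOA, so any PTR inside them is answered with NXDOMAIN.
RFC1918_REVERSE_ZONES = ["10.in-addr.arpa", "168.192.in-addr.arpa"] + [
    "%d.172.in-addr.arpa" % n for n in range(16, 32)
]


def ptr_name(ip):
    """in-addr.arpa name for an IPv4 address:
    192.168.1.50 -> 50.1.168.192.in-addr.arpa"""
    return ipaddress.IPv4Address(ip).reverse_pointer


def _labels(name):
    return name.rstrip(".").lower().split(".")


def _depth(zone):
    # number of labels; the root zone "." has none
    return 0 if zone == "." else len(_labels(zone))


def _in_zone(zone, qname):
    if zone == ".":
        return True
    z, q = _labels(zone), _labels(qname)
    return q[-len(z):] == z


def resolve_zone(qname, forward_zones, serve_rfc1918=True):
    """Decide who answers qname.

    forward_zones maps a zone to the upstream it is forwarded to, like the
    recursor's forward-zones setting ("." forwards everything). The deepest
    matching zone wins, whichever list it comes from; on equal depth this
    model lets the explicit forward-zone win (a modelling choice).

    Returns ("local", zone, None), ("forward", zone, upstream) or
    ("recurse", ".", None) when nothing matched and ordinary recursion from
    the root hints would follow.
    """
    candidates = []
    for zone, upstream in forward_zones.items():
        if _in_zone(zone, qname):
            candidates.append((_depth(zone), "forward", zone, upstream))
    if serve_rfc1918:
        for zone in RFC1918_REVERSE_ZONES:
            if _in_zone(zone, qname):
                candidates.append((_depth(zone), "local", zone, None))
    if not candidates:
        return ("recurse", ".", None)
    depth, kind, zone, upstream = max(
        candidates, key=lambda c: (c[0], c[1] == "forward")
    )
    return (kind, zone, upstream)


def demo():
    """The configurations discussed in the post, on a constructed host
    192.168.1.50 with the local DNS server at 192.168.1.1 (assumed)."""
    q = ptr_name("192.168.1.50")
    everything_local = {".": "192.168.1.1"}  # assumed forward-zones entry for "."
    return {
        # default recursor.conf: the built-in 168.192.in-addr.arpa zone is
        # deeper than "." so the query never leaves the recursor -> NXDOMAIN
        "default": resolve_zone(q, everything_local, serve_rfc1918=True),
        # serve-rfc1918=no: the only match left is "." -> forwarded
        "rfc1918_off": resolve_zone(q, everything_local, serve_rfc1918=False),
        # serve-rfc1918 left on, but the one /24 we need is forwarded
        # explicitly; it is deeper than the built-in zone, so it wins
        "specific_forward": resolve_zone(
            q, {**everything_local, "1.168.192.in-addr.arpa": "192.168.1.1"}, True
        ),
        # a normal forward lookup was never affected by serve-rfc1918
        "forward_lookup": resolve_zone("fred.home.lan", everything_local, True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-17s %s" % (name, result))
```

Running the block prints one line per scenario; the "default" case reproduces the NXDOMAIN from the trace, and the other two show the two ways out: disabling serve-rfc1918 globally, or forwarding only the private reverse zone you actually use.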

3 Comments
  1. cssnetworks
    Jul 4 2017

    I think this configuration isn't possible any more. recursor= is gone in pdns 4. It doesn't work for me anyway; every query is refused except those for which the authoritative server has zones.

    I think it needs to be configured the other way around, with the recursor listening on port 53 and then passing to the authoritative server on a non-standard port like 5353.



    in pdns-recursor.conf

    and local-port=5353 in pdns.conf

    It's what I'm about to try anyway.

    Thanks for the tip on the "dot" zone. That didn't occur to me, but it should give me what I need. I'm simply trying to create a recursor that I can put dummy zones into with a friendly GUI, to block things like This is easy on a Windows DNS server :)

  2. cssnetworks
    Jul 4 2017

    Actually, the above didn't quite work. It had to be:

    • Joe Kuan
      Jul 4 2017

      Sorry, I haven't played with PDNS for years, but thanks for the update. I'm sure I'll need it in the future.

