Score:0

PowerDNS zone forwarding


I have inherited a 4.0.6 powerdns deployment that is used to serve a private zone in a lab environment. I am in the process of migrating this environment to AWS and need powerdns to forward aws.internal.lan to a set of Route53 inbound resolvers. It seems that I should be able to do this by using "forward-zones-recurse" in the recursor, but I can't seem to get this to work with the current setup.

pdns.conf:

daemon=no
max-tcp-connections=1000
guardian=no
setuid=pdns
setgid=pdns
launch=gpgsql
allow-recursion=127.0.0.0/8, 10.0.0.0/8
recursor=127.0.0.1:5353
local-address=0.0.0.0
local-port=53
master=no
slave=yes
slave-cycle-interval=60
gpgsql-host=127.0.0.1
gpgsql-dbname=pdns
gpgsql-user=redacted
gpgsql-password=redacted
api-key=redacted
webserver=yes
webserver-address=0.0.0.0
webserver-port=8081

recursor.conf:

setuid=pdns-recursor
setgid=pdns-recursor
allow-from=127.0.0.0/8
local-address=127.0.0.1
local-port=5353
forward-zones-recurse=aws.internal.lan=10.162.67.202;10.162.73.199

The issue is that pdns does not forward the zone to the Route53 resolvers. I can confirm that if I do a dig @127.0.0.1 -p 5353 aws.internal.lan that the recursor returns the correct record, but I can only query the recursor from the local ns server. Shouldn't the authoritative server listening on port 53 forward that request to the recursor listening on port 5353?

It seems like this should just work, but perhaps I am missing something. I'm using an older version of pdns as you can see from my config, and I can't seem to find any documentation on this older version. Any idea what I'm doing wrong here?

Score:0

You're misunderstanding how things work.

The resolver does not forward requests on to the recursor, or indeed to anywhere. The recursor, on the other hand, should be configured to forward requests for the zones managed by the resolver on to that.

Client queries should always come in to the recursor, which will then forward local zones to the resolver and resolve the others appropriately. The 'recursor' setting has no function on the resolver.

On the resolver, you need settings like

forward-zones=ponyville.eq.=127.0.0.1:5353

to forward requests to the resolver (which is on port 5353, and the recursor on port 53)

There is an additional issue in that, if you have secondary servers, the resolver attempts to send out NOTIFY packets based on the NS records. If your resolver is on port 5353 then these notify packets come in to the recursor, and you need some special configuration (too complex to put here) to forward these on to the resolver. We got around this by having 2 IP addresses on the host and having the resolver on one and the recursor on the other, so no need to have different ports on the same hostname.

So, in summary,

  • pdns will not forward requests anywhere
  • pdns-recursor will forward your route53 requests with your setting
  • pdns-recursor should be configured to forward your local zones to the resolver
  • All client requests should come in to the resolver
  • You will need much extra magic to handle NOTIFY packets if you want this
Score:0

I have a similar question. Recursor on port 53, pdns resolver on port 54. All local clients use the recursor on port 53 and all local domains are forwarded to the resolver via forward-zones=mydomain=127.0.0.1:54. But: only local clients should be allowed to use the recursor, we don't want to set up a recursor for the whole world. So, how do I set up a restricted recursor (via allow-from=?) and on the other hand give public access to our resolver?

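The layout the answer describes (recursor in front of the clients, authoritative server behind it, each on its own address so NOTIFY arrives on port 53), written out as an added example that also covers the restricted-recursor / public-authoritative split asked about in the comment above. These are not the configs posted in the question and not sample configs from the PowerDNS project. Assumptions not taken from the page: the host has two addresses, 10.0.0.53 for the lab-facing recursor and 192.0.2.53 (a documentation-range placeholder) for the public authoritative server; the private zone is named internal.lan; the Route53 inbound endpoint addresses are the ones from the question.

```ini
# ---- recursor.conf  (added example; assumes 10.0.0.53 is the lab-facing address)
setuid=pdns-recursor
setgid=pdns-recursor
# listen on the internal address only, standard port, so clients need no -p
local-address=10.0.0.53
local-port=53
# only loopback and the lab networks may recurse through this host;
# anything else is refused, so this is not an open resolver
allow-from=127.0.0.0/8, 10.0.0.0/8
# private zone: hand it to the authoritative server (queries sent with RD cleared)
forward-zones=internal.lan=192.0.2.53:53
# AWS sub-zone: recurse via the Route53 inbound endpoints (queries sent with RD set);
# the most specific forward entry wins, so aws.internal.lan never reaches the auth server
forward-zones-recurse=aws.internal.lan=10.162.67.202;10.162.73.199

# ---- pdns.conf  (added example; assumes 192.0.2.53 is the public address)
setuid=pdns
setgid=pdns
launch=gpgsql
gpgsql-host=127.0.0.1
gpgsql-dbname=pdns
gpgsql-user=redacted
gpgsql-password=redacted
# authoritative server on its own address and port 53, so NOTIFY from the
# primaries and queries from the outside world arrive here directly
local-address=192.0.2.53
local-port=53
master=no
slave=yes
slave-cycle-interval=60
# no recursion on this side at all: the 'recursor=' and 'allow-recursion='
# lines from the posted pdns.conf are deliberately left out
# keep the API/webserver off the public interface
webserver=yes
webserver-address=127.0.0.1
webserver-port=8081
api-key=redacted
```

From a 10/8 client, `dig @10.0.0.53 host.aws.internal.lan` is answered by the recursor after it forwards to the Route53 endpoints, `dig @10.0.0.53 host.internal.lan` is answered from the authoritative server via the forward-zones entry, and a query for either name sent to 192.0.2.53 from outside is answered authoritatively or not at all, never recursed. A client outside 10.0.0.0/8 querying 10.0.0.53 is refused by allow-from, which is the restriction the comment asks for.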