
Ability to set dns forwarding in vrf
Closed, Wontfix | Public | FEATURE REQUEST

Description

Ability to set dns forwarding in vrf

set service dns forwarding vrf <xxx>

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Event Timeline

There are some issues with PowerDNS in VRF context.

root@r11-roll:/home/vyos# 
root@r11-roll:/home/vyos# sudo ip vrf exec foo /usr/sbin/pdns_recursor --daemon=no --write-pid=no --disable-syslog --log-timestamp=no --config-dir=/run/powerdns --socket-dir=/run/powerdns 
Jan 17 14:57:56 Unable to open /run/powerdns/recursor.conf
Jan 17 14:57:56 Unable to parse configuration file '/run/powerdns/recursor.conf'
Jan 17 14:57:56 Asked to run with pdns-distributes-queries set but no distributor threads, raising to 1
PowerDNS Recursor 4.5.7 (C) 2001-2021 PowerDNS.COM BV
Using 64-bits mode. Built using gcc 10.2.1 20210110 on Nov  5 2021 07:36:06 by root@14d7e722ea9e.
PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
Enabling IPv4 transport for outgoing queries
NOT using IPv6 for outgoing queries - add an IPv6 address (like '::') to query-local-address to enable
Only allowing queries from: 127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10
Will not send queries to: 127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10, 0.0.0.0/8, 192.0.0.0/24, 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 240.0.0.0/4, ::/96, ::ffff:0:0/96, 100::/64, 2001:db8::/32, 0.0.0.0, ::
PowerDNS Recursor itself will distribute queries over threads
Inserting rfc 1918 private space zones
Listening for UDP queries on 127.0.0.1:53
Enabled TCP data-ready filter for (slight) DoS protection
Listening for TCP queries on 127.0.0.1:53
Raised soft limit on number of filedescriptors to 4121 to match max-mthreads and threads settings
Launching 1 distributor threads
Launching 2 worker threads
Done priming cache with root hints
Enabled 'epoll' multiplexer
Failed to update . records, RCODE=2
Failed to retrieve security status update for '4.5.7' on 'recursor-4.5.7.security-status.secpoll.powerdns.com': RCODE was Server Failure
Failed to update . records, RCODE=2
Failed to update . records, RCODE=2

Some details here https://github.com/PowerDNS/pdns/issues/8284

Works after setting the WAN interface to the VRF:

root@r11-roll:/run/powerdns# sudo ip vrf exec foo /usr/sbin/pdns_recursor --daemon=no --write-pid=no --disable-syslog --log-timestamp=no --config-dir=/run/powerdns --socket-dir=/run/powerdns
Jan 17 15:44:24 Only one thread, no need to distribute queries ourselves
PowerDNS Recursor 4.5.7 (C) 2001-2021 PowerDNS.COM BV
Using 64-bits mode. Built using gcc 10.2.1 20210110 on Nov  5 2021 07:36:06 by root@14d7e722ea9e.
PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
Enabling IPv4 transport for outgoing queries
Enabling IPv6 transport for outgoing queries
Only allowing queries from: 192.0.2.0/24
Will not send queries to: 127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10, 0.0.0.0/8, 192.0.0.0/24, 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 240.0.0.0/4, ::/96, ::ffff:0:0/96, 100::/64, 2001:db8::/32, 0.0.0.0, ::
Reading zone forwarding information from 'recursor.forward-zones.conf'
Done parsing 0 forwarding instructions from file 'recursor.forward-zones.conf'
Inserting forward zone 'localhost' based on hosts file
Inserting reverse zone '1.0.0.127.in-addr.arpa' based on hosts file
Inserting forward zone 'r11-roll.vyos.local' based on hosts file
Inserting forward zone 'r11-roll' based on hosts file
Inserting reverse zone '1.1.0.127.in-addr.arpa' based on hosts file
Inserting forward zone 'foo.local' based on hosts file
Inserting reverse zone '11.122.168.192.in-addr.arpa' based on hosts file
Inserting forward zone 'foo.vyos.local' based on hosts file
Will not overwrite zone '11.122.168.192.in-addr.arpa' already loaded
Inserting rfc 1918 private space zones
Aggressive NSEC/NSEC3 caching is enabled but DNSSEC validation is not set to 'validate', 'log-fail' or 'process', ignoring
Listening for UDP queries on 192.0.2.11:53
Enabled TCP data-ready filter for (slight) DoS protection
Listening for TCP queries on 192.0.2.11:53
Raised soft limit on number of filedescriptors to 2073 to match max-mthreads and threads settings
Operating unthreaded
Done priming cache with root hints
Enabled 'epoll' multiplexer
Refreshed . records
Polled security status of version 4.5.7, no known issues reported: OK

Doesn't work from user pdns:

root@r11-roll:/run/powerdns# sudo -u pdns ip vrf exec foo /usr/sbin/pdns_recursor --daemon=no --write-pid=no --disable-syslog --log-timestamp=no --config-dir=/run/powerdns --socket-dir=/run/powerdns
Failed to load BPF prog: 'Operation not permitted'
root@r11-roll:/run/powerdns#
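The three runs above show three distinct startup outcomes: sockets bound but the root zone refresh fails with RCODE=2 (no upstream path out of the VRF), a fully working start, and an immediate BPF filter failure when launched as the unprivileged pdns user. The following readiness check is an added example, not VyOS or PowerDNS code; it assumes a pdns_recursor log captured with --disable-syslog --log-timestamp=no and classifies constructed excerpts modelled on the output in this task.

```python
import re

# Constructed excerpts modelled on the three runs shown in this task (not a capture
# from any real router): in-VRF run with no upstream, working run, unprivileged run.
FAILING_RUN = """\
Listening for UDP queries on 127.0.0.1:53
Listening for TCP queries on 127.0.0.1:53
Done priming cache with root hints
Failed to update . records, RCODE=2
Failed to retrieve security status update for '4.5.7': RCODE was Server Failure
"""
WORKING_RUN = """\
Listening for UDP queries on 192.0.2.11:53
Listening for TCP queries on 192.0.2.11:53
Done priming cache with root hints
Refreshed . records
Polled security status of version 4.5.7, no known issues reported: OK
"""
UNPRIVILEGED_RUN = "Failed to load BPF prog: 'Operation not permitted'\n"

LISTEN_RE = re.compile(r"Listening for (UDP|TCP) queries on (\S+)")

def assess_recursor_startup(log_text):
    """Turn a pdns_recursor startup log into a readiness verdict: sockets bound,
    root zone refreshed (needs working routing out of the VRF), secpoll result,
    and whether the BPF socket filter was refused for lack of privilege."""
    listeners, root_refreshed, root_failed = set(), False, False
    secpoll_ok = bpf_denied = False
    for line in log_text.splitlines():
        m = LISTEN_RE.search(line)
        if m:
            listeners.add((m.group(1), m.group(2)))
        if line.startswith("Refreshed . records"):
            root_refreshed = True
        if line.startswith("Failed to update . records"):
            root_failed = True  # RCODE=2: no path to the root servers from this VRF
        if "Polled security status" in line and line.endswith("OK"):
            secpoll_ok = True
        if line.startswith("Failed to load BPF prog"):
            bpf_denied = True
    if bpf_denied:
        verdict = "no-privilege"
    elif listeners and root_refreshed and not root_failed:
        verdict = "ready"
    elif listeners:
        verdict = "no-upstream"
    else:
        verdict = "not-started"
    return {"listeners": sorted(listeners), "root_refreshed": root_refreshed,
            "secpoll_ok": secpoll_ok, "bpf_denied": bpf_denied, "verdict": verdict}
```

A "no-upstream" verdict with sockets bound to 127.0.0.1 is the signature of the first run: the daemon is up inside the VRF but nothing it can reach leads to the root servers.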

What would be the use-case? We can start PDNS in one VRF context only.

If multiple VRFs are used on the router this won't work.

Viacheslav claimed this task.

It does not make sense to use it only in one VRF.