My pdns_recursor setup includes this:

forward-zones=net=127.0.0.1:5353;8.8.8.8

where my own DNS server listens at 127.0.0.1:5353 and acts as a filter on all DNS requests under the .net zone. When my DNS server thinks a request should be blocked, it returns the IP of a blocking page to pdns_recursor. If not, it returns NXDOMAIN to pdns_recursor.

My understanding of pdns_recursor is that it will continue to forward the DNS request to 8.8.8.8 in case it receives NXDOMAIN from my own DNS server. This way, unblocked requests would reach their destinations via Google DNS. However, the client always sees either the blocking page or the NXDOMAIN message from pdns_recursor!

What am I missing here?

Thanks a lot!
NXDOMAIN is a perfectly good answer to a DNS query, and there is no reason for PowerDNS to try another server when it has already received an answer. In fact, RFC 1034 says that a recursor should keep asking servers until it receives "a response". Assuming that PowerDNS follows the RFCs, any response from your filter thingy will be passed on to the user. So if you want the query passed on to the next server in the list, your filter thingy must not answer at all. In which case all your users will instead have to wait for a timeout on all non-blocked queries before they get passed on to Google, which will likely annoy them a lot.