
Hosting backend does not support editing records. In which of the three services and which option do i use to fix this? #137

Open
SpiderUnderUrBed opened this issue May 17, 2024 · 20 comments

Comments

@SpiderUnderUrBed

In which of the three services and which option do I use to fix this? I am trying to use pebble as a local CA and I need to set it up with DNS, as in it asks the DNS for the zone before it registers it under my local CA.

The reason why I made the issue here is because allow-dnsupdate and allow-dnsupdate-from are options to configure editing records, right? Well, under every single service I tried adding those options and they crashed. Can someone please try and see if it's reproducible?

```
spiderunderurbed@raspberrypi:~ $ lego --dns pdns --email <HIDDEN>@proton.me --domains spidershomelab.net --server https://localhost:14000/dir --accept-tos run
2024/05/17 14:27:01 [INFO] [spidershomelab.net] acme: Obtaining bundled SAN certificate
2024/05/17 14:27:01 [INFO] [spidershomelab.net] AuthURL: https://localhost:14000/authZ/RYusSun6pHPIQBpTB2BlxBhhk5m2M5Ymgy6JawCCUCg
2024/05/17 14:27:01 [INFO] [spidershomelab.net] acme: Could not find solver for: tls-alpn-01
2024/05/17 14:27:01 [INFO] [spidershomelab.net] acme: Could not find solver for: http-01
2024/05/17 14:27:01 [INFO] [spidershomelab.net] acme: use dns-01 solver
2024/05/17 14:27:01 [INFO] [spidershomelab.net] acme: Preparing to solve DNS-01
2024/05/17 14:27:01 [INFO] [spidershomelab.net] acme: Cleaning DNS-01 challenge
2024/05/17 14:27:01 [WARN] [spidershomelab.net] acme: cleaning up failed: pdns: no existing record found for _acme-challenge.spidershomelab.net.
2024/05/17 14:27:01 [INFO] Deactivating auth: https://localhost:14000/authZ/RYusSun6pHPIQBpTB2BlxBhhk5m2M5Ymgy6JawCCUCg
2024/05/17 14:27:01 Could not obtain certificates: error: one or more domains had a problem: [spidershomelab.net] [spidershomelab.net] acme: error presenting token: pdns: error talking to PDNS API: Hosting backend does not support editing records.
```
Here is my docker compose:
https://pastebin.com/dTiAknUJ

If there is any extra info needed, please ask.

@pschiffe
Owner

Hello @SpiderUnderUrBed. I don't have much experience with pebble, not sure how to use it. To your question, I think you only need either pdns-mysql or pdns-pgsql depending on the DB. These are authoritative servers with API, and can respond only to DNS questions about the zones they host - the zones they are authoritative for.

pdns-recursor is only a recursive DNS resolver that can answer DNS questions about any zone (depends on configuration), but it cannot host any zone; it's not an authoritative DNS server.

Looking at your compose file, first try to put pebble and pdns (image: pschiffe/pdns-mysql) into the same docker network, and try to make it work like that. Only after that I would try to separate the networks or add a pdns recursor.

Other than that, the configuration for pdns looks okay-ish.

@SpiderUnderUrBed
Author

Thank you for your quick response. Currently I am trying out manually adding the zone acme-challenge.spidershomelab.net, but that might not work as I don't have anything to respond to the challenge.

Strictly related to PowerDNS, we can forget about what I'm trying to do. The point is, a challenge to issue a cert over your domain just won't work if PowerDNS is my authoritative nameserver for my domain, unless I can figure out a way to let services edit my records, so currently I am trying to find a setting that does that. I have tried adding pebble and my PowerDNS backend to the same network as you said, but this doesn't solve the issue. This issue has been mentioned before here:
PowerDNS-Admin/PowerDNS-Admin#883
It could have something to do with the read-only nature of PowerDNS (if PowerDNS is read-only in any way, or if it's some weird docker quirk), but I don't know how exactly that problem arises and how to get around it. I assumed that when I gave it my API key it could just create records; I mean, I can create records from the PowerDNS admin UI, and it uses pdns-mysql as the backend/API, so why can't lego? I was wondering if this falls under the domain of this project or if I should take it up with the developers of PowerDNS or lego, unless you know of a setting that will make records changeable.
I suspected allow-dnsupdate and allow-dnsupdate-from would work, and although I no longer get an error with it, it does not solve my original issue.

@pschiffe
Owner

Pdns server has an API where you can edit records, in general it works (for example, the powerdns web admin is also using the API). You can try to test it with curl, more info: https://doc.powerdns.com/authoritative/http-api/

I noticed that you are also using the bind backend in your docker compose file - PDNS_bind-config=/bind.conf; could it be that the pdns server doesn't know how to edit this file, or it doesn't have write permissions to the file or something?

Aha - yeah, you cannot update records from the bind backend:
https://doc.powerdns.com/authoritative/backends/
https://doc.powerdns.com/authoritative/dnsupdate.html

@SpiderUnderUrBed
Author

Ah. I wondered if it had anything to do with bind, and I thought that if it couldn't edit bind, it would edit the SQL backend, since I have them both on the same authoritative nameserver. I guess I'll need to try and get my resolver to use two authoritative nameservers? This might not be ideal however, as for my admin UI I can only use one as the backend. Any suggestions? I would like to keep both my BIND and SQL backends.

@pschiffe
Owner

Well, I think you can still have both backends in the single pdns server. Just the zones you want to edit via API must be present in the sql backend. I mean the whole zone must be present in the sql backend, and you will have to move it there beforehand manually.

If you want to edit records of all (or most) zones which you have currently in the bind file - that could be doable with 2 authoritative servers and a recursor, but you would have to configure the delegation correctly with NS records in the bind zones. That could get really messy.

Rather than that, I would maybe suggest a script such as https://doc.powerdns.com/authoritative/manpages/zone2sql.1.html and automate the conversion of the bind file to SQL.
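What the two-backend layout described above looks like as a plain pdns.conf, as an added example (not the project's shipped configuration; the pschiffe/pdns-mysql image sets the same options through PDNS_<setting> environment variables, as the compose file's PDNS_bind-config shows). The DB hostname, network range and the zone file path are assumptions; passwords and keys are placeholders.

```ini
# One authoritative server, two backends, consulted in the order listed.
launch=bind,gmysql

# Read-only backend: zones served from this file answer queries, but the
# HTTP API cannot change them. An ACME client that tries to add an
# _acme-challenge TXT record to a zone living here gets
# "Hosting backend does not support editing records".
bind-config=/bind.conf

# Writable backend: every zone the ACME client must edit has to live here as
# a whole zone, not just the one record.
# hostname of the DB container (assumption)
gmysql-host=mysql
gmysql-user=pdns
# placeholder
gmysql-password=CHANGE_ME
gmysql-dbname=pdns

# HTTP API used by lego's pdns provider (PDNS_API_URL / PDNS_API_KEY) and by
# PowerDNS-Admin.
api=yes
# placeholder
api-key=CHANGE_ME
webserver=yes
webserver-address=0.0.0.0
# docker network of the containers that call the API (assumption)
webserver-allow-from=172.31.53.0/24

# One-time move of a zone out of the bind file into MySQL, run where the DB is
# reachable; afterwards remove the zone from /bind.conf so only the SQL copy
# answers for it (zone file path is an assumption):
#   zone2sql --zone=/zones/spidershomelab.net.zone --zone-name=spidershomelab.net --gmysql | mysql -u pdns -p pdns
```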

@SpiderUnderUrBed
Author

SpiderUnderUrBed commented May 22, 2024

I will close this issue soon. I am aware that this isn't strictly related to the docker port of PowerDNS (or is unlikely to be), but I have one more issue, which possibly is related to the project.


Command:
```
lego --dns pdns --email SpiderUnderUrBed@proton.me --domains spidershomelab.net --server https://localhost:14000/dir --accept-tos run
```
Error:
```
2024/05/22 19:15:26 [INFO] [spidershomelab.net] acme: Waiting for DNS record propagation.
2024/05/22 19:15:28 [INFO] [spidershomelab.net] acme: Cleaning DNS-01 challenge
2024/05/22 19:15:28 [INFO] Deactivating auth: https://localhost:14000/authZ/-unszpQ3heXcBWajI9XIfMaC8uf7PtD_Kis2tslB7YE
2024/05/22 19:15:28 Could not obtain certificates: error: one or more domains had a problem: [spidershomelab.net] time limit exceeded: last error: NS ns1.spidershomelab.net. returned NXDOMAIN for _acme-challenge.spidershomelab.net.
root@raspberrypi:~#
```

So, as you can see, lego or certbot can create the _acme-challenge subdomain for my domain spidershomelab.net, but it cannot read from it or dig it. The error I just posted was my attempt at the DNS-01 challenge, but I get a similar result when doing the HTTP-01 challenge.
As seen here:
```
root@raspberrypi:~# lego --dns pdns --email SpiderUnderUrBed@proton.me --domains spidershomelab.net --server https://localhost:14000/dir --accept-tos --http --http.port=:8082 run
2024/05/22 16:31:01 [INFO] [spidershomelab.net] acme: Obtaining bundled SAN certificate
2024/05/22 16:31:01 [INFO] [spidershomelab.net] AuthURL: https://localhost:14000/authZ/kjijkZlg6XxiAm6Oq5k7L8TBAJDwUCIrUeqPjP9J_h8
2024/05/22 16:31:01 [INFO] [spidershomelab.net] acme: Could not find solver for: tls-alpn-01
2024/05/22 16:31:01 [INFO] [spidershomelab.net] acme: use http-01 solver
2024/05/22 16:31:01 [INFO] [spidershomelab.net] acme: Trying to solve HTTP-01
2024/05/22 16:31:06 [INFO] Deactivating auth: https://localhost:14000/authZ/kjijkZlg6XxiAm6Oq5k7L8TBAJDwUCIrUeqPjP9J_h8
2024/05/22 16:31:06 Could not obtain certificates: error: one or more domains had a problem: [spidershomelab.net] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: The key authorization file from the server did not match this challenge "rIxoWF0ktRxmuWK1ApFiCrHvVfLWF-KM6zkaADRE6rs.IqV2mTnUX2OA1GgkBmfsWa01TZm3OIOJhnByjNf4S1E" != ""
root@raspberrypi:~#
```

I have posted an issue on this at the Let's Encrypt forums, but it's unusual that it can create a TXT record and I can't use something like dig to see the record, and it returns NXDOMAIN. I think it might have something to do with PowerDNS because of this weird way of functioning. Correct me if I'm wrong.

@pschiffe
Owner

It may be related to the DNS resolver your system is using. Does it know about your authoritative server? You can create the record, because it's using the PDNS API, but to be able to dig it, the DNS resolver of the system must be aware of your master DNS. When you run these two commands from the same bash you run the lego commands in, what do you see?

$ dig _acme-challenge.spidershomelab.net txt
...
$ dig _acme-challenge.spidershomelab.net txt @192.168.68.77

@SpiderUnderUrBed
Author

SpiderUnderUrBed commented May 22, 2024

Well, when the challenge isn't running, both commands return NXDOMAIN. I opened another terminal, then SSHed into my Raspberry Pi to run those commands while the challenge was ongoing, and I got this:


; <<>> DiG 9.18.24-1-Debian <<>> _acme-challenge.spidershomelab.net txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6412
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.spidershomelab.net. IN TXT

;; AUTHORITY SECTION:
spidershomelab.net.     1396    IN      SOA     a.misconfigured.dns.server.invalid. hostmaster.spidershomelab.net. 2024052230 10800 3600 604800 3600

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed May 22 23:19:28 NZST 2024
;; MSG SIZE  rcvd: 144

spiderunderurbed@raspberrypi:~ $  dig _acme-challenge.spidershomelab.net txt @192.168.68.77

; <<>> DiG 9.18.24-1-Debian <<>> _acme-challenge.spidershomelab.net txt @192.168.68.77
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 39628
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.spidershomelab.net. IN TXT

;; AUTHORITY SECTION:
spidershomelab.net.     1388    IN      SOA     a.misconfigured.dns.server.invalid. hostmaster.spidershomelab.net. 2024052230 10800 3600 604800 3600

;; Query time: 3 msec
;; SERVER: 192.168.68.77#53(192.168.68.77) (UDP)
;; WHEN: Wed May 22 23:19:36 NZST 2024
;; MSG SIZE  rcvd: 144

spiderunderurbed@raspberrypi:~ $ 

I was up to this point in the command execution:
https://pastebin.com/hHniV6Wc
But it should have made the subdomain before the first "Waiting for DNS record propagation" message.
Here is probably the important bit:

spiderunderurbed@raspberrypi:~ $ dig _acme-challenge.spidershomelab.net txt @172.31.53.6 -p 53

; <<>> DiG 9.18.24-1-Debian <<>> _acme-challenge.spidershomelab.net txt @172.31.53.6 -p 53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56815
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_acme-challenge.spidershomelab.net. IN TXT

;; ANSWER SECTION:
_acme-challenge.spidershomelab.net. 120 IN TXT  "Ahco7BkVQqhgbtVVD4um-OXo7PPaXQmZvwlQnlEgv14"
_acme-challenge.spidershomelab.net. 120 IN TXT  "XgvsNHD8avyJf2hatuars6ZFv-dXLr4EfhnkC6WcCug"

;; Query time: 3 msec
;; SERVER: 172.31.53.6#53(172.31.53.6) (UDP)
;; WHEN: Wed May 22 23:25:13 NZST 2024
;; MSG SIZE  rcvd: 175

spiderunderurbed@raspberrypi:~ $ 

172.31.53.6 is the IP I gave to my backend (pdns-mysql), so for some reason my recursor must not be forwarding to my backend? Like you said, it isn't aware of my authoritative server. Or something like that. I could specify the port of my DNS server with lego (maybe the IP, I haven't looked into that) with rfc2136.ini maybe, if PowerDNS could work with that. But I'll wait to see what you can suggest, as it might be simpler than what I had in mind with rfc2136.

@pschiffe
Owner

OK, I see. The 172.31.53.6 IP is the IP of the docker container, I believe. It's good to know that works. Maybe you could use that directly? I see lego has the option --dns.resolvers 172.31.53.6:53

If that won't work, you may have to configure your local resolver to support the master DNS. What's in your /etc/resolv.conf?
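The two dig checks from the previous comments, done side by side in one script, as an added example (not code from this project or from lego): it queries the TXT record against the system resolver and against the authoritative container, and reports rcode, the AA flag and the TXT values, so a NOERROR answer with AA set from 172.31.53.6 next to NXDOMAIN from 127.0.0.1 points at the resolver rather than at the PDNS API. Only the standard library is used; the name and the two IPs are taken from this thread and are assumptions for any other setup.

```python
"""Compare where an _acme-challenge TXT record is visible (added example)."""
import secrets
import socket
import struct

QTYPE_TXT = 16
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qtype=QTYPE_TXT, qid=None):
    """Build a single-question DNS query with RD (recursion desired) set."""
    qid = secrets.randbits(16) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = [lab.encode("ascii") for lab in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def skip_name(buf, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # two-byte compression pointer
            return off + 2
        off += 1 + length


def parse_response(buf):
    """Extract id, rcode, AA flag and the TXT strings of the answer section."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", buf[:12])
    info = {"id": qid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "aa": bool(flags & 0x0400), "txt": []}
    off = 12
    for _ in range(qdcount):
        off = skip_name(buf, off) + 4          # skip qtype + qclass
    for _ in range(ancount):
        off = skip_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata, off = buf[off:off + rdlen], off + rdlen
        if rtype == QTYPE_TXT:
            # TXT rdata is a sequence of <len><chars> strings; join them.
            pos, parts = 0, []
            while pos < len(rdata):
                n = rdata[pos]
                parts.append(rdata[pos + 1:pos + 1 + n].decode("ascii", "replace"))
                pos += 1 + n
            info["txt"].append("".join(parts))
    return info


def query(name, server, port=53, timeout=3.0):
    """Send one UDP query to `server` and return the parsed response."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(q, (server, port))
        data, _ = sock.recvfrom(4096)
    resp = parse_response(data)
    if resp["id"] != struct.unpack("!H", q[:2])[0]:
        raise ValueError("response id does not match query id")
    return resp


def diagnose(results):
    """results maps 'resolver' / 'authoritative' to parsed responses."""
    auth, res = results.get("authoritative"), results.get("resolver")
    if auth and auth["aa"] and auth["rcode"] == "NOERROR" and auth["txt"]:
        if res and res["rcode"] == "NXDOMAIN":
            return ("record published; resolver is not forwarding the zone to "
                    "the authoritative server")
        if res and res["txt"] == auth["txt"]:
            return "record visible on both paths"
        return "record published; resolver answer differs from authoritative"
    return "record not visible on the authoritative server; check API/backend"


if __name__ == "__main__":
    # Name and addresses from the thread; assumptions for any other setup.
    NAME = "_acme-challenge.spidershomelab.net"
    TARGETS = {"resolver": "127.0.0.1", "authoritative": "172.31.53.6"}
    results = {}
    for label, ip in TARGETS.items():
        try:
            results[label] = query(NAME, ip)
        except (OSError, ValueError) as exc:   # timeout, unreachable, bad id
            results[label] = {"rcode": f"error: {exc}", "aa": False, "txt": []}
        print(f"{label:14s} {results[label]}")
    print(diagnose(results))
```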

@SpiderUnderUrBed
Author

SpiderUnderUrBed commented May 22, 2024

So, I am pretty sure that even if you do specify dns.resolvers to be a certain value, somewhere down the line it will check with ns1. for some information. Over the last hour I have been testing changing the data of ns1.spidershomelab.net to get it to resolve to different things:
```
spiderunderurbed@raspberrypi:~ $ lego --dns pdns --email SpiderUnderUrBed@proton.me --domains spidershomelab.net --server https://localhost:14000/dir --accept-tos run
2024/05/23 01:34:17 [INFO] [spidershomelab.net] acme: Obtaining bundled SAN certificate
2024/05/23 01:34:17 [INFO] [spidershomelab.net] AuthURL: https://localhost:14000/authZ/4f0iWNi7uUXyKRexs4h9npkiU8uFOqU9gG49yQslIr8
2024/05/23 01:34:17 [INFO] [spidershomelab.net] acme: Could not find solver for: tls-alpn-01
2024/05/23 01:34:17 [INFO] [spidershomelab.net] acme: Could not find solver for: http-01
2024/05/23 01:34:17 [INFO] [spidershomelab.net] acme: use dns-01 solver
2024/05/23 01:34:17 [INFO] [spidershomelab.net] acme: Preparing to solve DNS-01
2024/05/23 01:34:18 [INFO] [spidershomelab.net] acme: Trying to solve DNS-01
2024/05/23 01:34:18 [INFO] [spidershomelab.net] acme: Checking DNS record propagation using [127.0.0.1:53]
2024/05/23 01:34:20 [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]
2024/05/23 01:34:20 [INFO] [spidershomelab.net] acme: Cleaning DNS-01 challenge
2024/05/23 01:34:20 [INFO] Deactivating auth: https://localhost:14000/authZ/4f0iWNi7uUXyKRexs4h9npkiU8uFOqU9gG49yQslIr8
2024/05/23 01:34:20 Could not obtain certificates: error: one or more domains had a problem: [spidershomelab.net] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: No TXT records found for DNS challenge
```

This is the error I get if I set ns1.spidershomelab.net to 172.31.53.6.
```
spiderunderurbed@raspberrypi:~ $ lego --dns pdns --email SpiderUnderUrBed@proton.me --domains spidershomelab.net --server https://localhost:14000/dir --accept-tos run
2024/05/23 01:35:44 [INFO] [spidershomelab.net] acme: Obtaining bundled SAN certificate
2024/05/23 01:35:44 [INFO] [spidershomelab.net] AuthURL: https://localhost:14000/authZ/02zsePSqItmSu6TY5vGivdHfy5WeBJv09qDCLLxEzgI
2024/05/23 01:35:44 [INFO] [spidershomelab.net] acme: Could not find solver for: tls-alpn-01
2024/05/23 01:35:44 [INFO] [spidershomelab.net] acme: Could not find solver for: http-01
2024/05/23 01:35:44 [INFO] [spidershomelab.net] acme: use dns-01 solver
2024/05/23 01:35:44 [INFO] [spidershomelab.net] acme: Preparing to solve DNS-01
2024/05/23 01:35:44 [INFO] [spidershomelab.net] acme: Trying to solve DNS-01
2024/05/23 01:35:44 [INFO] [spidershomelab.net] acme: Checking DNS record propagation using [127.0.0.1:53]
2024/05/23 01:35:46 [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]
2024/05/23 01:35:46 [INFO] [spidershomelab.net] acme: Waiting for DNS record propagation.
2024/05/23 01:35:48 [INFO] [spidershomelab.net] acme: Waiting for DNS record propagation.
2024/05/23 01:35:50 [INFO] [spidershomelab.net] acme: Waiting for DNS record propagation.
```

This is the error I get if I set ns1.spidershomelab.net to 192.168.68.77; it will continue waiting for DNS record propagation until it fails.

The issue here is consistency: lego needs to be able to put the subdomain in the same resolver, and ns1.spidershomelab.net needs to be able to access the TXT record. Also, I don't know if it can make a TXT record in the authoritative nameserver or requires that it be made in the backend, which makes this thing so confusing.
Do I need to add some extra configuration to PowerDNS? Do I need another DNS server (oh for god's sake please no)?

Maybe the IPs I'm trying out are wrong. I would appreciate your input.

[Edit]
Also my resolv.conf:
```
#nameserver 8.8.8.8
nameserver 127.0.0.1
#nameserver 100.100.100.100
```

@pschiffe
Owner

If this works, `$ dig _acme-challenge.spidershomelab.net txt @172.31.53.6 -p 53`, I think the PDNS API and lego work fine.

Your objective is to make this work: `$ dig _acme-challenge.spidershomelab.net txt`. You can create some other testing TXT record in the meantime, so it's there all the time.

What DNS resolver are you running? `sudo lsof -i UDP -n | grep 53`
What's the IP of the host?
What's the difference between 192.168.68.77 and 100.71.106.52?

@SpiderUnderUrBed
Author

SpiderUnderUrBed commented May 22, 2024

First (I added an empty _acme-challenge):

spiderunderurbed@raspberrypi:~ $ dig _acme-challenge.spidershomelab.net txt @172.31.53.6 -p 53

; <<>> DiG 9.18.24-1-Debian <<>> _acme-challenge.spidershomelab.net txt @172.31.53.6 -p 53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31861
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_acme-challenge.spidershomelab.net. IN TXT

;; ANSWER SECTION:
_acme-challenge.spidershomelab.net. 120 IN TXT  ""

;; Query time: 15 msec
;; SERVER: 172.31.53.6#53(172.31.53.6) (UDP)
;; WHEN: Thu May 23 02:23:26 NZST 2024
;; MSG SIZE  rcvd: 76

spiderunderurbed@raspberrypi:~ $ dig _acme-challenge.spidershomelab.net txt.

; <<>> DiG 9.18.24-1-Debian <<>> _acme-challenge.spidershomelab.net txt.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 48717
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.spidershomelab.net. IN A

;; AUTHORITY SECTION:
spidershomelab.net.     1031    IN      SOA     a.misconfigured.dns.server.invalid. hostmaster.spidershomelab.net. 2024052324 10800 3600 604800 3600

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu May 23 02:23:36 NZST 2024
;; MSG SIZE  rcvd: 144

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3419
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;txt.                           IN      A

;; AUTHORITY SECTION:
.                       2971    IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2024052200 1800 900 604800 86400

;; Query time: 11 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu May 23 02:23:36 NZST 2024
;; MSG SIZE  rcvd: 107

spiderunderurbed@raspberrypi:~ $ 

2nd:
spiderunderurbed@raspberrypi:~ $ sudo lsof -i UDP -n | grep 53
3rd and 4th:
Local IP is 192.168.68.77; it doesn't have a unique public IP that refers to that machine, of course. They do have an IP within a VLAN (or what I assume is a VLAN) given by tailscale (maybe not a VLAN, because you can ping it publicly). I tried adding it as my public resolver so all queries go through 100.71.106.52:53, but tailscale is a bit strict on what ports can be used on their IPs, so it just times out. So ideally I'd like to remove all references to 100.71.106.52 from anything DNS related. 192.168.68.77 is accessible to other machines by sharing routes, but that's irrelevant; 192.168.68.77 is the device's IP within my local network.

EDIT:
Also, as a note, adding 172.31.53.6 as a nameserver in my resolv.conf didn't help, because when I try to dig a domain with it I get `;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 42195`, so I removed it.

@pschiffe
Owner

Sorry, could you try this command please? `sudo lsof -i UDP -nP | grep ':53'` (forgot -P)

@SpiderUnderUrBed
Author

SpiderUnderUrBed commented May 22, 2024

Pastebin is cleaner:
https://pastebin.com/j3UcELLh

spiderunderurbed@raspberrypi:~ $ sudo lsof -i UDP -nP | grep ':53'
172.31.53.1:38166->172.31.53.3:53 docker-pr 1311421 root 125u IPv4 8727680 0t0 UDP 172.31.53.1:60200->172.31.53.3:53 docker-pr 1311421 root 126u IPv4 8727702 0t0 UDP 172.31.53.1:60269->172.31.53.3:53 docker-pr 1311421 root 127u IPv4 8727703 0t0 UDP 172.31.53.1:53664->172.31.53.3:53 docker-pr 1311421 root 128u IPv4 8725779 0t0 UDP 172.31.53.1:58498->172.31.53.3:53 docker-pr 1311421 root 129u IPv4 8725821 0t0 UDP 172.31.53.1:49952->172.31.53.3:53 docker-pr 1311421 root 130u IPv4 8725822 0t0 UDP 172.31.53.1:48560->172.31.53.3:53 docker-pr 1311421 root 131u IPv4 8729674 0t0 UDP 172.31.53.1:46614->172.31.53.3:53 docker-pr 1311421 root 132u IPv4 8728390 0t0 UDP 172.31.53.1:38433->172.31.53.3:53 docker-pr 1311445 root 4u IPv6 7351662 0t0 UDP *:53 docker-pr 1312809 root 4u IPv4 7359643 0t0 UDP 127.0.0.1:5300 ping 1537770 root 5u IPv4 8728389 0t0 UDP 127.0.0.1:33814->127.0.0.1:53

docker ps:
https://pastebin.com/YauCyEFV

@pschiffe
Owner

So you are already using pschiffe/pdns-recursor:latest for the host DNS resolver, that's good! Can you show me its configuration (env vars)?

I think you need to add there something like PDNS_forward_zones=spidershomelab.net=172.31.53.6, so it knows where to look.

@SpiderUnderUrBed
Author

SpiderUnderUrBed commented May 22, 2024

spidershomelab.net = 172.31.53.6
+.= 9.9.9.9,100.100.100.100

I already had this in my zonefiles (it will forward the corresponding zone to the correct location)

    image: pschiffe/pdns-recursor:latest
    profiles: ["all"]
    container_name: pdns-recursor
    networks:
      pdns-network:
      #   ipv4_address: 172.31.53.5
    #  networks:
    #    - pdns-network
    environment:
      # FORWARD ZONE
      - PDNS_forward-zones-file=/zonefiles.conf
      - PDNS_local_address=0.0.0.0
      - PDNS_local_port=53
      - PDNS_allow_from=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
      - PDNS_dnssec=off
      - PDNS_aggressive_nsec_cache_size=0
      # LOGGING
      - PDNS_logging_facility=0
      - PDNS_quiet=no
      - PDNS_loglevel=7
      - PDNS_trace=yes
      - PDNS_log_common-errors=yes
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /home/spiderunderurbed/zonesfiles.conf:/zonefiles.conf
    ports:
      - 53:53
      - 53:53/udp
    restart: unless-stopped
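To check where the recursor will send a given name (for example the _acme-challenge lookup) before involving lego at all, here is an added example that models the forward-zones-file matching; it is not code from the issue or from the pschiffe/docker-pdns project. It assumes the file format the thread uses (one `zone=server[,server]` per line, `#` comments, whitespace around `=` tolerated, a leading `+` meaning forward with recursion) and that the recursor picks the longest matching zone suffix.

```python
# Added example (not from the issue or the pschiffe/docker-pdns project): a
# model of how pdns-recursor picks the upstream for a name from its
# forward-zones-file. Assumed: 'zone=server[,server]' lines, '#' comments,
# whitespace around '=' tolerated, '+' prefix = forward with recursion.
from dataclasses import dataclass
from typing import Optional

# Constructed sample mirroring the zonefile posted in the thread.
SAMPLE_ZONEFILE = """\
# local zone -> authoritative container, everything else -> public resolvers
spidershomelab.net = 172.31.53.6
+.= 9.9.9.9,100.100.100.100
"""

@dataclass(frozen=True)
class ForwardZone:
    zone: str                 # lowercase, no trailing dot; "" is the root "."
    servers: tuple            # upstream addresses, in file order
    recurse: bool             # True when the line started with '+'

def _normalize(name: str) -> str:
    return name.strip().lower().rstrip(".")

def parse_forward_zones(text: str) -> list:
    zones = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or "=" not in line:
            continue
        zone_part, servers_part = line.split("=", 1)
        zone_part = zone_part.strip()
        recurse = zone_part.startswith("+")
        if recurse:
            zone_part = zone_part[1:]
        servers = tuple(s.strip() for s in servers_part.split(",") if s.strip())
        zones.append(ForwardZone(_normalize(zone_part), servers, recurse))
    return zones

def lookup(name: str, zones: list) -> Optional[ForwardZone]:
    """Longest-suffix match: the most specific forward zone wins, root last."""
    qname = _normalize(name)
    best = None
    for fz in zones:
        hit = fz.zone == "" or qname == fz.zone or qname.endswith("." + fz.zone)
        if hit and (best is None or len(fz.zone) > len(best.zone)):
            best = fz
    return best
```

With the posted file, `lookup("_acme-challenge.spidershomelab.net", parse_forward_zones(SAMPLE_ZONEFILE))` lands on the 172.31.53.6 entry, so a TXT query sent to the recursor should reach the authoritative container rather than the public resolvers.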

@pschiffe
Owner

So when you try to ask the recursor directly, it doesn't work? Is the recursor showing any logs?

@SpiderUnderUrBed
Author

I tried asking the recursor on port 53:
https://pastebin.com/U5i18sF3
This is the process of it forwarding the request to the backend

I also tried removing zone forwarding to my domain which resulted in many errors.
PDNS_API_URL is a value for lego to know where to talk to for the cert process
I tried:
PDNS_API_URL=http://172.31.53.6:8081
and
PDNS_API_URL=http://localhost:8081

I get the same error either way.
[spidershomelab.net] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: No TXT records found for DNS challenge

@pschiffe
Copy link
Owner

I'm sorry, not sure what could be the problem. The config seems mostly OK. The PDNS is sensitive to how the records are configured in the DNS itself, it must match with container or host IP, depending on from where you are asking (doesn't really like NAT) :(
I'll let you know if I think about something, but I don't have much more for you now.

@SpiderUnderUrBed
Author

SpiderUnderUrBed commented May 23, 2024

Ah ok, I'll keep this issue open, maybe until I find a resolution or you have an idea, or I give up on this route (though that is unlikely)

I'll be sure to post the resolution here,
PowerDNS/pdns#14233
^ here is the discussion I opened at powerdns

EDIT:
Also I have a theory I would like to explore: maybe the DNS-01 challenge needs access to both the authoritative and the recursive server to complete it. It would explain my issue; the makers of the DNS-01 challenge must not have accounted for DNS servers like pdns. I think.
