<html><head></head><body style="zoom: 0%;"><div dir="auto">Thank you, I'll have a look at your dnsdist suggestion, I hadn't considered that yet.<br><br></div>
<div dir="auto">I'd rather not get into an off topic argument about the various reasons for using an FQDN in a firewall rule versus undisclosed public IP addresses. And I have no intention of requesting that cache management is made more complex.</div>
<div class="gmail_quote" >On 17 Sept 2022, at 18:42, Otto Moerbeek <<a href="mailto:otto@drijf.net" target="_blank">otto@drijf.net</a>> wrote:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<pre class="blue"><br>Cache maintenance is already quite a complex part of any recursor. IMO<br>adding cache syncing would introduce way too much complexity to be<br>worth the trouble to solve what in essence is a questionable firewall<br>rule design. <br><br>Maybe dnsdist with a packet cache in front of two recursors might<br>be worth considering.<br><br> -Otto<br><br>On Sat, Sep 17, 2022 at 05:41:14PM +0100, Djerk Geurts wrote:<br><br><blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #729fcf; padding-left: 1ex;"> Hi Otto,<br> <br> Thank you for the clarification. Yes, I'm aware that the source may change, but TTL exists for that. So I don't think this is a valid reason to not sync cache. As the current situation is worse:<br> <br> Resolver A caches IP address <a href="http://1.1.1.1">1.1.1.1</a> and resolver B caches IP address <a href="http://2.2.2.2">2.2.2.2</a>. Subsequently a user types to navigate to the site, but the firewall happened to resolve the domain via the other resolver. This ends up causing intermittent issues as it ends up being pot luck whether a user happens to use the same resolver that the firewall used.<br> <br> A cache sync would at least cause the same behaviour for all users. 
And using a single resolver is too risky.<br> <br> On 17 Sept 2022, 15:44, at 15:44, Otto Moerbeek &lt;otto@drijf.net&gt; wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #ad7fa8; padding-left: 1ex;">Hello,<br><br>cache syncing is not something we have and even with it (or using a<br>single resolver) there is an issue that records can change:<br>the scenario:<br><br> - a client asks the record, record gets cached<br> - client A asks and gets cached value,<br> - publisher of records changes the record<br> - record expires from cache<br> - client B (firewall) asks and record resolves to different value.<br><br><br>On Sat, Sep 17, 2022 at 01:01:09AM +0100, Djerk Geurts via Pdns-users<br>wrote:<br><br><blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #8ae234; padding-left: 1ex;"> Just ran into an issue with recursive DNS servers where the two<br> servers have cached a different A record for <a href="http://mirror.centos.org">mirror.centos.org</a>.<br><br> This is a problem as the firewalls permit access to the FQDN, which<br> presumes that both the client and the firewall end up with the same A<br> record for the domain.<br><br> I'm intending to swap these recursors out with PowerDNS servers, but<br> am wondering if there's a way to keep the record cache in sync between<br> multiple recursors.<br><br> --<br> Best regards,<br> Djerk Geurts<br> m: +44-7535-674620<br><br> Maizymoo Ltd<br> VAT No: GB192 1529 07<br> Registration Number: 6638104 (registered in England and Wales)<br><br><hr><br> Pdns-users mailing list<br> Pdns-users@mailman.powerdns.com<br> <a href="https://mailman.powerdns.com/mailman/listinfo/pdns-users">https://mailman.powerdns.com/mailman/listinfo/pdns-users</a><br></blockquote></blockquote></blockquote></pre></blockquote></div></body></html>