<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 15/11/2023 14:53, sebastian-n-95---
via Pdns-users wrote:<br>
</div>
<blockquote type="cite"
cite="mid:trinity-c47de14d-10ca-4076-92c9-83c641cb3058-1700060010213@3c-app-gmx-bap11">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div style="font-family: Verdana;font-size: 12.0px;">
<div>Hey,<br>
<br>
I am considering migrating my current BIND-Based setup to
PowerDNS.<br>
<br>
For multiple zones, I currently have split-view in bind, so
that I can define DNS-Records available only for internal
clients.<br>
<br>
To achieve this, I have the following zonefiles:<br>
<br>
mydomain.com.ext.zone <- This zonefile is used for the
external view</div>
<div>mydomain.com.int.zone <- This zonefile is used for the
internal view</div>
<div> </div>
<div>But I also have:</div>
<div>mydomain.com.include <- This file is included in both
zonefiles, so records defined there are available in both
zones.</div>
<div> </div>
<div>I was wondering how I could replicate a setup like this in
PowerDNS.<br>
</div>
</div>
</blockquote>
<p>BIND combines the roles of authoritative server and recursor;
PowerDNS has separate programs (pdns and pdns-recursor).</p>
<p>Split views are IMO a bad idea anyway, but if you wanted to do it
you would need to do something like this:<br>
</p>
<p>1. Run pdns-recursor for your internal clients to use<br>
2. Run an instance of pdns-auth with your internal zones<br>
3. Set up forwarding rules on pdns-recursor for your internal
zones, pointing at your internal pdns-auth<br>
4. Run a separate instance of pdns-auth with your external zones
(i.e. the ones which your NS records point at)</p>
<p>Note that even with this setup, your clients will need to point
to one IP address (the pdns-recursor server), and your NS records
will need to point to a different IP address (the pdns-auth server
with the externally visible zones). So you will need to renumber
one or the other.<br>
</p>
<p>If you really, really, really want to have a single IP address
that performs both functions, then you will indeed need to put
dnsdist on that address. But I would strongly advise against it;
it's too many moving parts. Either just renumber your recursor IP
(maybe you can give the new address to all your clients using
DHCP), or renumber your external auth nameserver (which just means
changing the A record for your nameserver, and possibly glue
records).<br>
</p>
<p>PowerDNS is designed for use in large-scale ISP operations, where
it is best practice to separate recursor and authoritative
services and run them on different IP addresses.<br>
</p>
<blockquote type="cite"
cite="mid:trinity-c47de14d-10ca-4076-92c9-83c641cb3058-1700060010213@3c-app-gmx-bap11">
<div style="font-family: Verdana;font-size: 12.0px;">
<div>But for DNS-Records that I want to have for internal AND
external clients, I would need to create them in both
PowerDNS-instances.</div>
<div>To me, the risk seems too high, that by accident,
DNS-Records are only created/updated on one PowerDNS-Instance,
but not on the other.</div>
</div>
</blockquote>
<p>That is one of the (several) risks associated with split DNS,
yes.<br>
</p>
<p>Regards,</p>
<p>Brian.<br>
</p>
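<p>Two points in the reply above lend themselves to a worked example: the forwarding rule of step 3, and the poster's concern that a record meant for both views gets created on only one pdns-auth instance. The script below is an added example, not code from this message or from the PowerDNS project. It assumes each instance's zone can be dumped in the presentation format that <code>pdnsutil list-zone</code> prints (one record per line as <code>name TTL IN type rdata</code>); the addresses, zone names and records in it are constructed, and the recursor.conf setting it renders is <code>forward-zones</code>, which sends non-recursive queries to the named authoritative server.</p>

```python
"""Added example for the pdns-users thread above (not Brian's or PowerDNS's code).

Covers two points from the reply:
  * step 3: the recursor.conf 'forward-zones' rule that sends queries for
    the internal zones to the internal pdns-auth instance;
  * the poster's worry that records meant for both views end up on only one
    instance, checked by diffing a zone dump from each instance against the
    set of records that must be present in both.

Assumptions: zone dumps are in the presentation format 'pdnsutil list-zone'
prints ('name TTL IN type rdata', one record per line); the auth address is
IPv4. Every address, name and record below is constructed for the example.
"""
from typing import Iterable, NamedTuple, Set, Tuple


class Record(NamedTuple):
    name: str    # owner name, lower-cased, trailing dot removed
    rtype: str   # record type, upper-cased
    rdata: str   # record data with whitespace normalised


def forward_zones_line(zones: Iterable[str], auth_addr: str, port: int = 53) -> str:
    """Render the pdns-recursor 'forward-zones' setting for the internal zones.

    forward-zones (unlike forward-zones-recurse) sends queries with RD=0,
    which is what an authoritative server expects.
    """
    target = auth_addr if port == 53 else f"{auth_addr}:{port}"
    return "forward-zones=" + ",".join(f"{z.rstrip('.')}={target}" for z in zones)


def parse_zone(text: str) -> Set[Record]:
    """Parse 'name TTL IN type rdata' lines into a set of Records."""
    records: Set[Record] = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()       # drop comments
        if not line or line.startswith("$"):      # skip blanks and $ORIGIN/$TTL
            continue
        parts = line.split(None, 4)
        if len(parts) != 5 or parts[2].upper() != "IN":
            raise ValueError(f"unexpected zone line: {line!r}")
        name, _ttl, _cls, rtype, rdata = parts
        records.add(Record(name.lower().rstrip("."), rtype.upper(), " ".join(rdata.split())))
    return records


def shared_record_drift(shared: Set[Record], internal: Set[Record],
                        external: Set[Record]) -> Tuple[Set[Record], Set[Record]]:
    """Return (missing_from_internal, missing_from_external) for the records
    that must exist in both views. SOA is deliberately not part of 'shared',
    since serials legitimately differ between the two instances."""
    return shared - internal, shared - external


# Constructed: the records from mydomain.com.include that must be in both views.
SHARED_RECORDS = """
www.mydomain.com.   3600 IN A   203.0.113.10
mydomain.com.       3600 IN MX  10 mail.mydomain.com.
mail.mydomain.com.  3600 IN A   203.0.113.25
"""

# Constructed dump from the internal pdns-auth: shared records plus an internal-only host.
INTERNAL_DUMP = """
$ORIGIN .
mydomain.com.       3600 IN SOA ns1.mydomain.com. hostmaster.mydomain.com. 2023111502 3600 600 604800 300
mydomain.com.       3600 IN NS  ns1.mydomain.com.
www.mydomain.com.   3600 IN A   203.0.113.10
mydomain.com.       3600 IN MX  10 mail.mydomain.com.
mail.mydomain.com.  3600 IN A   203.0.113.25
intranet.mydomain.com. 300 IN A 10.0.0.5
"""

# Constructed dump from the external pdns-auth: the mail host's A record was never added here.
EXTERNAL_DUMP = """
$ORIGIN .
mydomain.com.       3600 IN SOA ns1.mydomain.com. hostmaster.mydomain.com. 2023111501 3600 600 604800 300
mydomain.com.       3600 IN NS  ns1.mydomain.com.
www.mydomain.com.   3600 IN A   203.0.113.10
mydomain.com.       3600 IN MX  10 mail.mydomain.com.
"""


def check_shared_records() -> Tuple[Set[Record], Set[Record]]:
    """Run the drift check on the constructed dumps."""
    shared = parse_zone(SHARED_RECORDS)
    return shared_record_drift(shared, parse_zone(INTERNAL_DUMP), parse_zone(EXTERNAL_DUMP))


if __name__ == "__main__":
    print(forward_zones_line(["mydomain.com"], "192.0.2.53"))
    missing_int, missing_ext = check_shared_records()
    for rec in sorted(missing_int):
        print(f"missing on internal auth: {rec.name} {rec.rtype} {rec.rdata}")
    for rec in sorted(missing_ext):
        print(f"missing on external auth: {rec.name} {rec.rtype} {rec.rdata}")
```

<p>Run against real dumps, the check turns the "created on one instance but not the other" failure mode into something a cron job can report on, rather than something a client discovers when a lookup fails in one view.</p>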
</body>
</html>