<html><head></head><body><div style="font-family: Verdana;font-size: 12.0px;"><div> </div>
<div>
<div style="margin-left: 40px;">Note that even with this setup, your clients will need to point to one IP address (the pdns-recursor server), and your NS records will need to point to a different IP address (the pdns-auth server with the externally visible zones). So you will need to renumber one or the other.</div>
<div> </div>
<div>That would be fine for me. I also don't need both instances to have the same IP-Adress.</div>
<div> </div>
<div>About the "3. Set up forwarding rules on pdns-recursor for your internal zones, pointing at your internal pdns-auth":<br/>
<br/>
When I have stuff like:<br/>
<br/>
foo.example.com IN A 127.0.0.1 (internal only)<br/>
bar.example.com IN A 99.99.99.99 (internal and external)<br/>
<br/>
Then that's the same zone. And I have hundrets of those DNS-Records that need to be accessible in both "views", as well as hundrets that are internal-only.<br/>
I agree, it would have been better to use completely different zones for internal and external stuff in the beginning, but sadly I have to deal with the current setup.</div>
<div> </div>
<div>Would I now have to make forwarding-rules for every of those records in pwns-recursor?<br/>
Like: When foo.example.com is requested, then ask internal-pwdns-auth, when bar.example.com is requested, then ask external-pdns-auth.<br/>
<br/>
Because then I would need to duplicate all internal DNS-Records in the recursor as well as define them in the internal-pdns-auth. So I end up with two places to configure again, which brings the same downsides.</div>
<div> </div>
<div> </div>
<div style="margin-left: 40px;">3. Install a Response Policy Zone (RPZ) in the recursor to *override* the results provided by the auth for queries from internal clients</div>
<div> </div>
<div>Thanks a lot for that hint, I will look into that.<br/>
I guess you are talking about this bit here? https://doc.powerdns.com/recursor/lua-config/index.html<br/>
So I would need to write some lua-code that gets executed before the response is being returned, and in case the response is a NXDOMAIN, I make a new lookup towards the external-pdns-auth server and return whatever that one returns?</div>
<div> </div>
<div>Cheers<br/>
Sebastian</div>
<div>
<div name="quote" style="margin:10px 5px 5px 10px; padding: 10px 0 10px 10px; border-left:2px solid #C3D9E5; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div style="margin:0 0 10px 0;"><b>Gesendet:</b> Mittwoch, 15. November 2023 um 17:53 Uhr<br/>
<b>Von:</b> "Kevin P. Fleming via Pdns-users" <pdns-users@mailman.powerdns.com><br/>
<b>An:</b> "Pdns-users" <pdns-users@mailman.powerdns.com><br/>
<b>Cc:</b> "Kevin P. Fleming" <lists.pdns-users@kevin.km6g.us><br/>
<b>Betreff:</b> Re: [Pdns-users] Share DNS-Records between two zones/views (internal & external)</div>
<div name="quoted-content"><!--p.MsoNormal, p.MsoNoSpacing {
margin: 0;
}
-->
<div>On Wed, Nov 15, 2023, at 11:05, Brian Candler via Pdns-users wrote:</div>
<blockquote id="qt">
<div class="qt-moz-cite-prefix">On 15/11/2023 14:53, sebastian-n-95--- via Pdns-users wrote:</div>
<blockquote>
<div style="font-family: Verdana;font-size: 12.0px;">
<div>
<div>Hey,</div>
<div> </div>
<div>I am considering migrating my current BIND-Based setup to PowerDNS.</div>
<div> </div>
<div>For multiple zones, I currently have split-view in bind, so that I can define DNS-Records available only for internal clients.</div>
<div> </div>
<div>To achieve this, I have the following zonefiles:</div>
<div> </div>
<div>mydomain.com.ext.zone <- This zonefile is used for the external view</div>
</div>
<div>mydomain.com.int.zone <- This zonesfile is used for the internal view</div>
<div> </div>
<div>But I also have:</div>
<div>mydomain.com.include <- This file is included in both zonefiles, so records defined there are available in both zones.</div>
<div> </div>
<div> </div>
<div>I was wondering, how I could replicate a setup like this in PowerDNS.</div>
</div>
</blockquote>
<p>BIND combines the roles of authoritative server and recursor; PowerDNS has separate programs (pdns and pdns-recursor)</p>
<p>Split views are IMO a bad idea anyway, but if you wanted to do it you would need to do something like this:</p>
<p> </p>
<div>1. Run pdns-recursor for your internal clients to use</div>
<div>2. Run an instance of pdns-auth with your internal zones</div>
<p> </p>
</blockquote>
<div> </div>
<div>There is another option to consider:<br/>
<br/>
1. Run pdns-recursor for your internal clients to use</div>
<div>2. Run pdns-auth for the external view of the zones</div>
<div>3. Install a Response Policy Zone (RPZ) in the recursor to *override* the results provided by the auth for queries from internal clients</div>
<div><br/>
Those overrides can add new records, hide existing records, or replace records with alternative answers.</div>
<div> </div>
_______________________________________________ Pdns-users mailing list Pdns-users@mailman.powerdns.com <a href="https://mailman.powerdns.com/mailman/listinfo/pdns-users" target="_blank">https://mailman.powerdns.com/mailman/listinfo/pdns-users</a></div>
</div>
</div>
</div></div></body></html>