[dnsdist] dnsdist in front of pdns / pdns-recursor

Bit World Computing - Michael Mertel michael.mertel at bwc.de
Wed Jun 8 16:13:34 UTC 2016


<sorry for the length of this post>


Hi,

I am currently setting up a new pdns (auth for a couple hundred zones). In the past this auth-server served all recursion queries as well by forwarding them to a pdns-recursor (limited by allow-recursion).

Now I plan to put a dnsdist in front of this stack, to have a granular control what is going on, logging etc. I need to stick with the single IP for auth and recursor for a while, but splitting auth and recursor is on the list.

The first challenge was to handle recursion, because allow-recursion= in pdns.conf does not work anymore to control the recursion requests, because all requests to pdns are initiated from the IP of dnsdist. I handled the situation with this snippet:

------------------------
-- define netmasks which can do recursive queries
allowRecursionNMG = newNMG()
allowRecursionNMG:addMask('10.1.0.0/16')
allowRecursionNMG:addMask('10.5.0.0/16')

-- remove RD flag if not allowed
addNoRecurseRule(NotRule(NetmaskGroupRule(allowRecursionNMG)))
------------------------

The second challenge was AXFR requests from non-pdns slaves. These I handled with NAT, redirecting traffic from the slaves directly to the pdns:

-A PREROUTING -s ip.of.bind.slave -p udp --dport 53 -j REDIRECT --to-port 10053
-A PREROUTING -s ip.of.bind.slave -p tcp --dport 53 -j REDIRECT --to-port 10053


All DNS requests take this path: dnsdist - pdns - pdns-recursor. All tested queries return the expected results; even DNSSEC does not seem to be problematic.

BUT, https://doc.powerdns.com/md/authoritative/recursion/ mentions that using recursor= is NOT RECOMMENDED because of side effects. I read Dan Bernstein's article a few times and think that this does not really affect me, because the recursor is BEHIND the auth.

Can anyone think of a reason why I should better not put this in production? Is dnsdist in front of pdns a valid deployment?

Any help highly appreciated, I hope you don’t mind that I pick the brains of this list.

—Michael
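The two points above (stripping RD for unknown clients, and keeping AXFR away from anyone but the known slaves) can both be expressed in dnsdist's own Lua configuration instead of splitting them between dnsdist and iptables. The following is an added example, not the poster's configuration or anything from the PowerDNS project; the listen addresses, the backend port 10053, the slave address and the rule names are assumptions chosen to match the post.

```lua
-- dnsdist.conf (added example, not the poster's config).
-- Addresses, the backend port and the slave address below are assumptions.

-- dnsdist's default ACL only admits RFC1918 and localhost ranges; an
-- auth server facing the Internet has to accept queries from anywhere.
setACL({"0.0.0.0/0", "::/0"})
setLocal("192.0.2.53:53")          -- assumed public v4 listener
addLocal("[2001:db8::53]:53")      -- assumed public v6 listener

-- The single pdns auth (with recursor= behind it), assumed to have been
-- moved to 127.0.0.1:10053 as in the REDIRECT rules in the post.
newServer({address = "127.0.0.1:10053", name = "pdns-auth"})

-- Clients whose RD bit is honoured (same netmasks as in the post).
allowRecursionNMG = newNMG()
allowRecursionNMG:addMask("10.1.0.0/16")
allowRecursionNMG:addMask("10.5.0.0/16")

-- Everyone else gets RD cleared before the query reaches pdns, so pdns
-- never forwards it to the recursor.  This replaces allow-recursion=,
-- which now only ever sees dnsdist's source address.
addAction(NotRule(NetmaskGroupRule(allowRecursionNMG)), NoRecurseAction())

-- Zone transfers: only the known secondaries may ask for AXFR/IXFR.
-- Enforced here because pdns's allow-axfr-ips would likewise only see
-- dnsdist's address and could not tell the slaves from anyone else.
slaveNMG = newNMG()
slaveNMG:addMask("198.51.100.7/32")   -- assumed address of the BIND slave

xfrRule = OrRule({QTypeRule(252), QTypeRule(251)})   -- 252 = AXFR, 251 = IXFR
addAction(AndRule({xfrRule, NotRule(NetmaskGroupRule(slaveNMG))}),
          RCodeAction(5))                            -- 5 = REFUSED

-- Transfers from the slaves themselves pass through to pdns-auth over TCP
-- like any other TCP query; no iptables REDIRECT is needed.
```

With this in place, pdns's allow-axfr-ips has to list dnsdist's source address (127.0.0.1 here) rather than the slaves, and the check that the rules do what they should is a query from an address outside allowRecursionNMG: the answer must come back with RD clear (and, for a name outside your zones, not a recursive answer), while an AXFR from any address other than the slave's must return REFUSED before anything reaches pdns.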