[dnsdist] DNSDIST / Authoritative / Recursive / Lua Script Option?

Devin Acosta linuxguru.co at gmail.com
Wed Feb 6 14:46:35 UTC 2019


Dear PowerDNS Users,

So I have a situation where I have all my servers going through DNSDist for
DNS queries. I have my configuration set up so that it routes certain
domains to various internal Authoritative DNS servers, and also a route to
allow recursion. What I am seeing is that when a request comes in for a
record (i.e. one of my internal domains) and then gets routed to my
Authoritative server, which then returns a CNAME to, say, an Amazon ELB address, it
isn't able to then recurse the ELB address to get the IP addresses. I am
hoping that there is some Lua code that maybe I can put in the DNSDist to
allow the query to first go to the Authoritative server, then take that
answer and send it to the recursion server to get the final answer, and then send
that back to the client.

It seems like the one suggestion on the website is to point to the recursion
server and have it then point your domains to the Authoritative server for
the internal answer, which seems a bit strange to have to do it that way.

But I would assume that with the power of Lua I could write something to
let me query the Authoritative server, get that answer, then send it to the Recursor for
the recursion answer and then send that back?

My config is something like this currently:

newServer({address="10.0.1.31:53", pool="auth_internal"})
newServer({address="10.0.1.32:53", pool="auth_internal"})
newServer({address="10.0.1.33:53", pool="resolver_internal"})
newServer({address="10.0.1.34:53", pool="resolver_internal"})
newServer({address="10.0.1.253:53", pool="auth_internal_external"})

pc = newPacketCache(100000)
getPool("resolver_internal"):setCache(pc)

match_clients_internal = newNMG()
match_clients_internal:addMask("0.0.0.0/0")
match_clients_internal:addMask("::0/0")

match_destinations_internal = newNMG()
match_destinations_internal:addMask("0.0.0.0/0")
match_destinations_internal:addMask("::0/0")

allow_query_internal = newNMG()
allow_query_internal:addMask("0.0.0.0/0")
allow_query_internal:addMask("::0/0")

allow_recursion_internal = newNMG()
allow_recursion_internal:addMask("0.0.0.0/0")

authdomains_internal = newSuffixMatchNode()
allow_transfer_internal = {}
authdomains_internal:add(newDNSName("linuxstack.cloud."))
authdomains_internal:add(newDNSName("in-addr.arpa."))

authdomains_internal_external = newSuffixMatchNode()
authdomains_internal_external:add(newDNSName("routed-bind-domain.com."))

-- log every query to the file
addAction(AllRule(), LogAction("/var/log/dnsdist.log", false, true, false))

function xfr_query_internal(dq)
        if (dq.qtype == dnsdist.AXFR or dq.qtype == dnsdist.IXFR) then
                -- per-zone netmask group of hosts allowed to transfer; nil when the
                -- zone has no entry, so guard before calling a:match()
                local a = allow_transfer_internal[string.lower(dq.qname:toString())]
                if (a and match_clients_internal:match(dq.remoteaddr) and a:match(dq.remoteaddr)) then
                        return DNSAction.Pool, "auth_internal"
                end
        end
        return DNSAction.None, ""
end

addAction(AndRule({NetmaskGroupRule(match_clients_internal),
                   NotRule(NetmaskGroupRule(allow_query_internal))}), RCodeAction(5))

addAction(AndRule({NetmaskGroupRule(match_clients_internal),
                   NotRule(QTypeRule(dnsdist.AXFR)), NotRule(QTypeRule(dnsdist.IXFR)),
                   SuffixMatchNodeRule(authdomains_internal)}), PoolAction("auth_internal"))

addAction(AndRule({NetmaskGroupRule(match_clients_internal),
                   NotRule(QTypeRule(dnsdist.AXFR)), NotRule(QTypeRule(dnsdist.IXFR)),
                   SuffixMatchNodeRule(authdomains_internal_external)}),
          PoolAction("auth_internal_external"))

addAction(AndRule({NetmaskGroupRule(match_clients_internal),
                   NotRule(QTypeRule(dnsdist.AXFR)), NotRule(QTypeRule(dnsdist.IXFR)),
                   NetmaskGroupRule(allow_recursion_internal)}),
          PoolAction("resolver_internal"))

addLuaAction(".", xfr_query_internal)

addAction(NetmaskGroupRule(match_clients_internal), RCodeAction(5))

-- Note: allow_transfer_external and match_clients_external are not defined in
-- this file, and this function is never registered with addLuaAction().
function xfr_query_external(dq)
        if (dq.qtype == dnsdist.AXFR or dq.qtype == dnsdist.IXFR) then
                local a = allow_transfer_external[string.lower(dq.qname:toString())]
                if (a and match_clients_external:match(dq.remoteaddr) and a:match(dq.remoteaddr)) then
                        return DNSAction.Pool, "auth_external"
                end
        end
        return DNSAction.None, ""
end

setACL({})
addACL("10.0.0.0/8")
addACL("::0/0")

controlSocket("127.0.0.1")

addLocal("0.0.0.0:53")
addLocal("[::]:53")


Devin Acosta

Red Hat Certified Architect
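The layout the website suggests, written out as an added example rather than the poster's configuration: a dnsdist rule picks a backend for each packet and does not issue a follow-up query, so the CNAME chase has to happen inside the recursor. The internal zones are forwarded from the PowerDNS Recursor to the authoritative servers with forward-zones (queries to those servers go without the RD bit), the recursor then resolves the out-of-zone CNAME target such as an ELB name on its own, and dnsdist sends everything except zone transfers to the resolver pool. The addresses and zone names are the ones from the post, the 10.0.1.0/24 transfer-client netmask is an assumption, and the recursor settings at the top are shown as a comment because they belong in recursor.conf, not in the dnsdist Lua file.

```lua
-- Added example, not the poster's configuration.
--
-- recursor.conf on the resolvers (10.0.1.33 and 10.0.1.34), one line:
--   forward-zones=linuxstack.cloud=10.0.1.31;10.0.1.32, in-addr.arpa=10.0.1.31;10.0.1.32, routed-bind-domain.com=10.0.1.253
--   allow-from=10.0.0.0/8        -- must include the dnsdist host, which is now the only client
-- The recursor asks the listed authoritatives for those zones and chases any
-- CNAME that points outside them through normal recursion.

newServer({address="10.0.1.31:53", pool="auth_internal"})
newServer({address="10.0.1.32:53", pool="auth_internal"})
newServer({address="10.0.1.33:53", pool="resolver_internal"})
newServer({address="10.0.1.34:53", pool="resolver_internal"})

pc = newPacketCache(100000)
getPool("resolver_internal"):setCache(pc)

-- Zone transfers are the only traffic that still needs the authoritative
-- servers directly; restrict them to the hosts allowed to pull zones.
xfr_clients = newNMG()
xfr_clients:addMask("10.0.1.0/24")   -- assumed: secondaries allowed to AXFR/IXFR

addAction(AndRule({OrRule({QTypeRule(dnsdist.AXFR), QTypeRule(dnsdist.IXFR)}),
                   NetmaskGroupRule(xfr_clients)}),
          PoolAction("auth_internal"))
-- any other transfer request gets rcode 5 (REFUSED)
addAction(OrRule({QTypeRule(dnsdist.AXFR), QTypeRule(dnsdist.IXFR)}), RCodeAction(5))

-- Everything else, internal zones included, goes to the recursor, which
-- forwards the internal zones itself and returns the fully resolved answer.
addAction(AllRule(), PoolAction("resolver_internal"))

setACL({"10.0.0.0/8"})
controlSocket("127.0.0.1")
addLocal("0.0.0.0:53")
addLocal("[::]:53")
```

Two side effects worth checking after the change: the dnsdist packet cache now holds the fully resolved internal answers, so TTLs on the auth side govern how long a stale ELB address lingers, and because the recursor only ever hears from dnsdist, its allow-from list is what keeps it from becoming an open resolver if the dnsdist ACL is loosened.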