[dnsdist] sample config and how dnsdist works on backend dns configured with "stealth-DMZ".

wbdumangeng at dilg.gov.ph wbdumangeng at dilg.gov.ph
Tue Feb 18 09:05:22 UTC 2020


Hi;

I have two questions.


1. If dnsdist is similar to an (HTTP reverse) proxy, and if dnsdist is accessible on the public internet,
 is this sample config correct for an authoritative DNS?
   
setLocal("any") -------------> client from public internet
newServer("192.168.0.10") ---> back-end 1
newServer("192.168.0.11") ---> back-end 2


2. Can dnsdist work on "stealth-dmz" BIND DNS, where "named.conf" has access rules with multiple configured zones for recursion
and no recursion?


----- Original Message -----
From: dnsdist-request at mailman.powerdns.com
To: "dnsdist" <dnsdist at mailman.powerdns.com>
Sent: Thursday, January 23, 2020 8:00:02 PM
Subject: dnsdist Digest, Vol 53, Issue 6

Send dnsdist mailing list submissions to
	dnsdist at mailman.powerdns.com

To subscribe or unsubscribe via the World Wide Web, visit
	https://mailman.powerdns.com/mailman/listinfo/dnsdist
or, via email, send a message with subject or body 'help' to
	dnsdist-request at mailman.powerdns.com

You can reach the person managing the list at
	dnsdist-owner at mailman.powerdns.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of dnsdist digest..."


Today's Topics:

   1. DNS use cases as authoritative dns server facing public
      internet (wbdumangeng at dilg.gov.ph)
   2. Re: DNS use cases as authoritative dns server facing public
      internet (Jacob Bunk Nielsen)
   3. Re: DNS use cases as authoritative dns server facing public
      internet (Andreas Danzer)


----------------------------------------------------------------------

Message: 1
Date: Thu, 23 Jan 2020 11:16:14 +0800 (PST)
From: wbdumangeng at dilg.gov.ph
To: dnsdist at mailman.powerdns.com
Subject: [dnsdist] DNS use cases as authoritative dns server facing
	public internet
Message-ID:
	<1959375686.1290571.1579749374420.JavaMail.zimbra at dilg.gov.ph>
Content-Type: text/plain; charset="utf-8"

Hi; 

I have a question regarding the posture of dnsdist as authoritative dns server facing public internet.
What would the design be if you put dnsdist (load balancer) in front of the origin DNS servers?
I have two (2) internet facing authoritative DNS translated from my firewall. Can I also do NAT on dnsdist
while the origin dns servers will be on private IP address?

Thank you. 

------------------------------

Message: 2
Date: Thu, 23 Jan 2020 09:18:36 +0100
From: Jacob Bunk Nielsen <jbn at one.com>
To: dnsdist at mailman.powerdns.com
Subject: Re: [dnsdist] DNS use cases as authoritative dns server
	facing public internet
Message-ID: <0ba5eded-6f47-0ab8-e9a6-ea150f6874a4 at one.com>
Content-Type: text/plain; charset="utf-8"; Format="flowed"

Hi

On 23/01/2020 04.16, wbdumangeng at dilg.gov.ph wrote:
> I have a question regarding the posture of dnsdist as authoritative 
> dns server facing public internet.
> What would the design be if you put dnsdist (load balancer)
> in front of the origin DNS servers?
> I have two (2) internet facing authoritative DNS translated from my 
> firewall. Can I also do NAT on dnsdist
> while the origin dns servers will be on private IP address?

Short answer, yes.

Slightly longer answer, think of dnsdist more as a caching proxy/load 
balancer than as a router. So you'd set up dnsdist to listen for 
incoming queries and let dnsdist distribute the queries among backend 
servers depending on your preferred load balancing scheme. See also 
https://dnsdist.org/guides/serverselection.html

For redundancy you'll probably also want at least 2 dnsdist instances 
that can then sit in front of however many backends are required to 
handle the load.

Best regards,

Jacob


------------------------------

Message: 3
Date: Thu, 23 Jan 2020 11:07:24 +0100
From: Andreas Danzer <andreas at danzer.org>
To: dnsdist at mailman.powerdns.com
Subject: Re: [dnsdist] DNS use cases as authoritative dns server
	facing public internet
Message-ID: <e53b293e-1e91-dba6-5637-86ac59fe6258 at danzer.org>
Content-Type: text/plain; charset=utf-8

Hi,

> I have a question regarding the posture of dnsdist as authoritative dns
> server facing public internet.
> What would the design be if you put dnsdist (load balancer)
> in front of the origin DNS servers?
> I have two (2) internet facing authoritative DNS translated from my
> firewall. Can I also do NAT on dnsdist
> while the origin dns servers will be on private IP address?

Our authoritative nameservers are built with dnsdist as load balancer in
front of several powerdns-servers. Some of those backend servers are
running on private RFC1918 IP addresses, with only dnsdist having a
globally routable IP. Dnsdist also serves as some sort of dns firewall
with rate-limiting and special handling of some request types (e.g.
ANY). We also use it to handle incoming/outgoing AXFR/IXFR requests and
notifications for customers based on an extra database and a hidden dns.
Think of dnsdist as the Swiss Army knife for DNS. ;-)

Regards,
A. Danzer



------------------------------

End of dnsdist Digest, Vol 53, Issue 6
**************************************
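
A dnsdist configuration for the setup discussed in this thread (public listener, authoritative backends on private addresses, rate limiting and special handling of ANY), given as an added example that is not from any of the posters or from the dnsdist project. The backend addresses are the ones in the question; the server names, the checkName zone and the 50 qps limit are assumed placeholders to adapt.

```lua
-- Added example, not part of the original thread.
-- Backend IPs come from the question; names, zone and limits are assumptions.

-- Public listeners. setLocal()/addLocal() expect an IP address (optionally
-- with a port), not a keyword such as "any".
setLocal("0.0.0.0:53")
addLocal("[::]:53")

-- dnsdist's default ACL only admits loopback and private ranges, so a
-- front end for a public authoritative service has to open it explicitly.
setACL({"0.0.0.0/0", "::/0"})

-- Authoritative backends on RFC 1918 addresses, reachable only from dnsdist.
-- checkName is the name used for health checks; point it at a zone the
-- backends actually serve ("example.org." is a placeholder).
newServer({address="192.168.0.10:53", name="auth1", checkName="example.org."})
newServer({address="192.168.0.11:53", name="auth2", checkName="example.org."})

-- Send each query to the backend with the fewest outstanding queries.
setServerPolicy(leastOutstanding)

-- Rules are evaluated in order and the first matching terminal action wins.

-- Per-client rate limit: drop queries from a source exceeding 50 qps
-- (assumed value; size it from your own traffic baseline).
addAction(MaxQPSIPRule(50), DropAction())

-- Special handling of ANY (qtype 255): answer UDP queries with TC=1 so
-- that legitimate clients retry over TCP, which removes ANY as a UDP
-- amplification vector while still serving it.
addAction(AndRule({QTypeRule(255), TCPRule(false)}), TCAction())
```

With this layout the firewall only needs to expose port 53 (UDP and TCP) on the dnsdist host, and the backends should accept queries only from the dnsdist address.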

