[dnsdist] sample config and how dnsdist works on backend dns configured with "stealth-DMZ".
Rasto Rickardt
phobie at axfr.org
Tue Feb 18 11:03:55 UTC 2020
Hello,
>
> 1. If dnsdist is similar to (http reverse) proxy, and If dnsdist is
> accessible on public internet. Is this sample config correct for an
> authoritative dns?
>
> setLocal("any") -------------> client from public internet
> newServer("192.168.0.10") ---> back-end 1
> newServer("192.168.0.11") ---> back-end 2
This is OK; you might need to set an ACL as well.
setACL({'0.0.0.0/0', '::/0'}) will allow all clients.
>
> 2. Can dnsdist work on "stealth-dmz" BIND dns, where "named.conf" has
> access rules with multiple configured zone for recursion and no
> recursion.
Source IP based access rules will not work on your backend servers as
requests are originated from dnsdist.
If you are thinking about a BIND views style configuration, I used multiple
instances of DNS servers on different ports serving different zone files.
On dnsdist, I used pools and addAction/PoolAction to direct traffic
based on the source address of the client to the respective pool.
Kind Regards
r.
>
> ----- Original Message ----- From:
> dnsdist-request at mailman.powerdns.com To: "dnsdist"
> <dnsdist at mailman.powerdns.com> Sent: Thursday, January 23, 2020
> 8:00:02 PM Subject: dnsdist Digest, Vol 53, Issue 6
>
> Today's Topics:
>
> 1. DNS use cases as authoritative dns server facing public internet
>    (wbdumangeng at dilg.gov.ph)
> 2. Re: DNS use cases as authoritative dns server facing public internet
>    (Jacob Bunk Nielsen)
> 3. Re: DNS use cases as authoritative dns server facing public internet
>    (Andreas Danzer)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 23 Jan 2020 11:16:14 +0800 (PST)
> From: wbdumangeng at dilg.gov.ph
> To: dnsdist at mailman.powerdns.com
> Subject: [dnsdist] DNS use cases as authoritative dns server facing
>  public internet
> Message-ID: <1959375686.1290571.1579749374420.JavaMail.zimbra at dilg.gov.ph>
> Content-Type: text/plain; charset="utf-8"
>
> Hi;
>
> I have a question regarding the posture of dnsdist as authoritative
> dns server facing public internet. How will be the design if you
> would put the dnsdist (load balancer) in front of the origin DNS
> servers? I have two (2) internet facing authoritative DNS translated
> from my firewall. Can I also do NAT on dnsdist while the origin dns
> servers will be on private IP address?
>
> Thank you.
>
> ------------------------------
>
> Message: 2
> Date: Thu, 23 Jan 2020 09:18:36 +0100
> From: Jacob Bunk Nielsen <jbn at one.com>
> To: dnsdist at mailman.powerdns.com
> Subject: Re: [dnsdist] DNS use cases as authoritative dns server facing
>  public internet
> Message-ID: <0ba5eded-6f47-0ab8-e9a6-ea150f6874a4 at one.com>
> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>
> Hi
>
> On 23/01/2020 04.16, wbdumangeng at dilg.gov.ph wrote:
>> I have a question regarding the posture of dnsdist as
>> authoritative dns server facing public internet. How will be the
>> design if you would put the dnsdist (load balancer) in front of the
>> origin DNS servers? I have two (2) internet facing authoritative
>> DNS translated from my firewall. Can I also do NAT on dnsdist while
>> the origin dns servers will be on private IP address?
>
> Short answer, yes.
>
> Slightly longer answer, think of dnsdist more as a caching
> proxy/load balancer than as a router. So you'd set up dnsdist to
> listen for incoming queries and let dnsdist distribute the queries
> among backend servers depending on your preferred load balancing
> scheme. See also https://dnsdist.org/guides/serverselection.html
>
> For redundancy you'll probably also want at least 2 dnsdist
> instances that can then sit in front of however many backends is
> required to handle the load.
>
> Best regards,
>
> Jacob
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 23 Jan 2020 11:07:24 +0100
> From: Andreas Danzer <andreas at danzer.org>
> To: dnsdist at mailman.powerdns.com
> Subject: Re: [dnsdist] DNS use cases as authoritative dns server facing
>  public internet
> Message-ID: <e53b293e-1e91-dba6-5637-86ac59fe6258 at danzer.org>
> Content-Type: text/plain; charset=utf-8
>
> Hi,
>
>> I have a question regarding the posture of dnsdist as authoritative
>> dns server facing public internet. How will be the design if you
>> would put the dnsdist (load balancer) in front of the origin DNS
>> servers? I have two (2) internet facing authoritative DNS
>> translated from my firewall. Can I also do NAT on dnsdist while the
>> origin dns servers will be on private IP address?
>
> Our authoritative nameservers are built with dnsdist as loadbalancer
> in front of several powerdns-servers. Some of those backend servers
> are running on private RFC1918 IP addresses, with only dnsdist having
> a global routable IP. Dnsdist also serves as some sort of dns
> firewall with rate-limiting and special handling of some request
> types (e.g. ANY). We also use it to handle incoming/outgoing
> AXFR/IXFR requests and notifications for customers based on an extra
> database and a hidden dns. Think of dnsdist as the swiss army knife
> for DNS. ;-)
>
> Regards, A. Danzer
>
>
>
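
The pool-based split described in the reply at the top of this message (pools plus addAction/PoolAction keyed on the client's source address), written out as a dnsdist configuration. This is an added example, not the poster's configuration or part of the original thread. Assumptions: the second backend instances listen on port 5300, internal clients come from 10.0.0.0/8, and the pool and server names are hypothetical; only the 192.168.0.10 and 192.168.0.11 addresses come from the thread.

```lua
-- Added example, not from the original thread. Port 5300, the 10.0.0.0/8
-- range and all pool/server names are assumptions for illustration.

-- Listen for clients on all IPv4 and IPv6 addresses.
setLocal("0.0.0.0:53")
addLocal("[::]:53")

-- dnsdist's default ACL only admits loopback and private ranges, so a
-- public-facing instance has to open it explicitly.
setACL({"0.0.0.0/0", "::/0"})

-- Backends see dnsdist as the source of every query, so source-based rules
-- in named.conf cannot tell clients apart. Instead, each "view" is a
-- separate backend instance on its own port, grouped into a pool.

-- Public view: authoritative-only instances, no recursion.
newServer({address="192.168.0.10:53",   pool="external", name="ext1"})
newServer({address="192.168.0.11:53",   pool="external", name="ext2"})

-- Internal view: instances serving the internal zone files / recursion.
newServer({address="192.168.0.10:5300", pool="internal", name="int1"})
newServer({address="192.168.0.11:5300", pool="internal", name="int2"})

-- Client networks that are allowed to reach the internal view.
internalClients = newNMG()
internalClients:addMask("10.0.0.0/8")

-- Rules are evaluated in order and PoolAction ends processing, so the
-- source-address match must come before the catch-all.
addAction(NetmaskGroupRule(internalClients), PoolAction("internal"))

-- Everything else, including the whole public internet, goes to the
-- non-recursive pool. Keeping the catch-all pointed at "external" is what
-- prevents the internal/recursive instances from being exposed.
addAction(AllRule(), PoolAction("external"))
```

On the backends, the access rules then only need to admit the dnsdist host's address, since that is the only source they will ever see.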