[dnsdist] dnsdist Action dependent on source IP and queried domain
Jochen Demmer
jdemmer at relaix.net
Thu Feb 27 09:15:41 UTC 2020
Thank you Chris and Jacob,
this makes it very clear so far where to go; just one more question.
What if I want to have only ONE cluster of powerdns auth servers who
answer both private and public domains? How can dnsdist distinguish
between those, can it?
Our concept only contains one cluster so we have only one endpoint for
things like NSUPDATE or for the pdns API.
Best wishes
Jochen Demmer
On 27.02.20 at 09:34, Jacob Bunk Nielsen via dnsdist wrote:
> On 27/02/2020 09.13, Jochen Demmer via dnsdist wrote:
>> you're saying I can use one dnsdist instance bound to different IPs for
>> all DNS traffic no matter if it's recursive or authoritative and even at
>> the same time for my protected authoritative domains?
>
> Yes, you can do stuff like:
>
> -- One listener per role; all three live in the same dnsdist instance.
> addLocal('1.1.1.1',{})
> addLocal('2.2.2.2',{})
> addLocal('3.3.3.3',{})
>
> -- Netmask groups for the listening addresses (matched against the
> -- destination side of the query) and for the trusted client networks
> -- (matched against the source address).
> external_auth_dns_ips = newNMG()
> external_auth_dns_ips:addMask('1.1.1.1/32')
>
> external_recursive_dns_ips = newNMG()
> external_recursive_dns_ips:addMask('2.2.2.2/32')
>
> internal_dns_ips = newNMG()
> internal_dns_ips:addMask('3.3.3.3/32')
>
> internal_network = newNMG()
> internal_network:addMask('10.0.0.0/8')
> internal_network:addMask('192.168.0.0/16')
>
> -- NetmaskGroupRule(nmg, false) matches the destination address, i.e. the
> -- local IP the query arrived on; the default (src = true) matches the client.
> addAction(NetmaskGroupRule(external_auth_dns_ips, false),
>           PoolAction('auth_pool'))
>
> addAction(NetmaskGroupRule(external_recursive_dns_ips, false),
>           PoolAction('recursive_pool'))
>
> -- Internal zones: only via the internal listener AND only from internal clients.
> addAction(AndRule({NetmaskGroupRule(internal_dns_ips, false),
>                    NetmaskGroupRule(internal_network)}),
>           PoolAction('internal_auth_pool'))
>
> Then you of course want to create relevant backends using newServer()
> and probably add a bit of caching as well.
>
> But as always, there's more than one way to do it :-)
>
>> Since there are several thousand domains we host for our customers and a
>> few protected ones, I would have to keep dnsdist informed about all of
>> those, right? This is not something I would like to do manually, of
>> course. Without dnsdist knowing, how could it decide where to
>> redirect the query or even to deny the request in the first place?
>>
>> Can someone please give a short example of what such an Action could look
>> like?
>> I've tried something like this but this is obviously not enough.
>>
>> addAction(RegexRule(".internal\\.domain\\.net$"),
>> PoolAction("privatezone"))
> That's why I suggest setting it up on a separate IP. You can even put
> it in a separate dnsdist instance if you prefer to keep things
> completely separate, but the above (untested) config would also just
> solve this for you.
>> But this would need a second selector, which would be this NMG thing. How
>> can I combine that?
>> I also made a small matrix on what shall be done with which requests.
>> See attached image.
> You can make explicit rules to return REFUSED replies in the cases
> where you want that.
>
> Best regards,
>
> Jacob
>
> _______________________________________________
> dnsdist mailing list
> dnsdist at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/dnsdist
--
Jochen Demmer
System and Network Specialist
RelAix Networks GmbH
Auf der Hüls 172
52068 Aachen
Tel.: 0241 / 990001-206
Fax: 0241 / 990001-149
E-Mail: jdemmer at relaix.net
Internet: http://www.relaix.net/
Managing Director: Thomas Neugebauer
District Court Aachen, HRB 15108
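The follow-up question in this message (a single PowerDNS Authoritative cluster that serves both public and protected zones, so dnsdist cannot route on the backend) can be handled by selecting on the queried name instead of on the pool. The configuration below is an added example written for this page; it is not from Jochen's or Jacob's messages or from the dnsdist project. The listener addresses, backend addresses, the pool name, the file path and the zone list are placeholders. It loads the protected zones from a file (one zone per line, so the list can be generated from the pdns API rather than maintained by hand, which was the concern about "several thousand domains"), builds a SuffixMatchNode from it, and returns REFUSED for any query for a protected zone that does not originate from the internal networks, before the query ever reaches the cluster. Because dnsdist evaluates rules in order and a query matching no rule goes to the default pool, the REFUSED rule must come before the catch-all.

```lua
-- Added example, not from the original thread or the dnsdist project.
-- All addresses, the pool name and the file path are placeholders.

-- Listeners: one public, one internal. Both feed the same backend cluster.
addLocal('192.0.2.53', {})   -- public authoritative address (placeholder)
addLocal('10.0.0.53', {})    -- internal authoritative address (placeholder)

-- The single PowerDNS Authoritative cluster (placeholder addresses).
newServer({address = '10.0.1.10:53', pool = 'auth'})
newServer({address = '10.0.1.11:53', pool = 'auth'})

-- Client networks allowed to see the protected zones.
internal_network = newNMG()
internal_network:addMask('10.0.0.0/8')
internal_network:addMask('192.168.0.0/16')

-- Protected zones, loaded from a file so the list can be generated
-- (e.g. from the pdns API) instead of being kept in this config by hand.
-- A SuffixMatchNode entry matches the zone apex and every name below it.
protected_zones = newSuffixMatchNode()

function loadProtectedZones(path)
  local count = 0
  for line in io.lines(path) do
    -- trim whitespace, skip blank lines and '#' comments
    local zone = line:gsub('^%s+', ''):gsub('%s+$', '')
    if zone ~= '' and not zone:match('^#') then
      protected_zones:add(newDNSName(zone))
      count = count + 1
    end
  end
  return count
end

loadProtectedZones('/etc/dnsdist/protected-zones.txt')  -- placeholder path

-- Rule 1: a query for a protected zone from outside the internal networks
-- is answered REFUSED by dnsdist itself; the cluster never sees it.
addAction(AndRule({SuffixMatchNodeRule(protected_zones),
                   NotRule(NetmaskGroupRule(internal_network))}),
          RCodeAction(DNSRCode.REFUSED))

-- Rule 2: everything else (public zones from anywhere, protected zones
-- from inside) goes to the single cluster. Order matters: this catch-all
-- must come after the REFUSED rule.
addAction(AllRule(), PoolAction('auth'))
```

Rules are evaluated in the order they were added, so the REFUSED rule has to be the first one that matches a protected name from the outside; putting the pool rule first would send every query to the cluster. `loadProtectedZones` returns the number of entries it added, which is a cheap sanity check after regenerating the file, but because the SuffixMatchNode only grows, a zone that should stop being protected needs a restart (or a fresh node) rather than just a reload of the file. Matching is by suffix, so one entry such as `internal.domain.net` covers every name beneath it, whereas the public zones need no entries at all.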