[dnsdist] Simple setup with authoritative server

Roberto Greiner roberto.greiner at fundunesp.org.br
Thu Nov 5 13:00:18 UTC 2020 

Since I posted this, no one answered helping, so yesterday I made some
new tests, searched new documentation and found how to make this work.
My final configuration became like this:


setLocal('0.0.0.0:53')
addLocal('0::0:64')
setACL({'0.0.0.0/0', '::/0'}) -- Allow all IPs access

newServer({address='127.0.0.1:5300', pool='auth'})
newServer({address='127.0.0.1:5300', pool='reverse'})
newServer({address='127.0.0.1:5301', pool='recursor'})
newServer({address='127.0.0.1:5302', pool='blackhole'})

recursive_ips = newNMG()
recursive_ips:addMask('<my IPv4 network>') -- These network masks are
the ones from allow-recursion in the Authoritative Server
recursive_ips:addMask('<my IPv6 network>')

-- I was having problems with spammers from this domain. This can be
ignored for this example
addAction({"typeform.com."}, PoolAction("blackhole"))

-- My reverse. Add the proper numbers for your network
addAction({'c.b.a.in-addr.arpa'}, PoolAction("auth"))
addAction({'l.k.j.i.h.g.f.e.d.c.b.a.ip6.arpa'}, PoolAction("auth"))


addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))
addAction(AllRule(), PoolAction('auth'))

-- disable security status polling via DNS
setSecurityPollSuffix("")

I sanitized my network addresses, obviously. I hope this works as a
template for others with the same problem.

Roberto


On 27/08/2020 15:45, Roberto Greiner via dnsdist wrote:
>
> Hi,
>
> I'm trying to set a simple authoritative server that is also a
> recursive server for my network. The idea is that for my domain (lets
> say domain.com), I want the server the answer with the aa flag
> enabled, and for my IP ranges it should answer with the addresses in
> the database. Everything else should be send to the recursive server.
>
> So, I've set powerdns on localhost:5300, with MySQL backend and using
> nsedit to edit my domains. This is working (the full config is below).
>
> I've set powerdns-recursive on localhost:5301 to answer the recursive
> requests (full config also below).
>
> Last, I've set dnsdist to <myIP>:53. The idea is that DNS requests
> asking for <domain.com>, <myip4> and <myip6> should go to powerdns.
> Everything else should go to powerdns-recursor. Simple, I guess. My
> problem is that I'm confused with the dnsdist config, so I would like
> to ask what I should add in there. So far, my config is the following:
>
> setLocal('0.0.0.0:53')
> addLocal('0::0:64')
> setACL({'0.0.0.0/0', '::/0'}) -- Allow all IPs access
> newServer({address='127.0.0.1:5300', pool='auth'})
> newServer({address='127.0.0.1:5301', pool='recursor'})
> recursive_ips = newNMG()
> recursive_ips:addMask('0.0.0.0/0') -- These network masks are the ones
> from allow-recursion in the Authoritative Server
> recursive_ips:addMask('::0/0')
> addAction({"<mydomain>."}, PoolAction("auth"))
> addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))
> addAction(AllRule(), PoolAction('auth'))
> -- disable security status polling via DNS
> setSecurityPollSuffix("")
>
> This work, but only for the domain. Queries for my ip addresses are
> being sent to the recursor. If I replace the
> 'addAction({"<mydomain>."}, PoolAction("auth"))' with
>
> addAction({"<mydomain>.", "<myip6range>", "myip4range"},
> PoolAction("auth"))
>
> Nothing is sent to the authoritative server; The right setup is
> probably simple, but I can't figure what it should be. Could somebody
> give me a hand?
>
> Thanks,
>
> Roberto
>
>
> PS: I'm using Ubuntu 20.04, pdns 4.2.1-1, installed via apt. dnsdist
> is version 1.4.0, also using apt. My setup for pdns is:
>
> api=yes
> api-key=<some key>
> include-dir=/etc/powerdns/pdns.d
> launch=gmysql
> gmysql-host=127.0.0.1
> gmysql-user=powerdns
> gmysql-dbname=powerdns
> gmysql-password=<some password>
> gmysql-dnssec=yes
> local-address=127.0.0.1
> local-ipv6=::1
> local-port=5300
> security-poll-suffix=
> setgid=pdns
> setuid=pdns
> webserver=yes
>
> My recursor.conf is:
>
> allow-from=0.0.0.0/0 ::0/0
> config-dir=/etc/powerdns
> forward-zones=<mydomain>=127.0.0.1:5300
> hint-file=/usr/share/dns/root.hints
> include-dir=/etc/powerdns/recursor.d
> local-address=127.0.0.1, ::1
> local-port=5301
> lua-config-file=/etc/powerdns/recursor.lua
> public-suffix-list-file=/usr/share/publicsuffix/public_suffix_list.dat
> quiet=yes
> security-poll-suffix=
> setgid=pdns
> setuid=pdns
>
>
>
> -- 
>
>
> ------------------------------------------------------------------------
> Logotipo da AVG <http://www.avg.com/internet-security> 	
>
> Este email foi verificado quanto a vírus pelo software AVG AntiVirus.
> www.avg.com <http://www.avg.com/internet-security>
>
>
> <#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>
>
> _______________________________________________
> dnsdist mailing list
> dnsdist at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/dnsdist
-- 


-- 
Este e-mail foi verificado quanto a vírus pelo AVG.
http://www.avg.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/dnsdist/attachments/20201105/e999b18f/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: MarcosRobertoGreiner.jpg
Type: image/jpeg
Size: 11274 bytes
Desc: not available
URL: <http://mailman.powerdns.com/pipermail/dnsdist/attachments/20201105/e999b18f/attachment-0001.jpg>

More information about the dnsdist mailing list