[dnsdist] Simple setup with authoritative server
Roberto Greiner
roberto.greiner at fundunesp.org.br
Fri Nov 6 13:12:24 UTC 2020
Oops.
A small correction. In the "addLocal" directive below, the IPv6 address
I posted is wrong. The correct entry would be:
addLocal('[0::0]:53')
On 05/11/2020 10:00, Roberto Greiner via dnsdist wrote:
>
> Since I posted this, no one answered helping, so yesterday I made some
> new tests, searched new documentation and found how to make this work.
> My final configuration became like this:
>
>
> setLocal('0.0.0.0:53')
> addLocal('0::0:64')
> setACL({'0.0.0.0/0', '::/0'}) -- Allow all IPs access
>
> newServer({address='127.0.0.1:5300', pool='auth'})
> newServer({address='127.0.0.1:5300', pool='reverse'})
> newServer({address='127.0.0.1:5301', pool='recursor'})
> newServer({address='127.0.0.1:5302', pool='blackhole'})
>
> recursive_ips = newNMG()
> recursive_ips:addMask('<my IPv4 network>') -- These network masks are the ones from allow-recursion in the Authoritative Server
> recursive_ips:addMask('<my IPv6 network>')
>
> -- I was having problems with spammers from this domain. This can be ignored for this example
> addAction({"typeform.com."}, PoolAction("blackhole"))
>
> -- My reverse. Add the proper numbers for your network
> addAction({'c.b.a.in-addr.arpa'}, PoolAction("auth"))
> addAction({'l.k.j.i.h.g.f.e.d.c.b.a.ip6.arpa'}, PoolAction("auth"))
>
>
> addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))
> addAction(AllRule(), PoolAction('auth'))
>
> -- disable security status polling via DNS
> setSecurityPollSuffix("")
>
> I sanitized my network addresses, obviously. I hope this works as a
> template for others with the same problem.
>
> Roberto
>
>
> On 27/08/2020 15:45, Roberto Greiner via dnsdist wrote:
>>
>> Hi,
>>
>> I'm trying to set up a simple authoritative server that is also a
>> recursive server for my network. The idea is that for my domain (let's
>> say domain.com), I want the server to answer with the aa flag
>> enabled, and for my IP ranges it should answer with the addresses in
>> the database. Everything else should be sent to the recursive server.
>>
>> So, I've set powerdns on localhost:5300, with MySQL backend and using
>> nsedit to edit my domains. This is working (the full config is below).
>>
>> I've set powerdns-recursive on localhost:5301 to answer the recursive
>> requests (full config also below).
>>
>> Last, I've set dnsdist to <myIP>:53. The idea is that DNS requests
>> asking for <domain.com>, <myip4> and <myip6> should go to powerdns.
>> Everything else should go to powerdns-recursor. Simple, I guess. My
>> problem is that I'm confused with the dnsdist config, so I would like
>> to ask what I should add in there. So far, my config is the following:
>>
>> setLocal('0.0.0.0:53')
>> addLocal('0::0:64')
>> setACL({'0.0.0.0/0', '::/0'}) -- Allow all IPs access
>> newServer({address='127.0.0.1:5300', pool='auth'})
>> newServer({address='127.0.0.1:5301', pool='recursor'})
>> recursive_ips = newNMG()
>> recursive_ips:addMask('0.0.0.0/0') -- These network masks are the ones from allow-recursion in the Authoritative Server
>> recursive_ips:addMask('::0/0')
>> addAction({"<mydomain>."}, PoolAction("auth"))
>> addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))
>> addAction(AllRule(), PoolAction('auth'))
>> -- disable security status polling via DNS
>> setSecurityPollSuffix("")
>>
>> This works, but only for the domain. Queries for my IP addresses are
>> being sent to the recursor. If I replace the
>> 'addAction({"<mydomain>."}, PoolAction("auth"))' with
>>
>> addAction({"<mydomain>.", "<myip6range>", "myip4range"}, PoolAction("auth"))
>>
>> nothing is sent to the authoritative server. The right setup is
>> probably simple, but I can't figure out what it should be. Could somebody
>> give me a hand?
>>
>> Thanks,
>>
>> Roberto
>>
>>
>> PS: I'm using Ubuntu 20.04, pdns 4.2.1-1, installed via apt. dnsdist
>> is version 1.4.0, also using apt. My setup for pdns is:
>>
>> api=yes
>> api-key=<some key>
>> include-dir=/etc/powerdns/pdns.d
>> launch=gmysql
>> gmysql-host=127.0.0.1
>> gmysql-user=powerdns
>> gmysql-dbname=powerdns
>> gmysql-password=<some password>
>> gmysql-dnssec=yes
>> local-address=127.0.0.1
>> local-ipv6=::1
>> local-port=5300
>> security-poll-suffix=
>> setgid=pdns
>> setuid=pdns
>> webserver=yes
>>
>> My recursor.conf is:
>>
>> allow-from=0.0.0.0/0 ::0/0
>> config-dir=/etc/powerdns
>> forward-zones=<mydomain>=127.0.0.1:5300
>> hint-file=/usr/share/dns/root.hints
>> include-dir=/etc/powerdns/recursor.d
>> local-address=127.0.0.1, ::1
>> local-port=5301
>> lua-config-file=/etc/powerdns/recursor.lua
>> public-suffix-list-file=/usr/share/publicsuffix/public_suffix_list.dat
>> quiet=yes
>> security-poll-suffix=
>> setgid=pdns
>> setuid=pdns
>>
>>
>>
>> --
>>
>>
>> ------------------------------------------------------------------------
>> Logotipo da AVG <http://www.avg.com/internet-security>
>>
>> Este email foi verificado quanto a vírus pelo software AVG AntiVirus.
>> www.avg.com <http://www.avg.com/internet-security>
>>
>>
>> <#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>
>>
>> _______________________________________________
>> dnsdist mailing list
>> dnsdist at mailman.powerdns.com
>> https://mailman.powerdns.com/mailman/listinfo/dnsdist
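As an added illustration that is not part of the thread or of dnsdist itself, here is a small Python model of how the final rule chain above routes queries: dnsdist evaluates addAction() rules in order and the first match picks the pool, a NetmaskGroupRule matches the client's source address, and reverse lookups are PTR queries under in-addr.arpa / ip6.arpa, so they are routed by name suffix rather than by netmask. The networks and reverse zones are constructed placeholders standing in for the poster's sanitized values.

```python
import ipaddress

# Constructed model of the poster's final rule chain (not dnsdist's own code).
# Each rule is a predicate over (qname, client_ip); first match selects the pool.

def suffix_rule(suffixes):
    """Name rule: match qname equal to, or ending in, one of the suffixes."""
    suf = tuple(s.rstrip(".").lower() for s in suffixes)
    def match(qname, client):
        name = qname.rstrip(".").lower()
        return any(name == s or name.endswith("." + s) for s in suf)
    return match

def netmask_group_rule(masks):
    """NetmaskGroupRule equivalent: match on the *client* source address."""
    nets = [ipaddress.ip_network(m) for m in masks]
    def match(qname, client):
        return any(ipaddress.ip_address(client) in n for n in nets)
    return match

def all_rule():
    return lambda qname, client: True

# Placeholders for "<my IPv4 network>" / "<my IPv6 network>" (constructed).
RECURSIVE_IPS = ["192.0.2.0/24", "2001:db8::/32"]
# Same order as the thread's addAction() calls: blackhole, reverse zones to
# auth, internal clients to recursor, everyone else to auth (no open recursion).
RULES = [
    (suffix_rule(["typeform.com."]), "blackhole"),
    (suffix_rule(["c.b.a.in-addr.arpa",
                  "l.k.j.i.h.g.f.e.d.c.b.a.ip6.arpa"]), "auth"),
    (netmask_group_rule(RECURSIVE_IPS), "recursor"),
    (all_rule(), "auth"),
]

def select_pool(qname, client, rules=RULES):
    """Return the pool chosen by the first matching rule for this query."""
    for rule, pool in rules:
        if rule(qname, client):
            return pool
    return "default"

if __name__ == "__main__":
    for q, c in [("7.c.b.a.in-addr.arpa.", "203.0.113.9"),   # PTR from outside
                 ("www.example.org.", "192.0.2.10"),         # internal client
                 ("www.example.org.", "203.0.113.9"),        # external client
                 ("api.typeform.com.", "192.0.2.10")]:       # blocked domain
        print(f"{q} from {c} -> {select_pool(q, c)}")
```

Swapping the order of the netmask rule and the reverse-zone rule would not change these results, but putting the AllRule() line first would send everything to the authoritative pool, which is the order-sensitivity the thread's configuration depends on.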