[dnsdist] what do you think of our dns concept?

[Jacob Bunk Nielsen]

Hi

On 12/03/2021 11.29, Jochen Demmer via dnsdist wrote:
> we're a small local provider and we're trying to renew our DNS 
> infrastructure. I humbly ask you to take a look at it and tell me what 
> you think of it.
>
> Every black box is a VM. There are supposed to be three authoritative 
> PowerDNS that use postgresql in the back, while there is a logical 
> replication originating from siteA. SiteA and SiteB are within our own 
> IP adress range, while site C ist a very different site outside of our AS.
> Every dnsdist instance is getting its own dedicated IP. There are 
> dnsdist for recursive requests and dnsdists for authoritative queries.
> Recursive dnsdist balances over three pdns recursors.

If you run a separate dnsdist for recursive DNS, why not run it together 
with the PowerDNS resolvers instead of mixing it with the authoritative 
DNS setup?

You don't have to run multiple dnsdist instances if you want to mix, you 
can split the queries based on their destination IPs, but I'd probably 
configure dnsdist to only talk to the local backends so you have 
instances that can operate independently.

> What's not in the graphic is an autoritative powerdns with no Domain 
> configured. We plan to redirect requests from IPs that are not 
> authorized querying some of our internal zones that we try to protect 
> and also abusive requests for example when a customer is under DDoS.

Why not answer directly from dnsdist in such cases? E.g. with a refused 
response or similar? Or simply drop the query and avoid participating in 
a reflection attack.

Best regards,

Jacob