[dnsdist] what do you think of our dns concept?

Jacob Bunk Nielsen jbn at one.com
Fri Mar 12 11:00:46 UTC 2021


On 12/03/2021 11.29, Jochen Demmer via dnsdist wrote:
> we're a small local provider and we're trying to renew our DNS 
> infrastructure. I humbly ask you to take a look at it and tell me what 
> you think of it.
> Every black box is a VM. There are supposed to be three authoritative 
> PowerDNS that use postgresql in the back, while there is a logical 
> replication originating from siteA. SiteA and SiteB are within our own 
> IP address range, while site C is a very different site outside of our AS.
> Every dnsdist instance is getting its own dedicated IP. There are 
> dnsdist for recursive requests and dnsdists for authoritative queries.
> Recursive dnsdist balances over three pdns recursors.

If you run a separate dnsdist for recursive DNS, why not run it together 
with the PowerDNS resolvers instead of mixing it with the authoritative 
DNS setup?

You don't have to run multiple dnsdist instances if you want to mix, you 
can split the queries based on their destination IPs, but I'd probably 
configure dnsdist to only talk to the local backends so you have 
instances that can operate independently.

> What's not in the graphic is an authoritative powerdns with no Domain 
> configured. We plan to redirect requests from IPs that are not 
> authorized querying some of our internal zones that we try to protect 
> and also abusive requests for example when a customer is under DDoS.

Why not answer directly from dnsdist in such cases? E.g. with a refused 
response or similar? Or simply drop the query and avoid participating in 
a reflection attack.

Best regards,
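To make the two suggestions above concrete (one dnsdist instance that routes on the destination address and only uses local backends, and refusing or dropping unwanted queries in dnsdist itself), here is an example dnsdist Lua configuration. It is added here for illustration and is not from Jochen's setup or from the PowerDNS project; all addresses (RFC 5737 and RFC 1918 ranges), zone names, pool names and the per-IP rate limit are made-up placeholders.

```lua
-- Added example dnsdist.conf: one instance, two listen addresses, routing
-- decided by the destination address of each query. All addresses, zone
-- names and limits below are constructed placeholders.

-- Two addresses on the same host: one faces the authoritative service,
-- one faces the recursive service.
addLocal("192.0.2.53:53")    -- authoritative-facing address (placeholder)
addLocal("192.0.2.153:53")   -- recursive-facing address (placeholder)

-- Authoritative service must be reachable by everyone, so the global ACL
-- is left open and the recursive side is restricted by rules below.
setACL({"0.0.0.0/0", "::/0"})

-- Only this site's own backends, so the instance keeps working on its own
-- when the link to the other sites is down.
newServer({address="10.0.0.11:53", pool="auth",     name="pdns-auth-local"})
newServer({address="10.0.0.21:53", pool="recursor", name="pdns-rec-local-1"})
newServer({address="10.0.0.22:53", pool="recursor", name="pdns-rec-local-2"})

-- Netmask groups matched against the *destination* address of a query.
local authListen = newNMG()
authListen:addMask("192.0.2.53/32")
local recListen = newNMG()
recListen:addMask("192.0.2.153/32")

-- Source networks that may use the recursive service (customer ranges).
local customers = newNMG()
customers:addMask("192.0.2.0/24")
customers:addMask("198.51.100.0/24")

-- Source networks that may see the protected internal zones.
local internalClients = newNMG()
internalClients:addMask("10.0.0.0/8")

-- Protected internal zone asked for by anyone outside the allowed ranges:
-- answer REFUSED directly from dnsdist, no backend is involved.
addAction(AndRule({QNameSuffixRule({"internal.example."}),
                   NotRule(NetmaskGroupRule(internalClients))}),
          RCodeAction(DNSRCode.REFUSED))

-- Recursive address hit from outside the customer ranges: drop silently,
-- so the open resolver cannot be used for reflection.
addAction(AndRule({NetmaskGroupRule(recListen, false),
                   NotRule(NetmaskGroupRule(customers))}),
          DropAction())

-- A single client exceeding 50 queries per second (placeholder value) is
-- treated as abusive and dropped rather than forwarded to a backend.
addAction(MaxQPSIPRule(50), DropAction())

-- Route by destination: NetmaskGroupRule's second argument set to false
-- matches the destination address instead of the source.
addAction(NetmaskGroupRule(recListen, false),  PoolAction("recursor"))
addAction(NetmaskGroupRule(authListen, false), PoolAction("auth"))

-- Anything that matched neither listener (should not occur) is dropped.
addAction(AllRule(), DropAction())
```

The rules are evaluated in order, so the REFUSED and drop rules sit before the pool routing; a query that is refused or dropped never reaches a backend, which is the point of handling these cases in dnsdist rather than in an empty authoritative PowerDNS. The file can be syntax-checked without starting the service using `dnsdist -C dnsdist.conf --check-config`.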

