[dnsdist] what do you think of our dns concept?
rasto.rickardt at gmail.com
Fri Mar 12 13:29:53 UTC 2021
Frontend to backend:
1. You can answer malicious requests on dnsdist directly; you do not
need to forward them to the backend.
2. If your configuration allows, use anycast between the 3 sites (bird is
quite a good BGP speaker for this).
3. In the backend you might split your authoritative and recursive.
4. If split, you do not need to touch the recursive backend servers so
often for operation, and you can use different software vendors
(powerdns-recursor, knot-recursor, unbound) just to have different
maintenance windows in case of bugs/upgrades. A single bug will not ruin
your whole backend.
5. For authoritative, I will avoid a common table and replication; they
are prone to data corruption. You can run 1 master/supermaster server
and use different authoritative servers where you configure the zones and
master server; the rest is done with standard NOTIFY/AXFR, etc. mechanics, or
just use generated flat files if you prefer. You might run different
vendors as backend for authoritative (powerdns, knot), but there is more
work with operations for such a backend.
6. For private authoritative I will not mix it with public authoritative
and set up dedicated ones; forwarding rules in dnsdist will be clearer.
Hope this is more help than confusion :)
On 12/03/2021 11:29, Jochen Demmer via dnsdist wrote:
> we're a small local provider and we're trying to renew our DNS
> infrastructure. I humbly ask you to take a look at it and tell me what
> you think of it.
> Every black box is a VM. There are supposed to be three authoritative
> PowerDNS that use postgresql in the back, while there is a logical
> replication originating from siteA. SiteA and SiteB are within our own
> IP address range, while site C is a very different site outside of our AS.
> Every dnsdist instance is getting its own dedicated IP. There are
> dnsdist for recursive requests and dnsdists for authoritative queries.
> Recursive dnsdist balances over three pdns recursors.
> What's not in the graphic is an authoritative powerdns with no Domain
> configured. We plan to redirect requests from IPs that are not
> authorized to query some of our internal zones that we try to protect
> and also abusive requests, for example when a customer is under DDoS.
> We also plan to offer our customers a slave mode so customers can send
> us our NOTIFY queries (black arrow).
> The green arrow represents Dynamic DNS update requests if a customer
> wants the possibility to update his records via rfc2136.
> Thank you very much in advance
> Jochen Demmer
> RelAix Networks GmbH
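A dnsdist configuration sketch for the authoritative frontend that puts points 1 and 6 of the reply and the original plan (refusing unauthorized queries for internal zones, handling abusive clients, routing NOTIFY and RFC 2136 UPDATE to the master) into rules. This is an added example, not configuration from either poster; all addresses, pool names and zone names are placeholders.

```lua
-- dnsdist.conf sketch for the authoritative frontend (added example, not from the thread).
-- Every IP, network, pool name and zone name below is a placeholder.

setLocal("203.0.113.10:53")             -- dedicated frontend IP for this instance
setACL({"0.0.0.0/0", "::/0"})           -- public authoritative: accept queries from anyone

-- Backend pools: public zones, a dedicated private-only authoritative (point 6),
-- and the master that receives NOTIFY (black arrow) and UPDATE (green arrow) traffic.
newServer({address="192.0.2.11:53", pool="auth-public"})
newServer({address="192.0.2.12:53", pool="auth-public"})
newServer({address="192.0.2.21:53", pool="auth-private"})
newServer({address="192.0.2.31:53", pool="auth-master"})
setServerPolicy(leastOutstanding)

-- Source networks allowed to see the internal zones.
trusted = newNMG()
trusted:addMask("198.51.100.0/24")
trusted:addMask("2001:db8:1::/48")

internalZones = {"corp.example.net.", "10.in-addr.arpa."}

-- Point 1: answer abusive traffic on dnsdist itself instead of forwarding it.
-- Drop sources above 50 qps and push ANY queries to TCP.
addAction(MaxQPSIPRule(50), DropAction())
addAction(QTypeRule(DNSQType.ANY), TCAction())

-- Internal zones: untrusted sources get REFUSED directly (no empty PowerDNS needed);
-- trusted sources go to the dedicated private authoritative pool.
addAction(AndRule({QNameSuffixRule(internalZones), NotRule(NetmaskGroupRule(trusted))}),
          RefusedAction())
addAction(QNameSuffixRule(internalZones), PoolAction("auth-private"))

-- Zone-maintenance traffic (customer NOTIFY, RFC 2136 dynamic updates) reaches the master only.
addAction(OpcodeRule(DNSOpcode.Notify), PoolAction("auth-master"))
addAction(OpcodeRule(DNSOpcode.Update), PoolAction("auth-master"))

-- Everything else is an ordinary public authoritative query.
addAction(AllRule(), PoolAction("auth-public"))
```

Rules are evaluated in order, so the rate-limit and refusal rules sit before the pool routing; `dnsdist --check-config` validates the file before it is loaded.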