[dnsdist] Config for authoritative resolver and local recursive resolver

Roberto Greiner roberto.greiner at fundunesp.org.br
Mon Mar 28 16:23:09 UTC 2022


Hi,

I have a setup of PowerDNS where I need to answer all queries for a domain I've registered (let's say mydomain.com). I also want to use the server to answer all requests (recursive or authoritative) originating from my local network. Since I use AD, some requests need to go to the AD server (let's say addomain.internal). Last, I created a blacklist. The authoritative PowerDNS is running on localhost, port 5300, and the blacklist PowerDNS (which will answer 127.0.0.1 for anything) is on localhost port 5302.

I would like some opinions on whether the following setup for dnsdist.conf is adequate or if I should change something:


-- dnsdist configuration file, an example can be found in /usr/share/doc/dnsdist/examples/
setLocal('0.0.0.0:53')
addLocal('[0::0]:53')
setACL({'0.0.0.0/0', '::/0'}) -- Allow all IPs access

newServer({address='127.0.0.1:5300', pool='auth'})
newServer({address='127.0.0.1:5300', pool='reverse'})
newServer({address='127.0.0.1:5302', pool='blackhole'})
newServer({address='<ad PDC IP address>:53', pool='ad'})
newServer({address="8.8.8.8:53", pool="recursive"})
newServer({address="1.1.1.1:53", pool="recursive"})

-- My black list
addAction({"<undesired domain 1>."}, PoolAction("blackhole"))
addAction({"<undesired domain 2>."}, PoolAction("blackhole"))

addAction({"addomain.internal."}, PoolAction("ad"))
addAction({"mydomain.com."}, PoolAction("auth"))
--  My IP addresses. I have a class C (/24) IP4 and a /48 IP6
addAction({'3.2.1.in-addr.arpa'}, PoolAction("reverse"))
addAction({'d.c.b.a.0.9.8.7.6.5.4.3.2.1.ip6.arpa'}, PoolAction("reverse"))

-- based on https://boisetech.org/2020/02/25/configuring-dnsdist-a-basic-config/
doh_ips=newNMG()
doh_ips:addMask('0.0.0.0/0')
doh_ips:addMask('::/0')
addAction(AndRule({NetmaskGroupRule(doh_ips, true), DSTPortRule(5053)}), PoolAction('recursive'))

recursive_ips=newNMG()
recursive_ips:addMask('127.0.0.0/8')
recursive_ips:addMask('::1/128')
recursive_ips:addMask('fe80::/10')
recursive_ips:addMask('1.2.3.0/24')
recursive_ips:addMask('123456789abcd::0/64')
addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursive'))


-- disable security status polling via DNS
setSecurityPollSuffix("")

-- Webserver. Based on https://dnsdist.org/guides/webserver.html
webserver("0.0.0.0:8083", "user", "somepass",{})


Is this setup adequate? Would someone suggest something different/better?

Tks,

Roberto Greiner
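As an added illustration (not code from the poster or from dnsdist itself), a small Python model of the first-match rule order in the configuration above, run over constructed sample queries. It assumes the placeholder blacklist entry is `ads.example.` and that `1.2.3.0/24` is the local network; the empty string stands for dnsdist's default pool, which has no servers in this config (dnsdist drops such queries unless `setServFailWhenNoServer(true)` is set).

```python
import ipaddress

# Constructed model of the posted dnsdist.conf: addAction rules are evaluated
# top to bottom and the first matching rule picks the pool.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "::1/128", "fe80::/10", "1.2.3.0/24")]
ANY_NETS = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]


def in_nets(src, nets):
    addr = ipaddress.ip_address(src)
    return any(addr in n for n in nets)  # mixed v4/v6 simply compares False


def suffix_rule(suffixes, pool):
    """Model of addAction({"name."}, PoolAction(pool)): qname suffix match."""
    names = tuple(s.rstrip(".").lower() for s in suffixes)

    def match(src, qname, dport):
        q = qname.rstrip(".").lower()
        return any(q == n or q.endswith("." + n) for n in names)
    return match, pool


def netmask_rule(nets, pool, dport=None):
    """Model of NetmaskGroupRule, optionally AND-ed with DSTPortRule."""
    def match(src, qname, port):
        return in_nets(src, nets) and (dport is None or port == dport)
    return match, pool


RULES = [
    suffix_rule(["ads.example."], "blackhole"),        # placeholder blacklist
    suffix_rule(["addomain.internal."], "ad"),
    suffix_rule(["mydomain.com."], "auth"),
    suffix_rule(["3.2.1.in-addr.arpa"], "reverse"),    # no trailing dot, still a suffix
    netmask_rule(ANY_NETS, "recursive", dport=5053),    # the DoH rule, any source
    netmask_rule(LOCAL_NETS, "recursive"),
]


def route(src, qname, dport=53):
    """Return the pool a query lands in; '' means the empty default pool."""
    for match, pool in RULES:
        if match(src, qname, dport):
            return pool
    return ""
```

Note that an external source such as `203.0.113.5` reaches the `auth` and `ad` pools under the open ACL, while its queries for other names fall into the empty default pool.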



