[dnsdist] RES: Config for authoritative resolver and local recursive resolver
Roberto Greiner
roberto.greiner at fundunesp.org.br
Mon Mar 28 19:50:07 UTC 2022
I noticed that my setup didn't reply properly when some external entity tried to do recursion, so I dug some more. Based on https://doc.powerdns.com/authoritative/guides/recursion.html, I modified my config to the following:
setLocal('0.0.0.0:53')
addLocal('[0::0]:53')
setACL({'0.0.0.0/0', '::/0'}) -- Allow all IPs access
newServer({address='127.0.0.1:5300', pool='auth'})
newServer({address='127.0.0.1:5301', pool='recursor'})
newServer({address='127.0.0.1:5302', pool='blackhole'})
newServer({address='<AD PDC ip address>:53', pool='ad'})
addAction({"addomain.internal."}, PoolAction("ad"))
addAction({"<undesired domain1>."}, PoolAction("blackhole"))
addAction({"<undesired domain2>."}, PoolAction("blackhole"))
recursive_ips = newNMG()
recursive_ips:addMask('127.0.0.0/8')
recursive_ips:addMask('::1/128')
recursive_ips:addMask('fe80::/10')
recursive_ips:addMask('<ipv4 range>/24')
recursive_ips:addMask('<ipv6 range>/48')
addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))
addAction(AllRule(), PoolAction('auth'))
-- disable security status polling via DNS
setSecurityPollSuffix("")
-- Webserver. Based on https://dnsdist.org/guides/webserver.html
webserver("0.0.0.0:8083", "user", "somepass",{})
Is that a good config? Any suggestions on something else I should do?
Roberto Greiner
Informática-Fundunesp
From: dnsdist <dnsdist-bounces at mailman.powerdns.com> On behalf of Roberto Greiner via dnsdist
Sent: Monday, 28 March 2022 13:23
To: dnsdist at mailman.powerdns.com
Subject: [dnsdist] Config for authoritative resolver and local recursive resolver
Hi,
I have a setup of PowerDNS where I need to answer all queries for a domain I've registered (let's say mydomain.com). I also want to use the server to answer all requests (recursive or authoritative) originating from my local network. Since I use AD, some requisitions need to go to the AD server (let's say addomain.internal). Last, I created a blacklist. The authoritative PowerDNS is running in localhost, port 5300, and the blacklist PowerDNS (which will answer 127.0.0.1 for anything) is in localhost port 5302.
I would like some opinions if the following setup for dnsdist.conf is adequate or if I should change something:
-- dnsdist configuration file, an example can be found in /usr/share/doc/dnsdist/examples/
setLocal('0.0.0.0:53')
addLocal('[0::0]:53')
setACL({'0.0.0.0/0', '::/0'}) -- Allow all IPs access
newServer({address='127.0.0.1:5300', pool='auth'})
newServer({address='127.0.0.1:5300', pool='reverse'})
newServer({address='127.0.0.1:5302', pool='blackhole'})
newServer({address='<ad PDC IP address>:53', pool='ad'})
newServer({address="8.8.8.8:53", pool="recursive"})
newServer({address="1.1.1.1:53", pool="recursive"})
-- My black list
addAction({"<undesired domain 1>."}, PoolAction("blackhole"))
addAction({"<undesired domain 2>."}, PoolAction("blackhole"))
addAction({"addomain.internal."}, PoolAction("ad"))
addAction({"mydomain.com."}, PoolAction("auth"))
-- My IP addresses. I have a class C (/24) IP4 and a /48 IP6
addAction({'3.2.1.in-addr.arpa'}, PoolAction("reverse"))
addAction({'d.c.b.a.0.9.8.7.6.5.4.3.2.1.ip6.arpa'}, PoolAction("reverse"))
-- based on https://boisetech.org/2020/02/25/configuring-dnsdist-a-basic-config/
doh_ips=newNMG()
doh_ips:addMask('0.0.0.0/0')
doh_ips:addMask('::/0')
addAction(AndRule({NetmaskGroupRule(doh_ips, true), DSTPortRule(5053)}), PoolAction('recursive'))
recursive_ips=newNMG()
recursive_ips:addMask('127.0.0.0/8')
recursive_ips:addMask('::1/128')
recursive_ips:addMask('fe80::/10')
recursive_ips:addMask('1.2.3.0/24')
recursive_ips:addMask('123456789abcd::0/64')
addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursive'))
-- disable security status polling via DNS
setSecurityPollSuffix("")
-- Webserver. Based on https://dnsdist.org/guides/webserver.html
webserver("0.0.0.0:8083", "user", "somepass",{})
Is this setup adequate? Would someone suggest something different/better?
Tks,
Roberto Greiner
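dnsdist evaluates addAction rules top to bottom and the first match wins, so in the configuration above the addomain.internal and blackhole rules apply to every source address, because they precede the NetmaskGroupRule. The following is an added example, not the poster's file, of the same setup with the source-address decision made first, so that clients outside the local network can only reach the authoritative pool for the published zones. The <...> placeholders, the mydomain.com zone and the reverse zones are taken from the post; setWebserverConfig assumes dnsdist 1.6 or newer.

```lua
-- Listeners and ACL as in the post: the public zones must be reachable from anywhere.
setLocal('0.0.0.0:53')
addLocal('[::]:53')
setACL({'0.0.0.0/0', '::/0'})

newServer({address='127.0.0.1:5300', pool='auth'})
newServer({address='127.0.0.1:5301', pool='recursor'})
newServer({address='127.0.0.1:5302', pool='blackhole'})
newServer({address='<AD PDC ip address>:53', pool='ad'})  -- placeholder from the post

-- Clients that may use recursion, the AD forward and the blackhole.
local_clients = newNMG()
local_clients:addMask('127.0.0.0/8')
local_clients:addMask('::1/128')
local_clients:addMask('<ipv4 range>/24')  -- placeholder from the post
local_clients:addMask('<ipv6 range>/48')  -- placeholder from the post
not_local = NotRule(NetmaskGroupRule(local_clients))

-- Zones the authoritative server publishes to the world (names from the post).
public_zones = QNameSuffixRule({'mydomain.com.',
                                '3.2.1.in-addr.arpa.',
                                'd.c.b.a.0.9.8.7.6.5.4.3.2.1.ip6.arpa.'})

-- Rules are tried in order, first match wins, so decide on the source address first.
-- 1. Non-local clients may ask for the public zones only.
addAction(AndRule({not_local, public_zones}), PoolAction('auth'))
-- 2. Anything else from outside is answered REFUSED here, so it never reaches the
--    AD, blackhole or recursor pools. REFUSED rather than a drop, so that a
--    legitimate resolver gets a clean negative answer instead of retrying.
addAction(not_local, RCodeAction(DNSRCode.REFUSED))
-- 3. Only local clients get past this point; these rules are the poster's,
--    now reachable from the local network only.
addAction({'<undesired domain1>.'}, PoolAction('blackhole'))
addAction({'<undesired domain2>.'}, PoolAction('blackhole'))
addAction({'addomain.internal.'}, PoolAction('ad'))
addAction(AllRule(), PoolAction('recursor'))

-- disable security status polling via DNS, as in the post
setSecurityPollSuffix('')

-- Management interface bound to loopback only; credentials restricted by ACL.
webserver('127.0.0.1:8083')
setWebserverConfig({password='somepass', acl='127.0.0.1, ::1'})
```

Local clients still reach the recursor for every name, including mydomain.com, exactly as in the poster's second configuration; only the outside view changes.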