[Pdns-users] Please validate my PowerDNS Infrastucture proposal

Steven Crandell steven.crandell at gmail.com
Sun Oct 18 23:41:30 UTC 2009


On Sun, Oct 18, 2009 at 3:50 PM, Barron, Josh <jbarron at afsnetworks.com> wrote:

> I think I have it understood.  I just setup the public DNS servers to
> replicate the stealth master DNS server; everything else is resolved at the
> database layer.  The only vulnerability is that if my primary database is
> corrupted or compromised, the 4 public servers are instantly invalid.
>

As it relates to a compromise, super master setups are similarly vulnerable.
The only difference is that if your master is compromised, the bad data will
be pushed out to slaves via AXFR updates rather than db replication.
Depending on how you're looking at the situation, it might be worth
mentioning that a properly configured PDNS instance does not expose the
database to public scrutiny.  Therefore, in either scenario, an attacker
must compromise PDNS itself.

As it relates to corruption: Using a super master setup will only save you
if the corruption on the master actually prevents AXFRs from being
transmitted properly (e.g. on-disk file corruption etc).  In that case your
slaves will hum along happily with valid, if stale, data.  In practice, most
data "corruption" tends to be a result of an authorized operator
accidentally issuing something along the lines of:
DELETE FROM records;
In this situation there's little if any difference between the time periods
when a db replicated setup vs. a super master setup will reflect the bad
data.
Web frontends and transactions are the answer here.

The ultimate decision maker for me was the fact that PDNS won't perform AXFR
updates to hosts that are not listed as NS hosts in the master DB.  This
made it (close to) impossible for me to use master-slave or super master
configurations that push updates to reserved/VPN'd IP addresses.

While slightly counter-intuitive, native db replication is, in my opinion,
the least complicated method for keeping multiple PDNS hosts in sync.



>
> Last question for now, do I do anything special with PDNS on the "public"
> name servers, or do I just set them up normally...
>

This is fairly open-ended but here are some thoughts for consideration:

- set your version-string to anonymous
- ensure your pdns webserver is off, or protected by a firewall
- use chroot
- make sure you are not providing recursion to the entire internet
(allow-recursion=<specific ip/nets>)
- if you're using db replication you can disable-axfr=yes
- you should also be able to: disable-tcp=yes



>
> -Josh
>
>
> -----Original Message-----
> From: Baird, Josh [mailto:jbaird at follett.com]
> Sent: Sun 10/18/2009 4:41 PM
> To: Barron, Josh; Patrick Domack; Pdns-users at mailman.powerdns.com
> Subject: RE: [Pdns-users] Please validate my PowerDNS Infrastucture
> proposal
>
> In a sense, you are deploying a stealth master -- one that the outside
> world cannot directly query, and one that does not appear in the RRset of
> your domains (therefore making it "stealth").
>
> One option:
>
> Assuming that you are using a SQL based backend, you can make all changes
> on your stealth master.  These changes are then replicated (using MySQL
> replication, etc) to the four public DNS servers.  No need for AXFR zone
> transfers or anything.. everything is handled at the database layer.
>
> Josh
>
> ________________________________
>
> From: pdns-users-bounces at mailman.powerdns.com on behalf of Barron, Josh
> Sent: Sun 10/18/2009 5:04 PM
> To: Patrick Domack; Pdns-users at mailman.powerdns.com
> Subject: Re: [Pdns-users] Please validate my PowerDNS Infrastucture
> proposal
>
>
>
> Maybe I'm confused about the concepts.
> The idea is to make the publicly available name servers slaves to the
> master (which doesn't respond to public queries).  If I use database
> replication, won't it just replicate the entire database, requiring all the
> servers to be masters?
>
>
>
>
> -----Original Message-----
> From: Patrick Domack [mailto:patrickdk at patrickdk.com]
> Sent: Sun 10/18/2009 12:59 PM
> To: Barron, Josh
> Subject: Re: [Pdns-users] Please validate my PowerDNS Infrastucture
> proposal
>
> I would question the usage of using superslave, unless you have other
> master servers that don't run powerdns somewhere.
>
> I would personally just use the built in database replication to
> distribute updates, then depending on superslave, it will cause less
> updates to happen (just the record that changed, vs the whole domain)
> and is much easier to secure.
>
>
> Quoting "Barron, Josh" <jbarron at afsnetworks.com>:
>
> >
> > Hello all,
> >
> > Please validate my proposed PDNS based infrastructure:
> >
> > Customers (and internal support technicians) will login to "PowerDNS
> > on Rails" or "PowerAdmin" Frontend server.  This server will host
> > PDNS (not PDNS-Recursor) but will not respond to DNS queries from
> > the Internet.  Its only access from behind the firewall will be
> > web-based for domain administration.
> > 4 other servers, geographically distributed, will be used to run
> > PDNS and PDNS-Recursor.  I would like them configured in possibly a
> > superslave configuration.  Basically what I'm looking for is when
> > the "Master" server described above creates a new domain or updates
> > a domain, it sends notifies to the slaves to update or add the zone.
> >  I want the name servers that respond to DNS queries to be slave
> > servers and precursors only to try to mitigate any possible poisoning.
> >
> > What am I missing, if anything?  Any feedback or suggestions, even
> > criticism, is welcome.  We are trying to create a geographically
> > diverse, secure, and reliable DNS infrastructure for us and our
> > customers.  We are migrating from a dual server setup (West running
> > Bind 9, East running Men&Mice).
> >
> > Thanks!
> > -Josh
> > _______________________________________________
> > Pdns-users mailing list
> > Pdns-users at mailman.powerdns.com
> > http://mailman.powerdns.com/mailman/listinfo/pdns-users
>
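
Added example (not part of the original thread and not PowerDNS project code): a small auditor that checks a pdns.conf on a public name server against the version-string, webserver, chroot, allow-recursion and disable-axfr items from the hardening list in the reply above. The setting names are the ones used in the thread plus `webserver` and `chroot`; the sample configuration and the function names are constructed for illustration, and an unset `allow-recursion` is treated as not meeting the checklist.

```python
import ipaddress

# Constructed sample config (not from the thread): a public PDNS node.
SAMPLE_CONF = """\
# public authoritative node
launch=gmysql
version-string=full
webserver=yes
allow-recursion=10.0.0.0/8, 0.0.0.0/0
disable-axfr=no
"""

def parse_pdns_conf(text):
    """Parse key=value lines; '#' starts a comment; the last value wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def audit(settings, db_replication=True):
    """Return one finding per checklist item the config does not meet."""
    findings = []
    if settings.get("version-string") != "anonymous":
        findings.append("version-string is not 'anonymous'")
    web = settings.get("webserver")
    if web is not None and web.lower() not in ("no", "off"):
        findings.append("webserver is enabled: turn it off or firewall it")
    if not settings.get("chroot"):
        findings.append("chroot is not set")
    nets = [n.strip() for n in settings.get("allow-recursion", "").split(",") if n.strip()]
    if not nets:
        findings.append("allow-recursion does not list specific ip/nets")
    for net in nets:
        try:
            if ipaddress.ip_network(net, strict=False).prefixlen == 0:
                findings.append(f"allow-recursion includes {net} (entire internet)")
        except ValueError:
            findings.append(f"allow-recursion entry {net!r} is not a valid ip/net")
    if db_replication and settings.get("disable-axfr", "").lower() != "yes":
        findings.append("disable-axfr is not 'yes' although zones sync via db replication")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_pdns_conf(SAMPLE_CONF)):
        print("FINDING:", finding)
```

Pass `db_replication=False` when the node receives zones by AXFR, so the disable-axfr item is skipped.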