[Pdns-users] Recursor / pdns installation help

Patrick Coffin patrick at islandtechnologies.net
Wed Dec 22 21:22:40 UTC 2010 

Leen,

Hopefully a few last questions and I will attempt to keep it brief.  I am just having confusion on how to get the recursor servers to lookup from pdns with my configuration.  I get that being authoritative for a domain will initiate a lookup to the defined dns server.  How do I get a lookup and not expose the pdns software to the net and get the answers through recursor.

Currently this is my setup:

Each of my dns servers runs pdns and each has a slave copy of the master pdns mysql database and in turn each server looks up the dns locally via mysql.  This has been working great for 2 years.

The problem each server is running pdns which has a DOS vulnerability. which is why I am upgrading to implement recursor.
ns1@	mydomain.com - on server 1
ns2 at mydomain.com - on server 2
ns3 at mydomain.com - on server 3
ns3 at mydomain.com - on server 4

Also for testing I have ns5 setup on a new server running both pdns(5300) and recursor (53).  The pdns software from my research and security testing still has the DOS issue.  So when recursor is on ns5 responding to port 53 requests it passes the security testing.


New Setup question:

My plan is to install recursor on each of the ns1,ns2,ns3, and ns4 servers and then install pdns onto the fifth server (currently ns5).  Should pdns on each be responding to port 53 requests only from ns1-4 on port 53?  In doing this then I only have one databases connection supporting the ns1-4 servers and now do not need the mysql slaves on each server.  Currently all my hosting domains are pointing to ns1-4.

So does each server ns1-4 need a forward definition to lookup on the ns5 pdns server to get the authoritative response?

I was hoping to keep the data local to each server. Since I set it up originally this way the dns servers have been running great.  I am attempting to avoid a single point of failure with my setup.

Thanks in advance.  Like I said previously I think I am just missing a piece of the pie to get it all together.

Patrick




On Dec 22, 2010, at 3:00 AM, pdns-users-request at mailman.powerdns.com wrote:

> From: Leen Besselink <leen at consolejunkie.net>
> Subject: Re: [Pdns-users] Recursor / pdns installation help
> To: pdns-users at mailman.powerdns.com
> Message-ID: <4D1145F4.1080909 at consolejunkie.net>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> On 12/21/2010 09:09 PM, Patrick Coffin wrote:
>> Leen,
>> 
>> Thanks for the reply.  We are hosting 1000's of dns records so
>> entering them in the forwards is not at option.
>> 
>> I will take your advise to split the pdns and recursor to separate
>> servers.
>> 
>> Should I expect that if I move the pdns to a separate server that the
>> looks up will work correctly with the information I have given?  I
>> would move pdns back to port 53 and keep it connected to mysql for
>> lookups.
>> 
>> I would like it to be setup that recursor queries the pdns server and
>> database if we are authoritative for the domain. Otherwise recursor
>> should looks to the authoritative server for the answer.
>> 
> 
> If the pdns server is authoritive for the domain, every recursor in the
> world will look at your pdns server when it want to ask about that
> domain. Because the root and TLD will point them to your pdns server.
> 
> Thus so will your own recursor.
> 
> I suggest you set up a few domains in your recursor to point to your
> pdns for the domains. The few domains you use internally (don't forget
> your reverse DNS blocks).
> 
> Just in case you lose connectivity to the outside world and the external
> root/TLD-servers can't be reached.
> 
>> Is there another resource that I can reference for this setup?  I
>> believe I am just missing one or two pieces to get it working properly.
>> 
> 
> Well, I hope the above makes sense to you. Atleast if that is the setup
> you want then it should not need any other configuration then what I
> mentioned above.
> 
>> I appreciate the help!
>> 
>> Thanks,
>> Patrick
>> 
>> 
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20101222/e535af70/attachment-0001.html>

More information about the Pdns-users mailing list