[Pdns-users] Recursor / pdns installation help

Leen Besselink leen at consolejunkie.net
Thu Dec 23 09:00:12 UTC 2010

Hello Patrick,
> Each of my dns servers runs pdns and each has a slave copy of the
> master pdns mysql database and in turn each server looks up the dns
> locally via mysql.  This has been working great for 2 years.
> The problem is each server is running pdns, which has a DOS vulnerability,
> which is why I am upgrading to implement recursor.
> ns1 at mydomain.com - on server 1
> ns2 at mydomain.com - on server 2
> ns3 at mydomain.com - on server 3
> ns3 at mydomain.com - on server 4
Sounds like you are trying to solve this problem the wrong way.

A recursor cannot act as an authoritative server for a domain; when
serving domains, you need an authoritative server like pdns (for example:
bind may combine the 2 functions into one server, but by default it also
cannot be authoritative for domains it does not have the data for).

If you are worried about mysql being too slow to handle a DOS attack, you
should eliminate the database on (some of) the public servers:

1. you should use something like the "bind-zone file backend" (files on
disk, instead of a database) on those servers; that should be the fastest

2. those servers would be slave servers; the server with the database is
the master server

I thought I could recommend superslave operation where new domains are
automatically recognised and added, but it seems like that is not
supported on the file backend.

Bert: it looks like the option exists in the code, but it is not in the
documentation on http://doc.powerdns.com/ ?:

supermaster-config: Location of (part of) named.conf where pdns can
write zone-statements to
supermasters: List of IP-addresses of supermasters
supermaster-destdir: Destination directory for newly added slave zones

PS with superslaves, domains are not deleted, you should create a script
for that.
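The master/slave split suggested above, written out as an added example (not part of the original post or the PowerDNS documentation); the file paths, the master address 192.0.2.1, the slave addresses 192.0.2.2-4 and the zone name are placeholders:

```ini
# --- /etc/powerdns/pdns.conf on the master (the server that keeps mysql) ---
# Placeholder values throughout; adjust to the real hosts.
launch=gmysql
gmysql-host=127.0.0.1
gmysql-dbname=pdns
gmysql-user=pdns
gmysql-password=CHANGE-ME
# Send NOTIFY to the slaves listed in the zone's NS records when a zone changes.
master=yes
# Only the public slaves may pull zones out of the master by AXFR.
allow-axfr-ips=192.0.2.2,192.0.2.3,192.0.2.4

# --- /etc/powerdns/pdns.conf on each public slave (ns1..ns3) -----------------
# No database here: zones are plain files loaded by the bind backend.
launch=bind
bind-config=/etc/powerdns/named.conf
# Accept NOTIFY from the master and fetch updated zones by AXFR.
slave=yes
# Do not set "recursor=": these are authoritative-only servers.
# Restrict outbound zone transfers from the slaves; nothing needs to AXFR
# from them, so allow only localhost for testing with "dig axfr".
allow-axfr-ips=127.0.0.1

# --- /etc/powerdns/named.conf on each slave (referenced by bind-config) ------
# One stanza per zone. The "file" directory must be writable by the pdns
# user, because the backend writes the transferred zone there.
#   zone "mydomain.com" {
#       type slave;
#       file "/var/lib/powerdns/zones/mydomain.com";
#       masters { 192.0.2.1; };
#   };
```

Each zone still has to be added to named.conf by hand (or by the supermaster options Leen lists above, if they work with this backend), and removing a zone from mysql does not remove its stanza or file on the slaves.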

