[Pdns-users] Running pdns alongside pdns-recursor on the same host
Odhiambo Washington
odhiambo at gmail.com
Thu Jun 7 10:15:26 UTC 2012
This works dandy!
Thanks.
On Thu, Jun 7, 2012 at 1:04 PM, Oliver Kent <admin at peerx.co> wrote:
> Sure, no problem. Here is what you need to set:
>
> allow-recursion= [subnets you want to allow to recurse, I think they are
> comma seperate but it may be by space]
> lazy-recursion=yes
> recursor=127.0.0.1:54
>
> That should be it.
>
> Oli
>
> On Thu, Jun 7, 2012 at 10:48 AM, Odhiambo Washington <odhiambo at gmail.com>wrote:
>
>>
>>
>> On Thu, Jun 7, 2012 at 12:36 PM, Oliver Kent <admin at peerx.co> wrote:
>>
>>> I happen to disagree, since I know for a fact it is possible to run both
>>> the authoritative server and recursor on the same IP address, I happen to
>>> be doing that at the moment.
>>>
>>> Leave the authoritative server on port 53 and switch the recursor to
>>> port 54 (or a random port not in use). Have the authoritative server
>>> forward recursive queries to the recursor on your desired port (e.g
>>> 127.0.0.1:54) and perhaps set lazy recursion as well. Thats it!
>>>
>>> Obviously, the problem with this method is that for each query that
>>> comes in, the authoritative server will check for the domain first before
>>> passing to the recursor, but thats where the cache comes in and I have
>>> never really had a problem with it. I guess it depends on the amount of
>>> domains you have.
>>>
>>> I also object to the suggestion that it is a bad idea to run both
>>> servers on the same host. If anything, it increases security as you can
>>> limit queries to the recursor to localhost and in turn, limit recursive
>>> access to the outside world on the authoritative server.
>>>
>>> Just my two cents!
>>>
>>>
>> Hi Oli,
>>
>> I intend to only allow my subnets to do recursion. I don't want to allow
>> the whole planet to do that. They can rely on the authoritative server.
>>
>> Could you kindly supply me with a snippet of the options I need in
>> pdns.conf so that it passes the queries to the recursor?
>> I hope that allow-recursion=mysubnet/cidr will be used to control who is
>> allowed to recurse.
>>
>> I can see recursor=192.168.40.252, but suppose recursor daemon is
>> listening on port 54, how will I tell the authoritative daemon that?
>>
>>
>> --
>> Best regards,
>> Odhiambo WASHINGTON,
>> Nairobi,KE
>> +254733744121/+254722743223
>> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
>> I can't hear you -- I'm using the scrambler.
>>
>>
>> _______________________________________________
>> Pdns-users mailing list
>> Pdns-users at mailman.powerdns.com
>> http://mailman.powerdns.com/mailman/listinfo/pdns-users
>>
>>
>
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-users
>
>
--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
I can't hear you -- I'm using the scrambler.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20120607/6137bd37/attachment-0001.html>
More information about the Pdns-users
mailing list