[Pdns-users] Running pdns alongside pdns-recursor on the same host

Oliver Kent admin at peerx.co
Thu Jun 7 10:20:15 UTC 2012


Sorry, I forgot to add. If you set an external recursor (like google), be
aware if you have an excessive amount of recursive queries, they may see
this as an attack. Although I haven't had any issues with doing it in the
past.

The authoritative server does not have forward zones functionality, the
recursor does.

Oli

On Thu, Jun 7, 2012 at 11:15 AM, Odhiambo Washington <odhiambo at gmail.com> wrote:

>
> This works dandy!
>
> Thanks.
>
>
> On Thu, Jun 7, 2012 at 1:04 PM, Oliver Kent <admin at peerx.co> wrote:
>
>> Sure, no problem. Here is what you need to set:
>>
>> allow-recursion= [subnets you want to allow to recurse, I think they are
>> comma separated but it may be by space]
>> lazy-recursion=yes
>> recursor=127.0.0.1:54
>>
>> That should be it.
>>
>> Oli
>>
>> On Thu, Jun 7, 2012 at 10:48 AM, Odhiambo Washington <odhiambo at gmail.com> wrote:
>>
>>>
>>>
>>> On Thu, Jun 7, 2012 at 12:36 PM, Oliver Kent <admin at peerx.co> wrote:
>>>
>>>> I happen to disagree, since I know for a fact it is possible to run
>>>> both the authoritative server and recursor on the same IP address, I happen
>>>> to be doing that at the moment.
>>>>
>>>> Leave the authoritative server on port 53 and switch the recursor to
>>>> port 54 (or a random port not in use). Have the authoritative server
>>>> forward recursive queries to the recursor on your desired port (e.g.
>>>> 127.0.0.1:54) and perhaps set lazy recursion as well. That's it!
>>>>
>>>> Obviously, the problem with this method is that for each query that
>>>> comes in, the authoritative server will check for the domain first before
>>>> passing to the recursor, but that's where the cache comes in and I have
>>>> never really had a problem with it. I guess it depends on the amount of
>>>> domains you have.
>>>>
>>>> I also object to the suggestion that it is a bad idea to run both
>>>> servers on the same host. If anything, it increases security as you can
>>>> limit queries to the recursor to localhost and in turn, limit recursive
>>>> access to the outside world on the authoritative server.
>>>>
>>>> Just my two cents!
>>>>
>>>>
>>> Hi Oli,
>>>
>>> I intend to only allow my subnets to do recursion. I don't want to allow
>>> the whole planet to do that. They can rely on the authoritative server.
>>>
>>> Could you kindly supply me with a snippet of the options I need in
>>> pdns.conf so that it passes the queries to the recursor?
>>> I hope that allow-recursion=mysubnet/cidr will be used to control who is
>>> allowed to recurse.
>>>
>>> I can see recursor=192.168.40.252, but suppose recursor daemon is
>>> listening on port 54, how will I tell the authoritative daemon that?
>>>
>>>
>>> --
>>> Best regards,
>>> Odhiambo WASHINGTON,
>>> Nairobi, KE
>>> +254733744121/+254722743223
>>> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
>>> I can't hear you -- I'm using the scrambler.
>>>
>>>
>>> _______________________________________________
>>> Pdns-users mailing list
>>> Pdns-users at mailman.powerdns.com
>>> http://mailman.powerdns.com/mailman/listinfo/pdns-users
>>>
>>>
>>
>
>
> --
> Best regards,
> Odhiambo WASHINGTON,
> Nairobi, KE
> +254733744121/+254722743223
> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
> I can't hear you -- I'm using the scrambler.
>
>
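As an added example (not taken from the thread or from the PowerDNS project), here are both sides of the layout Oli describes, using the PowerDNS 3.x-era `recursor`, `allow-recursion` and `lazy-recursion` options quoted above (later Authoritative Server releases removed them). Port 54 and the 192.168.40.0/24 subnet are assumed values.

```ini
# --- /etc/powerdns/pdns.conf (authoritative server, port 53) ---
# Listen on every address; this daemon never recurses itself, it only
# forwards permitted recursive queries to the local recursor.
local-address=0.0.0.0
local-port=53

# Only these networks may obtain recursive answers (comma-separated
# netmasks; 192.168.40.0/24 is a constructed example). Never widen this
# to 0.0.0.0/0: that turns the host into an open resolver.
allow-recursion=127.0.0.1/32,192.168.40.0/24

# Answer from local zones first; forward to the recursor only on a miss.
lazy-recursion=yes

# Forwarding target; address and port must match recursor.conf below.
recursor=127.0.0.1:54


# --- /etc/powerdns/recursor.conf (recursor, port 54) ---
# Bind to loopback only, so the recursor is reachable solely through the
# authoritative server's forwarding path and never from the network.
local-address=127.0.0.1
local-port=54

# Belt and braces: even on loopback, accept queries from loopback only.
allow-from=127.0.0.1/32
```

After restarting both daemons, a query for a non-local name from an address outside `allow-recursion` should be refused by port 53, and port 54 should not answer from the network at all.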