[Pdns-users] Problems with PowerDNS

ktm at rice.edu ktm at rice.edu
Wed Nov 11 14:02:57 UTC 2015 

On Wed, Nov 11, 2015 at 04:15:18PM +0400, Nadir M. Aliyev wrote:
> Dear All Thanks for your reply!
> 
> I understand keeping authoritative and recursive services separated is strongly recommended. Ok.
> 
> I understand that I must set for my customers (approx. 200k) powerdns recursive service as DNS?
> 
> If yes in this case I must change my authorative servers ip's and its not good idea for my hosting customers.
> Also I cant limit recursion on separated pdns recursive service for external ips via allow-recursion.
> 
> 
> Currently I'm using Bind but managing a lot of bind servers is not comfortable. So I choosed powerdns + mysql replication + heartbeat.
> 
> 
> Any ideas or I wrong? :-)
> 
> Thanks
> Nadir
> 

Hi Nadir,

For historical reasons, we had our recursive DNS and authoritative DNS on the
same host/IP. We used iptables to pass local IP-space connections to the pdns-recursor
and external IPs directly to the pdns authoritative server. We even run a second pdns
instance to support split horizon DNS. Here is a snippit from the iptables that does
the work:


######################################################################
# Allow local hosts to access the recursive name server on post 53.
# Pass non-local hosts to authoritative name server on port 553.
######################################################################

*nat
:DNS-ROUTE - [0:0]

## We will only affect in-coming traffic to port 53:
-A PREROUTING -p udp --dport 53 -j DNS-ROUTE
-A PREROUTING -p tcp --dport 53 -j DNS-ROUTE

## Let local hosts access the recursor (on post 53):
## Add similar lines for any local address spaces
-A DNS-ROUTE -s 10.0.0.0/8       -j ACCEPT
-A DNS-ROUTE -s 192.168.0.0/16   -j ACCEPT
-A DNS-ROUTE -s 172.16.0.0/16    -j ACCEPT

## Divert all others to the authoritative server on port 553:
-A DNS-ROUTE -p udp -m udp -j DNAT --to-destination :553
-A DNS-ROUTE -p tcp -m tcp -j DNAT --to-destination :553

This is for a Linux system, but it should be similar for others as well.

Regards,
Ken

More information about the Pdns-users mailing list