[Pdns-users] Need a solution to use a resolver for external CNAMEs

Alejandro Adroher Mellado alejandro.adroher at omniaccess.com
Wed Sep 14 12:22:28 UTC 2016


Yes, sure.

For that you need the Authoritative on a public IP with "allow-recursion" disabled, and the recursor configured as I told you, with "allow-from=127.0.0.0/8,192.168.0.0/16,172.16.0.0/16 ... you know ... your internal netmasks".

Another thing you can do to improve the performance of the recursor is to enable forward-zones directly to your auth server.
Like ... forward-zones=mydomain1.com=AuthServerIP1;AuthServerIP2,mydomain2.com=AuthServerIP1;AuthServerIP2
Just to avoid having to wait until any change to your domain has replicated to the root servers.

Which external CNAME?

Ale

From: Michael Hasenburger [mailto:Michael.Hasenburger at marel.at]
Sent: Wednesday, 14 September 2016 12:08
To: Alejandro Adroher Mellado <alejandro.adroher at omniaccess.com>; pdns-users at mailman.powerdns.com
Subject: Re: Need a solution to use a resolver for external CNAMEs

> I am not very clear on what you are looking for .... It seems you need an Authoritative for your domains (which can be queried by everyone) and also a recursor for internal use only.

Yes, that's exactly what we want.

Actually our DNS server is fully open, and we got information from cert-bund.de that we are vulnerable to a DNS amplification attack. My idea is to close the recursor to the public. But then it doesn't resolve external CNAMEs, for example.

Is it possible to configure this?

Thank you very much.

BR Mike


From: Alejandro Adroher Mellado [mailto:alejandro.adroher at omniaccess.com]
Sent: Wednesday, 14 September 2016 11:48
To: Michael Hasenburger; pdns-users at mailman.powerdns.com
Subject: RE: Need a solution to use a resolver for external CNAMEs

Hi,
A resolver by definition goes to the root servers to find answers to the queries received.
If you want to ask for an external CNAME, you need a recursor, but by using e.g. "allow-from=172.16.0.0/16" (this being your internal network), you close your recursor service to the external world. You could use it, but I'm not.

You say:
"We want a public DNS server, but one that resolves queries for existing database entries only. It seems not possible to configure."
For that having only an Authoritative Service is enough.

I am not very clear on what you are looking for .... It seems you need an Authoritative for your domains (which can be queried by everyone) and also a recursor for internal use only.

Can you clarify this for me?

XD

Ale


From: Michael Hasenburger [mailto:Michael.Hasenburger at marel.at]
Sent: Wednesday, 14 September 2016 11:34
To: Alejandro Adroher Mellado <alejandro.adroher at omniaccess.com>; pdns-users at mailman.powerdns.com
Subject: Re: Need a solution to use a resolver for external CNAMEs

Hi Ale,

I also configured pdns-resolver with allow-from localhost, but it does resolve all requests from PowerDNS.
We want a public DNS server, but one that resolves queries for existing database entries only. It seems not possible to configure.

BR Mike


From: Alejandro Adroher Mellado [mailto:alejandro.adroher at omniaccess.com]
Sent: Wednesday, 14 September 2016 10:48
To: EDV-Techniker; pdns-users at mailman.powerdns.com
Subject: RE: Need a solution to use a resolver for external CNAMEs

Hi Mike,

Use an ACL to close your resolver:

allow-from=your internal allowed netmasks

Ale

From: Pdns-users [mailto:pdns-users-bounces at mailman.powerdns.com] On Behalf Of EDV-Techniker
Sent: Wednesday, 14 September 2016 10:08
To: pdns-users at mailman.powerdns.com
Subject: [Pdns-users] Need a solution to use a resolver for external CNAMEs

Hi,

We want to use a nameserver for our domains only. It can be done without configuring a resolver. It works fine, but if we query e.g. an external CNAME whose A record doesn't exist in our database, then PowerDNS doesn't resolve it.

Using a resolver does solve this problem. But now the DNS server is open and vulnerable to attacks.

Is there a solution to use a resolver to query existing database entries only?

BR Mike
MAREL IT solutions
