[Pdns-users] Override some records
dav3860chom at yahoo.fr
Thu Apr 27 09:28:06 UTC 2017
We own a few domains for which our ISP is authoritative (let's say domain1.com & domain2.com), so it serves public IP addresses. We also have two internal DNS resolvers in our DMZ (192.168.10.0/24).
We would like them to resolve the internet, but also fake some records in domain1.com & domain2.com. The reason is that we host servers, web servers for example, in the DMZ, and they are NATed behind public IP addresses. We want these records to be resolved to private IP addresses by our DNS resolvers, so they are routable internally.
So if you are on the internet, our ISP servers answer with:

  web1.domain1.com  -> 220.127.116.11
  other.domain1.com -> 18.104.22.168

If you are inside the LAN and query our DNS resolvers:

  web1.domain1.com  -> 192.168.10.101 (overridden)
  other.domain1.com -> 22.214.171.124 (not faked)

We have been able to achieve this by using only PDNS Recursor as our internal resolver, with "export-etc-hosts". /etc/hosts would contain:

  192.168.10.101 web1.domain1.com

It works, as PDNS Recursor still queries the authoritative servers for domain1 records not in the /etc/hosts file.

However, this is not very satisfying, as:
- we have many records to manage in hosts files
- we need to manually keep hosts files in sync between our recursors
Would it be possible to install a PDNS Authoritative server for domain1.com beside PDNS Recursor to achieve the same result? It would allow managing the records with a web GUI and using MySQL to keep the records in sync between the servers. The problem is that as soon as we set PowerDNS Authoritative for domain1.com, it answers web1.domain1.com with the private address, but with NXDOMAIN for other.domain1.com, and the recursor forwards this answer to the client instead of querying the real authoritative servers (our ISP).
Could the "allow-recursion-override" setting help? Is it possible to make this work?
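One way to keep per-record overrides in the recursor itself, without an authoritative server owning the whole zone (and therefore answering NXDOMAIN for every name it does not know), is the PowerDNS Recursor Lua hook. The script below is an added example, not code from the poster or from the PowerDNS project; it assumes the recursor is started with "lua-dns-script" pointing at this file (the path /etc/powerdns/override.lua is a placeholder) and that the override table is what you would otherwise have kept in /etc/hosts. The preresolve hook runs before the cache and before any upstream query, so a name listed in the table is answered with the private address, and every other name in domain1.com falls through to the normal resolution path, i.e. the ISP's authoritative servers.

```lua
-- /etc/powerdns/override.lua  (placeholder path; set lua-dns-script=... in recursor.conf)
-- Split-horizon overrides for a PowerDNS Recursor: answer a fixed list of names
-- with private (DMZ) addresses, let everything else resolve normally.

-- Constructed override table; keys are lower-case names without a trailing dot.
-- The addresses are the private NAT targets, as in the /etc/hosts approach.
local overrides = {
  ["web1.domain1.com"] = "192.168.10.101",
  ["web2.domain2.com"] = "192.168.10.102",
}

-- Only clients on the internal network should receive the private answers.
-- If the recursor is reachable from elsewhere, this keeps the override from
-- leaking DMZ addressing to outside queriers.
local internalNets = newNMG()
internalNets:addMask("192.168.0.0/16")

function preresolve(dq)
  -- Only A queries are overridden here; AAAA and other types go upstream.
  if dq.qtype ~= pdns.A then
    return false
  end

  if not internalNets:match(dq.remoteaddr) then
    return false
  end

  local name = string.lower(dq.qname:toStringNoDot())
  local addr = overrides[name]
  if addr == nil then
    -- Not an overridden name: return false so the recursor resolves it
    -- normally (and caches the ISP's public answer for other.domain1.com).
    return false
  end

  -- Overridden name: synthesise the answer with a short TTL so changes to the
  -- table take effect quickly, and mark the query as handled.
  dq:addAnswer(pdns.A, addr, 300)
  dq.rcode = pdns.NOERROR
  return true
end
```

Because the override is checked per name rather than per zone, there is no authoritative server to produce NXDOMAIN for names it does not hold, which is the failure mode described above. Keeping the table in sync between two recursors is then a matter of distributing one Lua file (or generating it from the database you already want to use); the recursor re-reads the script when it is restarted or reloaded.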