[Pdns-users] DiG: Hopefully Final Thoughts..
Brian Candler
b.candler at pobox.com
Fri Feb 17 08:15:03 UTC 2017
On 17/02/2017 06:45, stancs3 wrote:
> Reverse doesn't work in this config, so I figure on giving up on
> recursor.
What do you mean by "reverse doesn't work"? Can you give a specific
example of what you did, what you saw, and what you expected to see?
Reverse is just another domain (under in-addr.arpa), no different to any
other.
> I can either use my router's recursor, or perhaps set up a pdns-
> recursor on a different VM to keep it clean. Wouldn't that be the
> same/better than the router's?
Most routers' built-in DNS is pretty poor - little more than a caching
forwarder to an upstream DNS (like dnsmasq), so having your own
pdns-recursor is likely to be much better.
If you want your authoritative DNS to be visible to the outside world
for real delegation, then it needs to listen on port 53. If you want
your recursive DNS to be usable by local clients, then it also needs to
listen on port 53, since most clients can't be (easily) configured to
send their DNS queries to a different port.
So, to run both auth and recursive, you need to assign two IP addresses.
Those can either be two different VMs (maximum separation), two
different containers, or even two different IPs in the same machine,
where the pdns-auth and pdns-recursor processes are configured to bind to
(listen on) a different individual IP address.
You could try fancy tricks with dnsdist in front, but personally I'd
just go for the two VMs or two containers.
Don't forget redundancy. For authoritative DNS you'll want another
nameserver on a completely different backbone (see RFC2182). For client
redundancy, two local recursors is what you want.
HTH,
Brian.
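As an added illustration of the two-address layout Brian describes (not from the original thread or from the PowerDNS project), here is a minimal pair of configuration files that bind pdns-auth and pdns-recursor to separate IPs on the same host, both on port 53, with the recursor forwarding the local forward and reverse zones to the authoritative server. The addresses 192.0.2.10/192.0.2.11, the 192.0.2.0/24 client range and the zone name example.internal are assumed placeholders.

```ini
# /etc/powerdns/pdns.conf  --  authoritative server
# Assumed address for the auth process (placeholder, documentation range).
local-address=192.0.2.10
local-port=53

# /etc/powerdns/recursor.conf  --  recursive resolver
# Assumed address for the recursor (placeholder); must differ from the auth IP
# or the second process will fail to bind port 53.
local-address=192.0.2.11
local-port=53
# Only answer recursive queries from the local network (assumed range).
allow-from=127.0.0.0/8, 192.0.2.0/24
# The reverse zone is just another zone: hand both the forward zone and its
# in-addr.arpa counterpart to the authoritative server (hypothetical zone name).
forward-zones=example.internal=192.0.2.10, 2.0.192.in-addr.arpa=192.0.2.10
```

After restarting both services, `ss -lnup 'sport = :53'` should list two UDP sockets, one per address; if only one appears, the second daemon lost the bind race and its log will say so.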