[Pdns-users] DiG: Hopefully Final Thoughts..

Brian Candler b.candler at pobox.com
Fri Feb 17 08:15:03 UTC 2017


On 17/02/2017 06:45, stancs3 wrote:
> Reverse doesn't work in this config, so I figure on giving up on
> recursor.
What do you mean by "reverse doesn't work"? Can you give a specific 
example of what you did, what you saw, and what you expected to see?

Reverse is just another domain (under in-addr.arpa), no different to any 
other.
> I can either use my router's recursor, or perhaps set up a pdns-
> recursor on a different VM to keep it clean. Wouldn't that be the
> same/better than the router's?

Most routers' built-in DNS is pretty poor - little more than a caching 
forwarder to an upstream DNS (like dnsmasq), so having your own 
pdns-recursor is likely to be much better.

If you want your authoritative DNS to be visible to the outside world 
for real delegation, then it needs to listen on port 53. If you want 
your recursive DNS to be usable by local clients, then it also needs to 
listen on port 53, since most clients can't be (easily) configured to 
send their DNS queries to a different port.

So, to run both auth and recursive, you need to assign two IP addresses. 
Those can either be two different VMs (maximum separation), two 
different containers, or even two different IPs in the same machine, 
where the pdns-auth and pdns-recursor processes are configured to bind to
(listen on) a different individual IP address.

You could try fancy tricks with dnsdist in front, but personally I'd
just go for the two VMs or two containers.

Don't forget redundancy. For authoritative DNS you'll want another 
nameserver on a completely different backbone (see RFC2182). For client 
redundancy, two local recursors is what you want.

HTH,

Brian.
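
As an added example (not part of Brian's reply or the PowerDNS project's documentation), here is the two-addresses-on-one-host layout described above expressed as PowerDNS configuration. The addresses are placeholders from the RFC 5737 documentation range, the file paths and zone names are assumed, and the recursor is told to hand the local forward zone and its in-addr.arpa reverse zone to the authoritative server so that reverse lookups from LAN clients resolve locally rather than being sent to the Internet.

```ini
# /etc/powerdns/pdns.conf  (pdns-auth; assumed path)
# Authoritative server: port 53, bound to its own address only.
local-address=192.0.2.10
local-port=53

# /etc/powerdns/recursor.conf  (pdns-recursor; assumed path)
# Recursor: same port, different address, so both daemons coexist on one host.
local-address=192.0.2.11
local-port=53
# Only answer queries from the local network (placeholder prefix).
allow-from=192.0.2.0/24
# Forward the local zone and its reverse zone to the authoritative server;
# the reverse zone is just another domain under in-addr.arpa.
forward-zones=example.internal=192.0.2.10, 2.0.192.in-addr.arpa=192.0.2.10
```

Clients get the recursor's address (192.0.2.11) via DHCP, while only the authoritative address (192.0.2.10) needs to be reachable for external delegation.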


