[Pdns-users] DiG: Hopefully Final Thoughts..
stancs3
scruise56 at gmail.com
Fri Feb 17 18:43:58 UTC 2017
Many thanks for your comprehensive replies.
I have a number of paths to explore now and will head off to do some
more careful testing.
If I need further advice I will make sure to include a better set of
test results.
I certainly have more confidence in getting to a solution that works
for me, given the support of this forum.
Stan
On Fri, 2017-02-17 at 08:15 +0000, Brian Candler wrote:
> On 17/02/2017 06:45, stancs3 wrote:
> >
> > Reverse doesn't work in this config, so I figure on giving up on
> > recursor.
> What do you mean by "reverse doesn't work"? Can you give a specific
> example of what you did, what you saw, and what you expected to see?
>
> Reverse is just another domain (under in-addr.arpa), no different to
> any other.
> >
> > I can either use my router's recursor, or perhaps set up a pdns-
> > recursor on a different VM to keep it clean. Wouldn't that be the
> > same/better than the router's?
> Most routers' built-in DNS is pretty poor - little more than a caching
> forwarder to an upstream DNS (like dnsmasq), so having your own
> pdns-recursor is likely to be much better.
>
> If you want your authoritative DNS to be visible to the outside world
> for real delegation, then it needs to listen on port 53. If you want
> your recursive DNS to be usable by local clients, then it also needs to
> listen on port 53, since most clients can't be (easily) configured to
> send their DNS queries to a different port.
>
> So, to run both auth and recursive, you need to assign two IP addresses.
> Those can either be two different VMs (maximum separation), two
> different containers, or even two different IPs in the same machine,
> where the pdns-auth and pdns-recursor processes are configured to bind
> to (listen on) a different individual IP address.
>
> You could try fancy tricks with dnsdist in front, but personally I'd
> just go for the two VMs or two containers.
>
> Don't forget redundancy. For authoritative DNS you'll want another
> nameserver on a completely different backbone (see RFC2182). For client
> redundancy, two local recursors is what you want.
>
> HTH,
>
> Brian.
>
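The auth/recursor split Brian describes, as an added example that is not part of this thread and not PowerDNS's own sample files: two config fragments that bind pdns-auth and pdns-recursor to separate addresses on port 53, with the recursor forwarding both the LAN zone and its in-addr.arpa reverse zone to the auth address (reverse being "just another domain"), plus a small check that the two files never claim the same ip:port. The addresses 192.0.2.10 and 192.0.2.11, the zone example.lan and its reverse zone 2.0.192.in-addr.arpa are assumptions; local-address, local-port, allow-from and forward-zones are real PowerDNS option names, but the collision check only understands plain IPv4 entries and treats 0.0.0.0 as colliding with everything.

```shell
#!/bin/sh
# Constructed example: split pdns-auth and pdns-recursor onto two IPs.
# All addresses and zone names below are assumed, not from the thread.

AUTH_IP=192.0.2.10               # assumed: pdns-auth listens here
REC_IP=192.0.2.11                # assumed: pdns-recursor listens here
LAN_ZONE=example.lan             # assumed forward zone served by auth
REV_ZONE=2.0.192.in-addr.arpa    # reverse zone for 192.0.2.0/24

# Write the two config fragments into directory $1.
write_configs() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/pdns.conf" <<EOF
# pdns-auth: authoritative only, its own IP, port 53
local-address=$AUTH_IP
local-port=53
EOF
    cat > "$dir/recursor.conf" <<EOF
# pdns-recursor: caching resolver for LAN clients, its own IP, port 53
local-address=$REC_IP
local-port=53
allow-from=192.0.2.0/24, 127.0.0.0/8
# Forward and reverse zones both live on the auth server.
forward-zones=$LAN_ZONE=$AUTH_IP, $REV_ZONE=$AUTH_IP
EOF
}

# Print the ip:port listeners a PowerDNS config file declares, one per
# line. Missing local-port defaults to 53; a missing local-address is
# treated as the wildcard 0.0.0.0 (conservative simplification).
listeners() {
    addr=$(sed -n 's/^local-address=//p' "$1" | tr -d ' ')
    port=$(sed -n 's/^local-port=//p' "$1")
    [ -n "$addr" ] || addr=0.0.0.0
    [ -n "$port" ] || port=53
    for ip in $(printf '%s' "$addr" | tr ',' ' '); do
        printf '%s:%s\n' "$ip" "$port"
    done
}

# Return 0 when no ip:port is claimed by both files, 1 on a collision
# (same ip and port, or a wildcard 0.0.0.0 on the same port).
check_no_collision() {
    a=$(listeners "$1")
    b=$(listeners "$2")
    for x in $a; do
        for y in $b; do
            [ "${x#*:}" = "${y#*:}" ] || continue   # different ports: fine
            xi=${x%:*}; yi=${y%:*}
            if [ "$xi" = "$yi" ] || [ "$xi" = 0.0.0.0 ] || [ "$yi" = 0.0.0.0 ]; then
                echo "listener collision: $x vs $y" >&2
                return 1
            fi
        done
    done
    return 0
}

# Demo on a scratch directory: sh this_script.sh demo
if [ "${1:-}" = demo ]; then
    write_configs /tmp/pdns-split
    check_no_collision /tmp/pdns-split/pdns.conf /tmp/pdns-split/recursor.conf \
        && echo "no listener collision"
fi

# After installing the fragments and restarting both daemons, verify:
#   dig @192.0.2.11 host.example.lan +short        # forward, via recursor
#   dig @192.0.2.11 -x 192.0.2.10 +short           # reverse, via recursor
#   dig @192.0.2.10 host.example.lan +norecurse    # auth answers directly
```

The second dig is the one to run when "reverse doesn't work": if the recursor has no forward-zones entry for the in-addr.arpa zone it will go to the public root servers for 192.0.2.x and get nothing useful back, which looks like a recursor failure but is only a missing zone mapping.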