[Pdns-users] PowerDNS and CNAMEs

Brian Candler b.candler at pobox.com
Sun Jul 23 08:41:57 UTC 2017


On 23/07/2017 08:23, Rune Sørensen wrote:
> It might be a strange setup, but we are trying to have a PowerDNS 
> server that acts as the authoritative name server for flcn.io 
> <http://flcn.io> for clients on our network, while Cloudflare DNS acts 
> as the authoritative DNS for everyone else.

The recommended way to do this with powerdns is:

1. Run an instance (or two) of pdns-recursor on your local network. 
Point your clients at it.

2. Run a separate instance (or two) of pdns-server, authoritative for 
flcn.io

3. On your pdns-recursor, configure:

# /etc/powerdns/recursor.conf
forward-zones-file=/etc/powerdns/forward-zones

# /etc/powerdns/forward-zones
flcn.io=x.x.x.x    # or x.x.x.x, x.x.x.y

Your instance of pdns-server can be on the same physical box as 
pdns-recursor but listening on a different port, e.g. 5300. In that case:

# /etc/powerdns/forward-zones
flcn.io=127.0.0.1:5300

This approach is useful if you want to have reverse DNS for private 
addresses:

10.in-addr.arpa=127.0.0.1:5300
168.192.in-addr.arpa=127.0.0.1:5300

However in general, I find split DNS like this to be more trouble than 
it's worth.  Eventually you'll have hard-to-diagnose problems where 
everything looks OK for your internal users but your external users have 
a problem (or vice versa), due to the zones not being in sync.  To avoid 
this I would put all private addresses into a separate sub-domain, e.g. 
"int.flcn.io", which is not delegated on the Internet.

It's also worth knowing something about pdns-recursor: it is optimised 
for very high query rates in an ISP environment. To achieve this it has 
a separate "packet cache", so that if it sees the exact same query 
packet, it answers the same way as before.

What this means is that if client A and client B send slightly different 
packets (e.g. with different DNS options, such as from different 
versions of "dig"), A and B are answered from two different cache 
entries.  In the time where a record has changed, and one cache entry 
has expired but the other has not, this can mean A and B see different 
replies.  If this bothers you, you can turn off the packet cache.
https://doc.powerdns.com/md/recursor/settings/#disable-packetcache

Cheers,

Brian.
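To check a forward-zones file like the one above before reloading the recursor, here is an added example (not PowerDNS's own code) that parses the file and flags a same-box forwarder that points at a loopback address on the recursor's own port, which would send the query back to the recursor instead of pdns-server. It assumes the line format `[+]zone=addr[:port][, addr[:port]...]` with `#` comments, a leading `+` marking a forward-zones-recurse entry, a default port of 53, and a recursor listening on port 53.

```python
# Parser and sanity check for a pdns-recursor forward-zones file (added example, not
# PowerDNS code). Assumed format: [+]zone=addr[:port][, addr[:port]...]  # comment
import ipaddress
from typing import Dict, List, NamedTuple, Tuple

class Forwarder(NamedTuple):
    host: str
    port: int
    recurse: bool           # True for a '+' line (forward-zones-recurse entry)

def parse_target(text: str) -> Tuple[str, int]:
    if text.startswith("["):                     # [v6] or [v6]:port
        host, _, port = text[1:].partition("]")
        port = port.lstrip(":")
    elif text.count(":") > 1:                    # bare IPv6, no port
        host, port = text, ""
    else:                                        # v4 or v4:port
        host, _, port = text.partition(":")
    ipaddress.ip_address(host)                   # rejects placeholders like x.x.x.x
    return host, int(port or "53")               # int() rejects non-numeric ports

def parse_forward_zones(text: str) -> Dict[str, List[Forwarder]]:
    """Map each zone (lower-cased, no trailing dot) to its forwarders."""
    zones: Dict[str, List[Forwarder]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected zone=addr[,addr]")
        zone, targets = line.split("=", 1)
        recurse = zone.startswith("+")
        zone = zone.lstrip("+").strip().rstrip(".").lower()
        fwds = [Forwarder(*parse_target(t.strip()), recurse)
                for t in targets.split(",") if t.strip()]
        zones.setdefault(zone, []).extend(fwds)
    return zones

def loopback_loops(zones: Dict[str, List[Forwarder]], recursor_port: int = 53) -> List[str]:
    """Zones forwarded to loopback on the recursor's own port (assumed: recursor_port)."""
    return sorted(z for z, fwds in zones.items() if any(
        ipaddress.ip_address(f.host).is_loopback and f.port == recursor_port for f in fwds))
# Constructed sample mirroring the same-box layout in the mail (authoritative on 5300).
SAMPLE_FORWARD_ZONES = """\
flcn.io=127.0.0.1:5300
10.in-addr.arpa=127.0.0.1:5300
168.192.in-addr.arpa=127.0.0.1:5300   # private reverse zones
+corp.example=127.0.0.1               # mistake: port 53 here is the recursor itself
"""
```

Running `loopback_loops(parse_forward_zones(SAMPLE_FORWARD_ZONES))` reports only `corp.example`; a real file with `x.x.x.x` left in place fails to parse at all.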