[Pdns-users] PowerDNS and CNAMEs
b.candler at pobox.com
Sun Jul 23 08:41:57 UTC 2017
On 23/07/2017 08:23, Rune Sørensen wrote:
> It might be a strange setup, but we are trying to have a PowerDNS
> server that acts as the authoritative name server for flcn.io
> <http://flcn.io> for clients on our network, while Cloudflare DNS acts
> as the authoritative DNS for everyone else.
The recommended way to do this with powerdns is:
1. Run an instance (or two) of pdns-recursor on your local network.
Point your clients at it.
2. Run a separate instance (or two) of pdns-server, authoritative for
3. On your pdns-recursor, configure:
flcn.io=x.x.x.x # or x.x.x.x, x.x.x.y
Your instance of pdns-server can be on the same physical box as
pdns-recursor but listening on a different port, e.g. 5300. In that case:
This approach is useful if you want to have reverse DNS for private
However in general, I find split DNS like this to be more trouble than
it's worth. Eventually you'll have hard-to-diagnose problems where
everything looks OK for your internal users but your external users have
a problem (or vice versa), due to the zones not being in sync. To avoid
this I would put all private addresses into a separate sub-domain, e.g.
"int.flcn.io", which is not delegated on the Internet.
It's also worth knowing something about pdns-recursor: it is optimised
for very high query rates in an ISP environment. To achieve this it has
a separate "packet cache", so that if it sees the exact same query
packet, it answers the same way as before.
What this means is that if client A and client B send slightly different
packets (e.g. with different DNS options, such as from different
versions of "dig"), A and B are answered from two different cache
entries. In the time where a record has changed, and one cache entry
has expired but the other has not, this can mean A and B see different
replies. If this bothers you, you can turn off the packet cache.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Pdns-users