[Pdns-users] PowerDNS and CNAMEs

Rune Sørensen rune at falcon.io
Mon Jul 24 11:00:35 UTC 2017

Thank you, Brian

I'm not too worried about PowerDNS and Cloudflare not being in sync, as the
only records we care about in Cloudflare are short-lived _acme-challenge
TXT records, and we have a process running that makes sure those stay synced.

Also thank you to David, for pointing me to the guide.

Moving the recursor from the PowerDNS server to the dedicated recursor
service, with a forward rule for the internal domain, solved the problem.
I'm still not sure why the recursor functionality within the PowerDNS
server acted the way it did, but it is of little concern since the
functionality is being removed :)

*Rune Tor Sørensen*
Site Reliability Engineer
+45 3172 2097
LinkedIn <https://www.linkedin.com/in/runets> Twitter
Falcon.io Aps
H.C. Andersens Blvd. 27
1553 Copenhagen
CVR no.: 33362226
Meet Your Customers

On Sun, Jul 23, 2017 at 8:41 AM, Brian Candler <b.candler at pobox.com> wrote:

> On 23/07/2017 08:23, Rune Sørensen wrote:
> It might be a strange setup, but we are trying to have a PowerDNS server
> that acts as the authoritative name server for flcn.io for clients on our
> network, while Cloudflare DNS acts as the authoritative DNS for everyone
> else.
>
> The recommended way to do this with powerdns is:
>
> 1. Run an instance (or two) of pdns-recursor on your local network. Point
> your clients at it.
>
> 2. Run a separate instance (or two) of pdns-server, authoritative for
> flcn.io
>
> 3. On your pdns-recursor, configure:
>
> # /etc/powerdns/recursor.conf
> forward-zones-file=/etc/powerdns/forward-zones
>
> # /etc/powerdns/forward-zones
> flcn.io=x.x.x.x    # or x.x.x.x, x.x.x.y
>
> Your instance of pdns-server can be on the same physical box as
> pdns-recursor but listening on a different port, e.g. 5300. In that case:
>
> # /etc/powerdns/forward-zones
> flcn.io=
>
> This approach is useful if you want to have reverse DNS for private
> addresses:
>
> 10.in-addr.arpa=
> 168.192.in-addr.arpa=
>
> However in general, I find split DNS like this to be more trouble than
> it's worth.  Eventually you'll have hard-to-diagnose problems where
> everything looks OK for your internal users but your external users have a
> problem (or vice versa), due to the zones not being in sync.  To avoid this
> I would put all private addresses into a separate sub-domain, e.g.
> "int.flcn.io", which is not delegated on the Internet.
>
> It's also worth knowing something about pdns-recursor: it is optimised for
> very high query rates in an ISP environment. To achieve this it has a
> separate "packet cache", so that if it sees the exact same query packet, it
> answers the same way as before.
>
> What this means is that if client A and client B send slightly different
> packets (e.g. with different DNS options, such as from different versions
> of "dig"), A and B are answered from two different cache entries.  In the
> time where a record has changed, and one cache entry has expired but the
> other has not, this can mean A and B see different replies.  If this
> bothers you, you can turn off the packet cache.
> https://doc.powerdns.com/md/recursor/settings/#disable-packetcache
>
> Cheers,
> Brian.
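The forward-zones setup Brian describes above, as an added example that is not code from this thread or from the PowerDNS project: a small linter for a forward-zones file that parses the `zone=target` lines, derives the in-addr.arpa zone for an octet-aligned private range (the `10.` and `168.192.` entries), and flags entries whose forwarder address was left empty or points at a public resolver instead of an internal server. The sample file, the `zone=ip[:port]` syntax and the default port of 53 are assumptions modelled on the config quoted in the thread.

```python
"""Lint a pdns-recursor forward-zones file (added example, not PowerDNS code).
Assumes the syntax shown in the thread: one `zone=target[,target...]` per line,
`#` starting a comment, each target an IPv4 address with optional `:port`."""
import ipaddress

# Constructed sample file modelled on the thread, including one entry whose
# forwarder address was left out and one that forwards to a public resolver.
SAMPLE = """# /etc/powerdns/forward-zones
flcn.io=127.0.0.1:5300, 10.0.0.2    # local pdns-server on port 5300
int.flcn.io=
10.in-addr.arpa=8.8.8.8
168.192.in-addr.arpa=10.0.0.2:53
"""

def parse_forward_zones(text):
    """Return {zone: [(IPv4Address, port), ...]}; comments and blank lines skipped."""
    zones = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        zone, _, targets = line.partition("=")
        entries = []
        for target in targets.split(","):
            target = target.strip()
            if not target:
                continue
            host, sep, port = target.partition(":")  # "ip:port" or bare "ip"
            entries.append((ipaddress.IPv4Address(host), int(port) if sep else 53))
        zones[zone.strip().lower()] = entries
    return zones

def reverse_zone(cidr):
    """Octet-aligned IPv4 network -> in-addr.arpa zone (192.168.0.0/16 -> 168.192.in-addr.arpa)."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    if net.prefixlen % 8 or not 8 <= net.prefixlen <= 24:
        raise ValueError("only /8, /16 and /24 networks map to a single reverse zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def lint_forward_zones(text):
    """Flag entries with no forwarder, and forwarders that are not internal hosts."""
    findings = []
    for zone, targets in parse_forward_zones(text).items():
        if not targets:
            findings.append(f"{zone}: no forwarder address configured")
        for ip, port in targets:
            if ip.is_global:  # private, loopback and link-local ranges are not global
                findings.append(f"{zone}: forwarder {ip}:{port} is a public address, not an internal server")
    return findings
```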