[Pdns-users] allow-from and recursion

Nicola Tiling nti at w4w.net
Sun Aug 5 15:30:29 UTC 2018 

Take powerdns-recursor - it’s simple, you don’t need dnsdist for an easy setup

1) powerdns, authoritative: IP: 1.2.3.4, Port 53, Don’t allow recursion, authoritative reachable from world
2) powerndes-recursor: IP 192.168.0.1, Port 53, forward authoritative zones you need to 1.2.3.4, recursor only reachable from internal or dedicated IPs


recursor.conf:
local-address=192.168.0.1
local-port=53
threads=2
forward-zones-file=/etc/pdns/forward-recurser.zones.cfg
allow-from=127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10

forward-recurser.zones.cfg:
dom1.tld=1.2.3.4
dom2.tld=1.2.3.4
…



> Am 05.08.2018 um 17:07 schrieb Sergio Cesar <sergio at winc.net>:
> 
> Thank you for the reply,
> 
> My setup is very simple, found little help in configuring dnsdist that looks so complicated and one more thing to go wrong. Like killing a fly with a cannon.
> 
> We have just one server ns1 replicating to a second ns2 via direct mysql replication.
> 
> Perhaps you have a simple configuration example for all 3 pdns, pdns-recursor and dnsdist,  I can use for a simple setup like mine. We do have ipv4 and ipv6 addresses for our servers.
> 
> Thanks again.
> 
> Sergio
> 
> 
> 
> On 08/05/2018 08:37 AM, Aki Tuomi wrote:
>> On Sat, Aug 04, 2018 at 07:01:36PM -0500, Sergio Cesar wrote:
>>> Installed PDNS 4.1.3 on a ubuntu 18.04.
>>> 
>>> I have try to follow
>>> https://doc.powerdns.com/authoritative/guides/recursion.html setting up
>>> scenario 1:
>>> 
>>> Any address I enter in "allow-from" is able to query the server and
>>> recursion works ok, but no other query from the Internet is successful
>>> unless I add 0.0.0.0/0 unfortunately this is not acceptable to have a
>>> fully open server to the Internet.
>>> 
>>> In bind we have "allow-recursion" and a list of all the addresses the
>>> server will respond to and still respond to any query to domains itself
>>> hosts .
>>> 
>>> How can I configure pdns and pdns-recursor to respond to queries from
>>> anyone to the authoritative server but only recurse to the allowed list?
>>> without having an open dns on the Internet?
>>> 
>>> Thanks.
>>> 
>> You use dnsdist for this.
>> 
>> Aki Tuomi
> 
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: Message signed with OpenPGP
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20180805/14015f22/attachment.sig>

More information about the Pdns-users mailing list