[Pdns-users] allow-from and recursion
Sergio Cesar
sergio at winc.net
Sun Aug 5 15:40:13 UTC 2018
This is exactly how I have configured it now, but how do I allow my own
servers on the public side Internet to query my own dns? I have a 4
/25 ipv4 segments for my customers via T1 and other means that I need to
provide dns services.
On 08/05/2018 10:30 AM, Nicola Tiling wrote:
> Take powerdns-recursor - it’s simple, you don’t need dnsdist for an easy setup
>
> 1) powerdns, authoritative: IP: 1.2.3.4, Port 53, Don’t allow recursion, authoritative reachable from world
> 2) powerndes-recursor: IP 192.168.0.1, Port 53, forward authoritative zones you need to 1.2.3.4, recursor only reachable from internal or dedicated IPs
>
>
> recursor.conf:
> local-address=192.168.0.1
> local-port=53
> threads=2
> forward-zones-file=/etc/pdns/forward-recurser.zones.cfg
> allow-from=127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10
>
> forward-recurser.zones.cfg:
> dom1.tld=1.2.3.4
> dom2.tld=1.2.3.4
> …
>
>
>
>> Am 05.08.2018 um 17:07 schrieb Sergio Cesar <sergio at winc.net>:
>>
>> Thank you for the reply,
>>
>> My setup is very simple, found little help in configuring dnsdist that looks so complicated and one more thing to go wrong. Like killing a fly with a cannon.
>>
>> We have just one server ns1 replicating to a second ns2 via direct mysql replication.
>>
>> Perhaps you have a simple configuration example for all 3 pdns, pdns-recursor and dnsdist, I can use for a simple setup like mine. We do have ipv4 and ipv6 addresses for our servers.
>>
>> Thanks again.
>>
>> Sergio
>>
>>
>>
>> On 08/05/2018 08:37 AM, Aki Tuomi wrote:
>>> On Sat, Aug 04, 2018 at 07:01:36PM -0500, Sergio Cesar wrote:
>>>> Installed PDNS 4.1.3 on a ubuntu 18.04.
>>>>
>>>> I have try to follow
>>>> https://doc.powerdns.com/authoritative/guides/recursion.html setting up
>>>> scenario 1:
>>>>
>>>> Any address I enter in "allow-from" is able to query the server and
>>>> recursion works ok, but no other query from the Internet is successful
>>>> unless I add 0.0.0.0/0 unfortunately this is not acceptable to have a
>>>> fully open server to the Internet.
>>>>
>>>> In bind we have "allow-recursion" and a list of all the addresses the
>>>> server will respond to and still respond to any query to domains itself
>>>> hosts .
>>>>
>>>> How can I configure pdns and pdns-recursor to respond to queries from
>>>> anyone to the authoritative server but only recurse to the allowed list?
>>>> without having an open dns on the Internet?
>>>>
>>>> Thanks.
>>>>
>>> You use dnsdist for this.
>>>
>>> Aki Tuomi
>> _______________________________________________
>> Pdns-users mailing list
>> Pdns-users at mailman.powerdns.com
>> https://mailman.powerdns.com/mailman/listinfo/pdns-users
More information about the Pdns-users
mailing list