[Pdns-users] allow-from and recursion
Nicola Tiling
nti at w4w.net
Sun Aug 5 16:03:21 UTC 2018
Sorry:
> local-address=1.2.4.5
should be:
local-address=1.2.3.5
With dnsdist you save one public IP address, have great statistics and are more secure because you can manage DoS attacks. But you have one more service to manage, as described in "Scenario 2":
https://doc.powerdns.com/authoritative/guides/recursion.html?highlight=recursion
> On 05.08.2018 at 17:49, Nicola Tiling <nti at w4w.net> wrote:
>
> 1) powerdns, authoritative: IP: 1.2.3.4, Port 53, Don’t allow recursion, authoritative reachable from world
> 2) powerdns-recursor: IP 1.2.3.5, Port 53, forward the authoritative zones you need to 1.2.3.4, recursor only reachable from dedicated IPs
>
> recursor.conf:
> local-address=1.2.4.5
> local-port=53
> threads=2
> forward-zones-file=/etc/pdns/forward-recurser.zones.cfg
> allow-from=1.2.3.0/25
>
>> On 05.08.2018 at 17:40, Sergio Cesar <sergio at winc.net> wrote:
>>
>> This is exactly how I have configured it now, but how do I allow my own servers on the public Internet side to query my own DNS? I have 4 /25 IPv4 segments for my customers via T1 and other means that I need to provide DNS services to.
>>
>>
>>
>> On 08/05/2018 10:30 AM, Nicola Tiling wrote:
>>> Take powerdns-recursor - it’s simple, you don’t need dnsdist for an easy setup
>>>
>>> 1) powerdns, authoritative: IP: 1.2.3.4, Port 53, Don’t allow recursion, authoritative reachable from world
>>> 2) powerdns-recursor: IP 192.168.0.1, Port 53, forward the authoritative zones you need to 1.2.3.4, recursor only reachable from internal or dedicated IPs
>>>
>>>
>>> recursor.conf:
>>> local-address=192.168.0.1
>>> local-port=53
>>> threads=2
>>> forward-zones-file=/etc/pdns/forward-recurser.zones.cfg
>>> allow-from=127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10
>>>
>>> forward-recurser.zones.cfg:
>>> dom1.tld=1.2.3.4
>>> dom2.tld=1.2.3.4
>>> …
>>>
>>>
>>>
>>>> On 05.08.2018 at 17:07, Sergio Cesar <sergio at winc.net> wrote:
>>>>
>>>> Thank you for the reply,
>>>>
>>>> My setup is very simple; I found little help in configuring dnsdist, which looks so complicated and is one more thing to go wrong. Like killing a fly with a cannon.
>>>>
>>>> We have just one server ns1 replicating to a second ns2 via direct mysql replication.
>>>>
>>>> Perhaps you have a simple configuration example for all 3 pdns, pdns-recursor and dnsdist, I can use for a simple setup like mine. We do have ipv4 and ipv6 addresses for our servers.
>>>>
>>>> Thanks again.
>>>>
>>>> Sergio
>>>>
>>>>
>>>>
>>>> On 08/05/2018 08:37 AM, Aki Tuomi wrote:
>>>>> On Sat, Aug 04, 2018 at 07:01:36PM -0500, Sergio Cesar wrote:
>>>>>> Installed PDNS 4.1.3 on a ubuntu 18.04.
>>>>>>
>>>>>> I have tried to follow
>>>>>> https://doc.powerdns.com/authoritative/guides/recursion.html setting up
>>>>>> scenario 1:
>>>>>>
>>>>>> Any address I enter in "allow-from" is able to query the server and
>>>>>> recursion works ok, but no other query from the Internet is successful
>>>>>> unless I add 0.0.0.0/0; unfortunately it is not acceptable to have a
>>>>>> fully open server on the Internet.
>>>>>>
>>>>>> In BIND we have "allow-recursion" and a list of all the addresses the
>>>>>> server will recurse for, and it still responds to any query for domains it
>>>>>> hosts itself.
>>>>>>
>>>>>> How can I configure pdns and pdns-recursor to respond to queries from
>>>>>> anyone to the authoritative server but only recurse for the allowed list,
>>>>>> without having an open DNS server on the Internet?
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>> You use dnsdist for this.
>>>>>
>>>>> Aki Tuomi
>>>> _______________________________________________
>>>> Pdns-users mailing list
>>>> Pdns-users at mailman.powerdns.com
>>>> https://mailman.powerdns.com/mailman/listinfo/pdns-users
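Added example (not from this thread and not PowerDNS code): a small Python audit of the split described above, parsing the `recursor.conf` and forward-zones formats shown in the thread. It checks that `allow-from` does not turn the recursor into an open resolver, that every forwarded zone points at the authoritative address, and that the recursor does not listen on the authoritative IP. The sample inputs are constructed from the thread's values; the function names (`parse_kv`, `parse_allow_from`, `audit`, ...) are hypothetical helpers, and the parser assumes plain CIDR entries in `allow-from` and address-only forward targets, as on the page (it does not model negated entries or `address:port` targets).

```python
import ipaddress
from typing import Dict, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample: the recursor.conf posted in the thread, with the corrected local-address.
SAMPLE_RECURSOR_CONF = """\
local-address=1.2.3.5
local-port=53
threads=2
forward-zones-file=/etc/pdns/forward-recurser.zones.cfg
allow-from=1.2.3.0/25
"""

# Constructed sample: the forward-zones file in the zone=address form used in the thread.
SAMPLE_FORWARD_ZONES = """\
dom1.tld=1.2.3.4
dom2.tld=1.2.3.4
"""


def parse_kv(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and '#' comments are ignored.
    Both recursor.conf and the forward-zones file use this shape."""
    out: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        out[key.strip()] = value.strip()
    return out


def parse_allow_from(value: str) -> List[Network]:
    """Split a comma-separated allow-from value into networks.
    Assumption: plain CIDR entries only (no '!' negation); a bare host
    becomes /32 or /128 via ip_network."""
    nets: List[Network] = []
    for item in value.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def is_open_resolver(nets: List[Network]) -> bool:
    """True if any entry matches every address (0.0.0.0/0 or ::/0)."""
    return any(n.prefixlen == 0 for n in nets)


def client_may_recurse(nets: List[Network], client_ip: str) -> bool:
    """Would the recursor accept a query from this client address?"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in n for n in nets)


def audit(recursor_conf: str, forward_zones: str, authoritative_ip: str) -> List[str]:
    """Return findings for the authoritative/recursor split; [] means it looks sound."""
    conf = parse_kv(recursor_conf)
    findings: List[str] = []

    nets = parse_allow_from(conf.get("allow-from", ""))
    if not nets:
        findings.append("allow-from is empty: no client can use the recursor")
    elif is_open_resolver(nets):
        findings.append("allow-from contains a zero-length prefix: open resolver")

    # Every forwarded zone should go to the authoritative server (assumed address-only targets).
    auth = ipaddress.ip_address(authoritative_ip)
    for zone, target in parse_kv(forward_zones).items():
        try:
            if ipaddress.ip_address(target) != auth:
                findings.append(f"{zone} forwards to {target}, not to the authoritative server {auth}")
        except ValueError:
            findings.append(f"{zone}: unparsable forward target {target!r}")

    # The recursor must not listen on the address the world uses for authoritative
    # data, otherwise both daemons compete for port 53 on the same IP.
    listen = [a.strip() for a in conf.get("local-address", "").split(",")]
    if authoritative_ip in listen:
        findings.append("recursor local-address equals the authoritative address: port 53 collision")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_RECURSOR_CONF, SAMPLE_FORWARD_ZONES, "1.2.3.4") or ["no findings"]:
        print(line)
```

Run it against your own `recursor.conf` and forward-zones file by reading them into the two strings; a finding about a zero-length prefix is exactly the `0.0.0.0/0` situation the original question describes, and `client_may_recurse` answers the "will my /25 customer segments be served?" question for any address you pass in.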