[Pdns-users] Old 3.3.1-1 to 4.1.3 Authoritative and Recursor issue

Steven Spencer steven.spencer at kdsi.com
Tue Jul 3 13:17:04 UTC 2018

On 07/03/2018 06:46 AM, Chris Hofstaedtler wrote:
>> On 02.07.2018, at 19:25, Steven Spencer <steven.spencer at kdsi.com> wrote:
> [..]
>> As long as the recursor does return the correct information (as ours did) can we assume that things are working? Is there a good way to make sure that the authoritative server is properly configured before an actual go-live? (testing methodology)
> You can use the “Pre-delegated zone check” on https://zonemaster.iis.se (or any other public zonemaster installation) to check your new auth (possibly on a different IP for testing purposes).
> To some degree it sounds like you’re not absolutely sure that all your recursive traffic is indeed sent to your PowerDNS Recursors. I’d suggest running tcpdump on your existing PowerDNS Authoritative Servers to verify that they only receive traffic from Recursors, and not from your internal devices.
> C

Thanks for the response. Actually I'm nearly positive that the recursors
and authoritative servers were doing exactly as they were supposed to
during our go-live attempt; I just wasn't prepared for the results. What
we need now is a way to redirect the appropriate traffic (recursors for
resolution) from our local network and ARIN IP block. I received a
possible solution using iptables that would eliminate an
organization-wide change of local DNS servers on machines and equipment and would
instead redirect that traffic to the appropriate server. Still
evaluating that, but I think that is where we are at the moment.

Thanks for your response!

Steven G. Spencer, Network Administrator
KSC Corporate - The Kelly Supply Family of Companies
Office 308-382-8764 Ext. 1131
Mobile 402-765-8010 
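
The tcpdump check suggested in the quoted reply could be scripted as below. This is an added example, not part of the original message or of PowerDNS; the function names, the interface `eth0` and all addresses are constructed, and it assumes IPv4 traffic captured with `tcpdump -nn`.

```shell
#!/bin/sh
# Added example: list clients other than the known recursors that send DNS
# queries to an authoritative server, from `tcpdump -nn` text output.
# Live use on the authoritative server (eth0 is an assumed interface name):
#   tcpdump -nn -l -i eth0 'dst port 53' | unexpected_dns_clients "$RECURSORS"

# $1: space-separated recursor IPv4 addresses (hypothetical values below)
# stdin: tcpdump -nn lines; stdout: "<count> <source-ip>" per unexpected client
unexpected_dns_clients() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # tcpdump -nn IPv4 line: "<time> IP <src>.<sport> > <dst>.<dport>: ..."
        # IPv6 lines start with "IP6" and are not counted here.
        $2 == "IP" && $4 == ">" {
            dst = $5; sub(/:$/, "", dst)
            if (dst !~ /\.53$/) next              # only packets sent to port 53
            src = $3; sub(/\.[0-9]+$/, "", src)   # strip the source port
            if (!(src in ok)) seen[src]++
        }
        END { for (s in seen) print seen[s], s }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample capture (documentation/private addresses, not from the thread)
sample_capture() {
    cat <<'EOF'
13:17:04.000001 IP 192.0.2.10.41234 > 192.0.2.53.53: 1234+ A? www.example.com. (33)
13:17:04.000002 IP 192.0.2.53.53 > 192.0.2.10.41234: 1234*- 1/0/0 A 198.51.100.7 (49)
13:17:04.100000 IP 10.20.30.40.50123 > 192.0.2.53.53: 4321+ A? intranet.example.com. (38)
13:17:05.200000 IP 10.20.30.40.50124 > 192.0.2.53.53: 4322+ AAAA? intranet.example.com. (38)
13:17:05.300000 IP 192.0.2.11.53001 > 192.0.2.53.53: 999 MX? example.com. (29)
13:17:06.000000 IP 10.20.30.41.40000 > 192.0.2.53.53: 77+ A? printer.example.com. (37)
EOF
}

# Recursors are 192.0.2.10 and 192.0.2.11; anything else is reported.
sample_capture | unexpected_dns_clients "192.0.2.10 192.0.2.11"
```

An empty result means every query seen during the capture came from a listed recursor; any address printed is a device still pointed directly at the authoritative server.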
