[Pdns-users] recursor - pdns authoritative and axfr problem
b.candler at pobox.com
Tue Sep 25 10:47:46 UTC 2018
[please reply to list]
On 25/09/2018 11:22, Bernd Krueger-Knauber wrote:
> At our customers' routers we give them 2 IP addresses of recursors as NS
> entries, which have no official NS entries pointing to themselves (no
> real NS).
Yes: recursors don't have NS records pointing at them. The clients
learn the IP addresses of the recursors through DHCP, or manual
> We restrict the recursors to the IP-ranges of our network addresses.
Yes. This avoids abuse of your recursors. (Or you can keep your
recursors on a private network, or behind a firewall which doesn't allow
> We place our 'real' pdns directly in the internet.
If by 'real' you mean pdns-authoritative, yes.
Alternatively, don't put it on the Internet, but make your domain's
public authoritative nameservers slave or replicate from it.
Even if you do put it on the Internet, you still need at least one other
nameserver to replicate from it, on a different network and ideally a
different continent (RFC 2182).
> We tell the recursor to ask first our pdns, then someone else.
Your recursor will automatically follow the delegations from nameservers
on the Internet. If the recursor wants to resolve www.example.com:
- first it queries the root nameservers, which will return a delegation
(NS records) pointing to .com nameservers
- it asks one of them, which will return a delegation to example.com
- it asks one of them, which gives the final answer
- all the answers, intermediate and final, are cached
This works the same for your own domains as for anybody else's domains.
To see a demo of this in action, try:
$ dig +trace www.google.com # or domain of your choice
You don't need to configure the recursor to do this - unless the domain
is private (unregistered, or not delegated).
As an example: if you want to do reverse DNS for private IP addresses,
you will need to forward the domains like 168.192.in-addr.arpa or
10.in-addr.arpa to your authoritative servers, because you can't get
real delegation in the public DNS for this.
As another example: if you have the domain foo.com, and you want to
create a domain int.foo.com which is *only* resolvable on your network
and not in the public Internet, then you can create int.foo.com but
*not* add NS records for it. Then the recursor must be configured to
forward int.foo.com to the auth server.
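Putting the advice in this reply together (restrict the recursor to your own ranges, forward only the private zones, let everything else iterate from the root), here is a recursor configuration in the classic recursor.conf key=value format. It is an added example, not configuration from the original post or from the PowerDNS project; the file path, the addresses (RFC 5737 documentation ranges and the 10/8 private range), the zone names and the authoritative server address 192.0.2.53 are all constructed placeholders:

```ini
# /etc/powerdns/recursor.conf  (assumed path; the exact location depends on your packaging)

# Addresses the recursor listens on; these are what DHCP hands out to clients.
# (constructed RFC 5737 documentation addresses)
local-address=192.0.2.10, 192.0.2.11

# Only answer recursive queries from our own network ranges.
# Queries from anywhere else are refused, which is what prevents
# the recursor from being abused as an open resolver.
allow-from=192.0.2.0/24, 10.0.0.0/8

# Zones that cannot be delegated in the public DNS are forwarded to our
# authoritative server (non-recursive queries, because the target is an
# authoritative server, not another recursor).
# Everything else is resolved by following delegations from the root.
forward-zones=int.foo.com=192.0.2.53, 10.in-addr.arpa=192.0.2.53, 168.192.in-addr.arpa=192.0.2.53

# The recursor normally answers RFC 1918 reverse zones itself (empty answers).
# Disable that so the forward-zones above are the only source for them.
serve-rfc1918=no
```

Two points worth checking after restarting the recursor: `forward-zones` (not `forward-zones-recurse`) is the right setting when the target is an authoritative server, since it sends queries without the recursion-desired bit; `forward-zones-recurse` is for handing a zone to another recursor. And the "ask first our pdns, then someone else" idea from the question is not something the recursor does per query: a name either matches a forwarded zone or it is resolved from the root, so a `dig @192.0.2.10 -x 10.0.0.1` should come back from the authoritative server while `dig @192.0.2.10 www.example.com` still follows public delegations. Recursor 5.x also accepts a YAML configuration; the keys above are the older key=value form.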