[Pdns-users] VPN - Overriding master/slave ip

frank+pdns at tembo.be
Wed Apr 17 10:08:28 UTC 2019


Hi Mike,

>     Ideally, what I'd want is for the hidden master and the slaves all
> to have a vpn between them, with the master and slaves having a shared
> private internal ip address range between them. This is easy to do with
> OpenVPN. The missing part seems to be the ability to explicitly state
> which source ip the master will use to notify the slaves. Maybe it's a
> different source IP per slave, in some setups. It would further be nice
> to tell the server to not even bother sending notifies to the NS records
> of the zone and instead using only an explicit notify list, also
> possibly per zone.
> 
>     I have tried various games with routing, nat, fwmarks, and so
> forth, and I can bludgeon things into mostly - but not entirely -
> working. A lot of work for something that could more or less be automatic
> and with a lot less configuration if we just had additional config
> controls to set the above properties. 

On most POSIX systems, if your peers are “directly connected”, then the correct source ip will always be used.

So in your case, let’s imagine you have an OpenVPN setup between both servers, and your hidden master is using ip 10.1.2.1/24, and your pdns-master is using ip 10.1.2.2/24. I would then do three things:

- tell the hidden master to only accept udp/tcp port 53 connections from 10.1.2.2. 
- tell the hidden master to send notifies to 10.1.2.2.
- tell the pdns “slave” master to use 10.1.2.1 as supermaster.

Once you’ve done this, there’s no need to force source ips etc, as they will always be the “correct” one, as long as you don’t define aliases on the OpenVPN interface of course.

Kind Regards,

Frank

> 
>     Just my random thoughts. Powerdns is awesome..
> 
> 
> Mike-
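As an added illustration of Frank's three steps and of his "directly connected peers pick the right source address" point (example code written for this thread, not from either poster or from PowerDNS): the first function asks the kernel which local address it would use to reach a peer, which is the check to run on the hidden master before trusting that notifies leave from the VPN address; the rest renders pdns.conf lines using real PowerDNS Authoritative setting names that the thread itself does not spell out (`local-address`, `allow-axfr-ips`, `also-notify`, `only-notify`, `allow-notify-from`), so treat the exact choice of settings as an assumption to verify against your version's documentation.

```python
"""Source-address check plus pdns.conf rendering for a hidden master and a
VPN-connected slave (10.1.2.1 and 10.1.2.2 as in the thread)."""
import ipaddress
import socket


def source_ip_for(peer_ip: str, port: int = 53) -> str:
    """Return the local address the kernel selects to reach peer_ip.
    A UDP connect() sends no packet; it only resolves the route and binds
    the local side, so getsockname() reveals the source pdns would use."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((peer_ip, port))
        return s.getsockname()[0]


def notify_source_matches(master_vpn_ip: str, slave_vpn_ip: str) -> bool:
    """True when notifies to the slave would leave from the master's VPN
    address (Frank's claim, provided no alias on the tunnel wins the route)."""
    return source_ip_for(slave_vpn_ip) == master_vpn_ip


def same_subnet(a: str, b: str, prefixlen: int = 24) -> bool:
    """Frank's precondition: both peers sit on one directly connected net."""
    net = ipaddress.ip_network(f"{a}/{prefixlen}", strict=False)
    return ipaddress.ip_address(b) in net


def hidden_master_conf(master_vpn_ip: str, slave_vpn_ip: str) -> dict:
    """Steps 1 and 2 on the hidden master (setting names are assumptions)."""
    return {
        "local-address": master_vpn_ip,  # listen only on the tunnel address
        "allow-axfr-ips": slave_vpn_ip,  # step 1: only the slave may AXFR
        "also-notify": slave_vpn_ip,     # step 2: explicit notify target
        "only-notify": slave_vpn_ip,     # NS-record notifies limited to this set
    }


def slave_conf(master_vpn_ip: str, slave_vpn_ip: str) -> dict:
    """Step 3 on the slave; the supermaster itself is a row in the backend's
    supermasters table (ip, nameserver, account), which is not rendered here."""
    return {
        "local-address": slave_vpn_ip,
        "allow-notify-from": master_vpn_ip,  # accept NOTIFY only over the VPN
        "slave": "yes",
    }


def render(conf: dict) -> str:
    """Serialise a settings dict as pdns.conf key=value lines."""
    return "".join(f"{k}={v}\n" for k, v in conf.items())
```

Run `source_ip_for("10.1.2.2")` on the hidden master itself; if it does not print 10.1.2.1, an interface alias or a more specific route is overriding the tunnel and should be removed before adding any source-forcing tricks.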