[Pdns-users] pdns + recursor + master / slave

Mike mike+lists at yourtownonline.com
Sun Feb 2 17:43:42 UTC 2020


On 2/1/20 9:13 AM, Stef Coene wrote:
> Hi,
>
> I'm new to PowerDNS and still learning about how it works.
>
> I want to have 2 DNS servers located in 2 different datacenters. One
> of them is master, one of them is slave. They both need to forward
> requests for unknown domains.
>
> If I understand it correctly I need:
> - 1 recursor in 1 each datacenter, so 2 in total
> - a master DNS in 1 datacenter
> - a slave DNS in the other datacenter
>
> I tried to install the recursor and the pdns server on the same
> machine. The recursor is listening on port 53, the pdns server is
> listening on port 5300. I also have PowerDNS-Admin installed on both
> servers. This is working fine.
>
> In this setup, I can request manually an update on the slave and it
> pulls in all the changes from the master.
>
> But I can not make the master push a change to the slave.
>
> This is what I find in the logfiles (1.1.1.99 is the master, 1.1.2.99
> is the slave) when I update the master:
>
> Feb  1 17:48:44 dns01 pdns_server[26834]: 1 domain for which we are
> master needs notifications
> Feb  1 17:48:44 dns01 pdns_server[26834]: Queued notification of
> domain 'example.com' to 1.1.1.99:53
> Feb  1 17:48:44 dns01 pdns_server[26834]: Queued notification of
> domain 'example.com' to 1.1.2.99:53
> Feb  1 17:48:47 dns01 pdns_server[26834]: No master domains need
> notifications
> Feb  1 17:49:18 dns01 pdns_server[26834]: Notification for axidc.io to
> 1.1.1.99:53 failed after retries
> Feb  1 17:49:18 dns01 pdns_server[26834]: Notification for axidc.io to
> 1.1.2.99:53 failed after retries
>
> Is it true that the push from the master to the slave is not working
> because the recursor is listening on port 53 while pdns is listening
> on port 5300?
> If so, how can I make the master push the changes to the slave on port
> 5300?
>
> Can I use 2 IP addresses per server and make pdns listen on 1 IP and
> the recursor listening on the other IP?
>
> If that's not possible is there any other solution except running pdns
> and recursor on 2 different servers?
>
> I think this setup is quite common but I couldn't find any information
> on this setup and how to configure this.


Hi Stef,


    Typically, what you really want, is to separate the functions of
'authoritative server' and 'recursive resolver', which means that each
are handled on separate IP addresses.  Bind did/does allow this setup
and has extensive access controls to sort of make it work, but from an
operational perspective, it's a really bad idea. The essential reason is
that combining these functions means that you are essentially overriding
the internet roots with respect to your domain data, but only from the
perspective of any clients that happen to depend on you as their
recursive resolver. It's all fine when the roots point to you for some
domain, but then later if that domain is moved to a different set of
nameservers, unless you also update your config to remove that domain,
you are going to be serving incorrect dns data to all clients who use
your resolver since it's still going off its local notion of things and
not referring those queries to the new servers. Typically what customers
want, is to be able to set up their new hosting somewhere and get it all
ready, and then do the switch with their name registrar, and then later
once they are satisfied it's all working, then they call you to
cancel/delete the domain in question.  Sometimes they are real slow
about this. Sometimes they never tell you at all. So even if you are
very proactive and handle these updates as they are requested, you may
never get the request or at least not in a timely fashion.

    Both powerdns server and powerdns recursor have settings to specify
which ip addresses to listen on, which allows them to co-exist on the
same machine just fine. Your problem with the master not pushing to the
slave is that the slave server isn't seeing the dns notify from the
master. In the config you are proposing above, the reason is that by
default the master will send to the slave on port 53, which I think you
have as your resolver. In special applications, sure, you can override
this too. But simply having 2 IPs at each site will resolve this too as
well as other issues. The settings you want are 'local-address'.

Mike-
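A concrete version of the split Mike describes, written as an added example (not configuration from the original thread or from the PowerDNS project): Stef's single-address layout next to a two-address layout where authoritative and recursor each own their own IP on port 53. The addresses 10.0.1.1 and 10.0.2.1, the client range and the hostnames are assumed placeholders; the settings used (local-address, local-port, master, slave, allow-axfr-ips, allow-notify-from, allow-from) are real PowerDNS options.

```ini
# --- Stef's layout (one IP per box): the recursor owns port 53, so a NOTIFY
#     sent to 1.1.2.99:53 is answered by the recursor and never reaches the
#     authoritative slave on 5300; the master then logs "failed after retries".
# /etc/powerdns/recursor.conf on dns02
local-address=1.1.2.99
local-port=53
# /etc/powerdns/pdns.conf on dns02
local-address=1.1.2.99
local-port=5300
slave=yes

# --- Two addresses per server: authoritative and recursive each bound to
#     their own IP, both on port 53.  The zone's NS records must point at the
#     authoritative addresses (10.0.1.1 / 10.0.2.1, assumed values) so the
#     master's NOTIFY lands on pdns_server, not on the recursor.
# /etc/powerdns/pdns.conf on dns01 (master)
local-address=10.0.1.1
local-port=53
master=yes
allow-axfr-ips=10.0.2.1          # only the slave's authoritative IP may AXFR

# /etc/powerdns/pdns.conf on dns02 (slave)
local-address=10.0.2.1
local-port=53
slave=yes
allow-notify-from=10.0.1.1       # accept NOTIFY only from the master's auth IP

# /etc/powerdns/recursor.conf on dns01 (dns02 is identical with 1.1.2.99).
# No forward-zones for your own domains: the recursor resolves them via the
# roots like any other client would, which is the separation Mike argues for.
local-address=1.1.1.99
local-port=53
allow-from=192.168.0.0/16        # assumed client range; never leave this open
```

After restarting both services, `ss -lunp | grep -E 'pdns|recursor'` on each box should show pdns_server and pdns_recursor on different addresses, and the master's log should report the NOTIFY to the slave's authoritative IP as delivered rather than failed.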

