[Pdns-users] Running auth server and recursor on the same server, upgrading from 4.0.9

Brian Candler b.candler at pobox.com
Tue Jun 23 19:00:40 UTC 2020

On 23/06/2020 19:47, Yves Goergen wrote:
> Okay, so I'll have to repeat all the domains from the auth server's 
> database in a static config file? What's the use of the database then?

Well, if your authoritative server has a public IP address, then you can 
just put NS records in the parent zone - the recursor will find your 
authoritative nameserver(s) automatically with no additional 
configuration.  So will everyone else.

I just guessed that the reason you wanted to mix recursor and 
authoritative roles is because you don't have delegation configured for 
your local domains.

(FWIW, my home domain *does* permit external resolution, and my auth 
server is reachable via IPv6)

> And then I still have two DNS servers: one that can resolve any public 
> name, and another one that can resolve the names I host myself. The 
> recursor is only accessible locally and the auth server is public.

That's correct.

> What should I use for the system's default DNS server?

The recursor. (Always).

> If I choose the first, I cannot resolve my own names locally.

Not true.  Choose the recursor, and it will resolve both external names 
and your local names.  If your local names are delegated, no additional 
configuration is required.  If your local names are not delegated, then 
it's one entry for each domain in the recursor.conf.  That's all.

> PowerDNS auth server on port 53 and recursor internally forwarded to 
> port 5300 worked fine with a single public IP address and port for 
> queries from local and remote.

You can run auth on 53 and recursor on 5300, but then your clients will 
need to be configured to use port 5300 for recursion and it's not always 
possible to do that.

A better option is for your machine to have both a public IP and a 
private IP, and to bind the auth server to the public one and the 
recursor to the private one.

PowerDNS is a very lean and flexible DNS server that scales extremely 
well.  It's very lightweight and works well in a home network.  But you 
do have to run the separate roles, which has been best practice for 
donkey's years anyway.
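
Added example, not part of the original post: a configuration sketch of the split described above, with the authoritative server bound to the public address, the recursor bound to the private one, and one `forward-zones` entry per non-delegated domain. The addresses (203.0.113.10, 192.168.1.10) and zone names (home.example, lab.example) are placeholders assumed for illustration.

```ini
# Constructed example; addresses and zone names are placeholders.
# 203.0.113.10 = public IP, 192.168.1.10 = private IP of the same host.

# --- pdns.conf (authoritative server, reachable from the Internet) ---
local-address=203.0.113.10
local-port=53

# --- recursor.conf (recursor, reachable from the local network only) ---
local-address=192.168.1.10
local-port=53
# Answer only local clients so the recursor is not an open resolver.
allow-from=192.168.1.0/24
# One entry per zone that is NOT delegated from its parent zone.
# No leading '+': queries are sent without the RD bit, as an
# authoritative server expects.
forward-zones=home.example=203.0.113.10, lab.example=203.0.113.10

# --- /etc/resolv.conf on this host and on LAN clients ---
# nameserver 192.168.1.10
```

Zones that are properly delegated with NS records in the parent zone need no `forward-zones` entry.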


