[Pdns-users] Running auth server and recursor on the same server, upgrading from 4.0.9
b.candler at pobox.com
Tue Jun 23 19:00:40 UTC 2020

On 23/06/2020 19:47, Yves Goergen wrote:
> Okay, so I'll have to repeat all the domains from the auth server's
> database in a static config file? What's the use of the database then?

Well, if your authoritative server has a public IP address, then you can
just put NS records in the parent zone - the recursor will find your
authoritative nameserver(s) automatically with no additional
configuration. So will everyone else.

I just guessed that the reason you wanted to mix recursor and
authoritative roles is because you don't have delegation configured for
your local domains.

(FWIW, my home domain *does* permit external resolution, and my auth
server is reachable via IPv6)

> And then I still have two DNS servers: one that can resolve any public
> name, and another one that can resolve the names I host myself. The
> recursor is only accessible locally and the auth server is public.
> What should I use for the system's default DNS server?

The recursor. (Always).

> If I choose the first, I cannot resolve my own names locally.

Not true. Choose the recursor, and it will resolve both external names
and your local names. If your local names are delegated, no additional
configuration is required. If your local names are not delegated, then
it's one entry for each domain in the recursor.conf. That's all.

> PowerDNS auth server on port 53 and recursor internally forwarded to
> port 5300 worked fine with a single public IP address and port for
> queries from local and remote.

You can run auth on 53 and recursor on 5300, but then your clients will
need to be configured to use port 5300 for recursion and it's not always
possible to do that.

A better option is for your machine to have both a public IP and a
private IP, and to bind the auth server to the public one and the
recursor to the private one.

PowerDNS is a very lean and flexible DNS server that scales extremely
well. It's very lightweight and works well in a home network. But you
do have to run the separate roles, which has been best practice for
donkey's years anyway.