[Pdns-users] AXFR Zone Transfer Problem

Brian Candler b.candler at pobox.com
Fri Jan 8 21:28:04 UTC 2021

On 08/01/2021 21:04, Ralph via Pdns-users wrote:
> Is it possible to put the pdns-auth in front, so that every request for which we are not responsible for gets forwarded to the pdns-recursor?

No, that's not possible.

As I said before, they are doing different jobs.  Bind the two processes 
to different IP addresses, and preferably put them in separate 
containers or VMs.

Your recursor is only used by your internal clients.  It can go on a 
private IP address, and make outbound queries via NAT if necessary.  
You'll want two of them for redundancy.

Your auth server is only contacted by other recursors. It will want a 
public IP address to be queried from outside (unless you are serving 
entirely private domains).  You'll want at least two for redundancy, but 
at least one must be off-site on a different network - see RFC 2182.

More information about the Pdns-users mailing list