[Pdns-users] Best practice for serving a few public domains + auth/recursion for VMs & VPN clients
Brian Candler
b.candler at pobox.com
Mon Oct 4 12:54:59 UTC 2021
On 04/10/2021 13:44, Patrick Laimbock via Pdns-users wrote:
> New to the list & PowerDNS. Pleased to meet you. I have about 50
> domains, 10 VMs and 10 VPN clients I would like to setup DNS for. I
> went through DuckDuckGo and a bunch of ML archives but did not find
> any hints of a best practice architecture for this small setup. I did
> find:
>
> https://doc.powerdns.com/authoritative/guides/recursion.html#scenario-2-authoritative-server-as-recursor-for-clients-and-serving-public-domains
>
>
> Is this deduction of scenario 2 "New situation" pic on the right correct?
>
> Internet -> dnsdist -> auth (for serving the public zones)
> VMs/VPN clients -> dnsdist -> auth (for public/private zones)
> VMs/VPN clients -> dnsdist -> recursor -> Internet (for the rest)
No. There's no need for dnsdist unless you have a specially complex or
unusual installations. It's only shown that way in the document you
quote for people who are *forced* to put both authoritative and
recursive nameservice on the same IP address, for legacy reasons or
because of bad planning.
All you want is:
* Internet -> auth (for serving the public zones) [note 1]
* VMs/VPN clients -> recursor [note 2, 3]
[note 1]: public zones need to be served by at least *two* auth servers
located in at least two different networks (autonomous systems), and
preferably different continents. See RFC 2182.
[note 2]: you probably want two recursors for redundancy too.
[note 3]: as long as your public zones are properly public and
delegated, there is no need to point your recursor at your auth servers:
the recursor will follow the published NS records just like everyone else.
However if you have *private* domains, that are only visible to your own
recursor users, that's when you look at using forward-zones - and you
might have to use negative trust anchors (NTA) if these private domains
are subdomains of a DNSSEC-signed zone. It's much simpler just to keep
the DNS public.
Your authoritative nameservers need public IPs; your recursors can be
behind NAT.
HTH,
Brian.
More information about the Pdns-users
mailing list