[Pdns-users] Best practice for serving a few public domains + auth/recursion for VMs & VPN clients

Brian Candler b.candler at pobox.com
Mon Oct 4 12:54:59 UTC 2021

On 04/10/2021 13:44, Patrick Laimbock via Pdns-users wrote:
> New to the list & PowerDNS. Pleased to meet you. I have about 50 
> domains, 10 VMs and 10 VPN clients I would like to setup DNS for. I 
> went through DuckDuckGo and a bunch of ML archives but did not find 
> any hints of a best practice architecture for this small setup. I did 
> find:
> https://doc.powerdns.com/authoritative/guides/recursion.html#scenario-2-authoritative-server-as-recursor-for-clients-and-serving-public-domains 
> Is this deduction of scenario 2 "New situation" pic on the right correct?
> Internet -> dnsdist -> auth (for serving the public zones)
> VMs/VPN clients -> dnsdist -> auth (for public/private zones)
> VMs/VPN clients -> dnsdist -> recursor -> Internet (for the rest) 

No. There's no need for dnsdist unless you have a specially complex or 
unusual installation.  It's only shown that way in the document you 
quote for people who are *forced* to put both authoritative and 
recursive nameservice on the same IP address, for legacy reasons or 
because of bad planning.

All you want is:

* Internet -> auth  (for serving the public zones) [note 1]

* VMs/VPN clients -> recursor [note 2, 3]

[note 1]: public zones need to be served by at least *two* auth servers 
located in at least two different networks (autonomous systems), and 
preferably different continents.  See RFC 2182.

[note 2]: you probably want two recursors for redundancy too.

[note 3]: as long as your public zones are properly public and 
delegated, there is no need to point your recursor at your auth servers: 
the recursor will follow the published NS records just like everyone else.

However if you have *private* domains, that are only visible to your own 
recursor users, that's when you look at using forward-zones - and you 
might have to use negative trust anchors (NTA) if these private domains 
are subdomains of a DNSSEC-signed zone.  It's much simpler just to keep 
the DNS public.

Your authoritative nameservers need public IPs; your recursors can be 
behind NAT.
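The forward-zones plus NTA caveat from note 3 and the paragraph after it, as an added example that is not part of the original mail or of PowerDNS itself: given the forward-zones line you would put in recursor.conf and the set of public zones you know to be DNSSEC-signed, it works out which private forward-zones sit beneath a signed zone (and so need a negative trust anchor) and emits the matching addNTA() lines for the recursor's Lua config file. Zone names and forwarder addresses are constructed.

```python
from typing import Dict, List, Optional, Set

# Constructed recursor.conf forward-zones value: private zones served by
# internal authoritative servers (addresses are documentation ranges).
FORWARD_ZONES = "corp.example.com=192.0.2.53, lab.example.net=192.0.2.54:5300, home.arpa=198.51.100.1"
# Constructed: public zones you know are DNSSEC-signed and delegated.
SIGNED_PUBLIC_ZONES = {"example.com", "example.org"}


def parse_forward_zones(setting: str) -> Dict[str, List[str]]:
    """Parse the recursor syntax 'zone=ip[:port][;ip...], zone=ip' into a map."""
    zones: Dict[str, List[str]] = {}
    for entry in setting.split(","):
        entry = entry.strip()
        if not entry:
            continue
        zone, _, forwarders = entry.partition("=")
        zones[zone.strip().rstrip(".").lower()] = [
            f.strip() for f in forwarders.split(";") if f.strip()
        ]
    return zones


def signed_ancestor(zone: str, signed: Set[str]) -> Optional[str]:
    """Return the closest signed public zone that `zone` is a proper subdomain of."""
    labels = zone.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if parent in signed:
            return parent
    return None


def required_ntas(setting: str, signed: Set[str]) -> Dict[str, str]:
    """Private forward-zones whose signed parent would make validation fail."""
    result: Dict[str, str] = {}
    for zone in parse_forward_zones(setting):
        parent = signed_ancestor(zone, signed)
        if parent:
            result[zone] = parent
    return result


def nta_lua(ntas: Dict[str, str]) -> str:
    """Emit addNTA() calls for the recursor's lua-config-file. An NTA switches
    validation off for everything below that name, so keep it scoped to the
    private zone itself, never to the signed parent."""
    return "\n".join(
        f'addNTA("{zone}", "private zone under signed {parent}")'
        for zone, parent in sorted(ntas.items())
    )


if __name__ == "__main__":
    print(nta_lua(required_ntas(FORWARD_ZONES, SIGNED_PUBLIC_ZONES)))
```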
