[Pdns-users] Best practice for serving a few public domains + auth/recursion for VMs & VPN clients

Patrick Laimbock patrick at laimbock.com
Mon Oct 4 13:07:28 UTC 2021

Hi Brian,

Thank you for your feedback.

On 04-10-2021 14:54, Brian Candler wrote:
> No. There's no need for dnsdist unless you have a specially complex or 
> unusual installations.  It's only shown that way in the document you 
> quote for people who are *forced* to put both authoritative and 
> recursive nameservice on the same IP address, for legacy reasons or 
> because of bad planning.
> All you want is:
> * Internet -> auth  (for serving the public zones) [note 1]
> * VMs/VPN clients -> recursor [note 2, 3]
> [note 1]: public zones need to be served by at least *two* auth servers 
> located in at least two different networks (autonomous systems), and 
> preferably different continents.  See RFC 2182.

Thanks, RFC2182 is on my reading list.

> [note 2]: you probably want two recursors for redundancy too.

Yes that makes sense.

> [note 3]: as long as your public zones are properly public and 
> delegated, there is no need to point your recursor at your auth servers: 
> the recursor will follow the published NS records just like everyone else.

Got it. That sounds like a nice test to see if everything it working as 
it's supposed to.

> However if you have *private* domains, that are only visible to your own 
> recursor users, that's when you look at using forward-zones - and you 
> might have to use negative trust anchors (NTA) if these private domains 
> are subdomains of a DNSSEC-signed zone.  It's much simpler just to keep 
> the DNS public.

That sounds challenging and I like to keep things simple so private 
zones are off the table.

> Your authoritative nameservers need public IPs; your recursors can be 
> behind NAT.

Everything has a public IP but good to know that a recursor can be 
behind NAT.

> HTH,

It definitely does help. Thank you!


More information about the Pdns-users mailing list