[Pdns-users] Best practice for serving a few public domains + auth/recursion for VMs & VPN clients
    Patrick Laimbock 
    patrick at laimbock.com
    Mon Oct  4 13:07:28 UTC 2021
Hi Brian,
Thank you for your feedback.
On 04-10-2021 14:54, Brian Candler wrote:
[snip]
> No. There's no need for dnsdist unless you have a specially complex or 
> unusual installation.  It's only shown that way in the document you 
> quote for people who are *forced* to put both authoritative and 
> recursive nameservice on the same IP address, for legacy reasons or 
> because of bad planning.
> 
> All you want is:
> 
> * Internet -> auth  (for serving the public zones) [note 1]
> 
> * VMs/VPN clients -> recursor [note 2, 3]
> 
> 
> [note 1]: public zones need to be served by at least *two* auth servers 
> located in at least two different networks (autonomous systems), and 
> preferably different continents.  See RFC 2182.
Thanks, RFC2182 is on my reading list.
> [note 2]: you probably want two recursors for redundancy too.
Yes that makes sense.
> [note 3]: as long as your public zones are properly public and 
> delegated, there is no need to point your recursor at your auth servers: 
> the recursor will follow the published NS records just like everyone else.
Got it. That sounds like a nice test to see if everything is working as 
it's supposed to.
> However if you have *private* domains, that are only visible to your own 
> recursor users, that's when you look at using forward-zones - and you 
> might have to use negative trust anchors (NTA) if these private domains 
> are subdomains of a DNSSEC-signed zone.  It's much simpler just to keep 
> the DNS public.
That sounds challenging and I like to keep things simple so private 
zones are off the table.
> Your authoritative nameservers need public IPs; your recursors can be 
> behind NAT.
Everything has a public IP but good to know that a recursor can be 
behind NAT.
> HTH,
It definitely does help. Thank you!
Best,
Patrick
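As an added illustration (not part of the thread and not taken from the PowerDNS project's documentation), the split Brian describes written out as two minimal configuration fragments: one of the two public authoritative servers (PowerDNS Authoritative, pdns.conf) and one of the two recursors (Recursor 4.x-style key=value recursor.conf). Every address, zone name, network range and file path below is a constructed placeholder. The security-relevant line is the recursor's `allow-from`: a recursor on a public IP with no source restriction is an open resolver usable for amplification, so it only answers the VM and VPN ranges. The private-domain variant Brian mentions (forward-zones plus a negative trust anchor) is shown commented out, since Patrick chose not to use it.

```ini
# --- pdns.conf on authoritative server #1 (constructed example) ---
# Listens only on its public address and serves the public zones.
local-address=198.51.100.10
launch=bind
bind-config=/etc/powerdns/named.conf
# Zone transfers only to the second authoritative server, in another AS.
allow-axfr-ips=203.0.113.10
# No recursion here: this daemon answers only for zones it is authoritative for.

# --- recursor.conf on recursor #1 (constructed example) ---
# Public IP, but only the VM and VPN client ranges may query it.
local-address=198.51.100.20
allow-from=10.10.0.0/16, 10.20.0.0/16
# Validate DNSSEC; the recursor follows the published NS records for the
# public zones, so no forwarding to the authoritative servers is needed.
dnssec=validate
# Private-domain variant only (not used in this setup): forward an internal
# subdomain of a signed public zone to an internal authoritative server...
#forward-zones=corp.example.=10.10.0.53
# ...and, at runtime, add a negative trust anchor so validation does not
# reject the unsigned private subzone:
#   rec_control add-nta corp.example "private subzone of signed parent"
```

With this layout the delegation test Patrick mentions is simply to query a public name through the recursor and check that the answer comes back with the AD flag set; if the recursor were pointed at the auth servers via forward-zones, that test would pass even when the public delegation was broken.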