[Pdns-users] Overlay or pass-through support in PDNS?
eli glynn
junknot at gmail.com
Tue Aug 2 23:43:38 UTC 2022
I've recently inherited a really ugly mess at my company, involving a
muddle of PowerDNS, Route53, NS1, and just about every mixed up interaction
you could imagine between them all.
The biggest part of the jumble is the way PowerDNS was used as a poor man's
split horizon - we have a large number of records which point at internal
(e.g. 10.x) ranges, with duplicate entries in Route53 AND/OR NS1 (don't
ask) usually pointing at routable IPs. There's a lot of badness beyond
just that, but the majority of my pain is from that basic situation.
Because the client systems are pointed at PDNS, and it considers itself
authoritative, we're forced to duplicate ALL external records (overridden
or not) within PDNS, or NXDOMAINs result. This of course leads to two (or
sometimes three) sources of truth for all RRs, and historically the needed
due diligence has not been performed to keep them in sync.
Long story short, in order to clean up the mess, I'm hoping to implement an
"overlay" in PowerDNS, whereby PDNS only contains the RRs which it needs to
override. If a record would normally be identical to the external value
(Route53 or NS1) then rather than duplicating it, I'd like PowerDNS to fail
through and do a recursive lookup externally, returning that value to the
client. So basically, if an NXDOMAIN or NODATA would be returned for a
zone PDNS considers itself authoritative for, it instead recurses and emits
whatever comes back from there.
It seems this should be doable using a `postresolve()` hook, or even better
`nxdomain()` combined with `nodata()` to minimize Lua roundtrips. But I'm
having a heckuva time implementing the recursion part. I can't find any
canned tooling within Lua to do something theoretically simple (e.g. what
in python you'd do with `import socket ; return socket.gethostbyname("blah")`).
I've also considered writing a custom backend but would prefer to keep
things simple if at all possible.
I know this is an unusual use-case (though I can see where such an
"overlay" could be very useful in a number of scenarios).
Any feedback would be appreciated - suggestions, alternate approaches, or
even a flat "you can't do that in PowerDNS" if such is the case - it will
save me a lot of cycles if so :)
Thanks all!
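The overlay policy described in the post (answer from the local override set, otherwise fall through to the external view on NXDOMAIN or NODATA), as an added example in plain Python. This is not PowerDNS code, not a Lua hook, and not the poster's configuration; it models the decision logic so the edge cases are explicit before wiring it into whatever hook or backend is chosen. The zone `example.com`, the override and external RRs, and the `stub_upstream` function are all constructed stand-ins; in a real deployment the upstream callable would issue a recursive query towards Route53/NS1.

```python
"""
Overlay resolution policy, modelled in plain Python (added example, not
PowerDNS code and not the original poster's setup).

Design points a practitioner would want covered:
- fall-through happens only for names inside zones the local server claims,
  so the server never recurses for arbitrary names on a client's behalf;
- an override hit is answered authoritatively and never touches upstream;
- both local NODATA (name exists, type absent) and local NXDOMAIN fall
  through, and fallen-through answers are flagged non-authoritative.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# (qname, qtype) -> (rcode, rdatas); stands in for a real recursive lookup.
Upstream = Callable[[str, str], Tuple[str, List[str]]]


def normalize(name: str) -> str:
    """Lower-case and ensure one trailing dot; DNS names are case-insensitive."""
    return name.rstrip(".").lower() + "."


@dataclass
class Answer:
    rcode: str                          # "NOERROR", "NXDOMAIN" or "REFUSED"
    rrs: List[Tuple[str, str, str]] = field(default_factory=list)
    authoritative: bool = False         # True only for locally overridden RRsets
    source: str = "none"                # "overlay", "upstream" or "none"


class OverlayResolver:
    def __init__(self, zones, overrides, upstream: Upstream):
        self.zones: Set[str] = {normalize(z) for z in zones}
        self.records: Dict[str, Dict[str, List[str]]] = {}
        for name, rtype, rdata in overrides:
            by_type = self.records.setdefault(normalize(name), {})
            by_type.setdefault(rtype.upper(), []).append(rdata)
        self.upstream = upstream
        self.upstream_calls = 0         # lets a caller see when fall-through fired

    def zone_for(self, qname: str) -> Optional[str]:
        """Longest-suffix match of qname against the claimed zones."""
        labels = qname.split(".")
        for i in range(len(labels) - 1):
            cand = ".".join(labels[i:])
            if cand in self.zones:
                return cand
        return None

    def resolve(self, qname: str, qtype: str) -> Answer:
        qname, qtype = normalize(qname), qtype.upper()
        if self.zone_for(qname) is None:
            # Not our zone: behave like an authoritative server and refuse.
            return Answer("REFUSED")
        local = self.records.get(qname, {})
        if qtype in local:
            # Override hit: authoritative answer, upstream is not consulted.
            return Answer("NOERROR", [(qname, qtype, r) for r in local[qtype]],
                          authoritative=True, source="overlay")
        # Local NODATA or NXDOMAIN: fall through to the external view.
        self.upstream_calls += 1
        rcode, rdatas = self.upstream(qname, qtype)
        return Answer(rcode, [(qname, qtype, r) for r in rdatas],
                      authoritative=False, source="upstream")


# --- constructed sample data -------------------------------------------------
ZONES = ["example.com"]
OVERRIDES = [("app.example.com", "A", "10.0.0.5")]      # the one RR we force

# Constructed stand-in for the Route53/NS1 view of the same zone.
EXTERNAL_VIEW = {
    ("app.example.com.", "A"): ("NOERROR", ["203.0.113.5"]),    # shadowed locally
    ("app.example.com.", "AAAA"): ("NOERROR", ["2001:db8::5"]),
    ("www.example.com.", "A"): ("NOERROR", ["198.51.100.7"]),
}


def stub_upstream(qname: str, qtype: str) -> Tuple[str, List[str]]:
    """Hypothetical upstream: a real one would send a recursive query."""
    if (qname, qtype) in EXTERNAL_VIEW:
        return EXTERNAL_VIEW[(qname, qtype)]
    if any(n == qname for n, _ in EXTERNAL_VIEW):
        return ("NOERROR", [])          # NODATA: name exists upstream, type does not
    return ("NXDOMAIN", [])


def build() -> OverlayResolver:
    return OverlayResolver(ZONES, OVERRIDES, stub_upstream)


if __name__ == "__main__":
    r = build()
    for q in [("APP.example.com", "A"), ("app.example.com", "AAAA"),
              ("www.example.com", "A"), ("nope.example.com", "A"),
              ("www.other.net", "A")]:
        print(q, r.resolve(*q))
```

The zone allowlist and the `authoritative` flag are the two parts worth keeping whatever mechanism is finally used: without the first, an authoritative server that recurses on miss is effectively an open resolver for anyone who can reach it; without the second, clients and downstream caches will treat upstream data as if the local server vouched for it. Note also that the upstream query runs inside the request path, so it needs a timeout and, ideally, a cache.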