[Pdns-users] Overlay or pass-through support in PDNS?

eli glynn junknot at gmail.com
Wed Aug 3 23:02:27 UTC 2022


Both very fair suggestions :)

I should have stressed the fact that we already have a deployed set of
PowerDNS servers, spread across several datacenters and AWS regions, and
which a large number of (>2000) production systems are already hitting.
Ideally, we'd be able to update the existing PDNS servers in a minimally
intrusive way to allow this "fail-through" scenario.  I'm not entirely
sure, but from my reading on dnsdist it would require a fairly decent
overhaul of the existing infrastructure and data flow.  That said, the
level of effort might still be less than writing and deploying a Lua
postresolv() hook :)

WRT Winifred's suggestion, I don't see an (obvious) way that
forward-zones{-files} would be able to provide the desired "look here
first, and return an authoritative answer IF it is found, else fail through
to this other resolver" for a given single zone.  My understanding of
forward-zones is that it makes the forwarding decision at the zone level,
not based on success or failure of a lookup WITHIN a zone.  Please do
correct me if I'm wrong though, as if it can do that your solution could
well work for our use case.

Thanks for the responses!
Tom Williams

On Wed, Aug 3, 2022 at 3:07 AM Aki Tuomi <cmouse at cmouse.fi> wrote:

>
>
> On 3 August 2022 6.53.11 UTC, Winfried Angele via Pdns-users <
> pdns-users at mailman.powerdns.com> wrote:
> >Hi Eli,
> >
> >On 03.08.22 01:43, eli glynn via Pdns-users wrote:
> >> I've recently inherited a really ugly mess at my company, involving a
> muddle of PowerDNS, Route53, NS1, and just about every mixed up interaction
> you could imagine between them all.
> >>
> >> The biggest part of the jumble is the way PowerDNS was used as a
> poor-man's split horizon - we have a large number of records which point at
> internal (e.g. 10.x) ranges, with duplicate entries in Route53 AND/OR NS1
> (don't ask) usually pointing at routable IPs.  There's a lot of badness
> beyond just that, but the majority of my pain is from that basic situation.
> >>
> >> Because the client systems are pointed at PDNS, and it considers itself
> authoritative, we're forced to duplicate ALL external records
> >
> >Not sure if I got that right, but "clients" may only ask a Resolver
> (PowerDNS Recursor) and never an Auth (PowerDNS Authoritative).
> >
> >> (overridden or not) within PDNS, or NXDOMAINs result.  This of course
> leads to two (or sometimes three) sources of truth for all RRs, and
> historically the needed due diligence has not been performed to keep them
> in sync.
> >>
> >> Long story short, in order to clean up the mess, I'm hoping to
> implement an "overlay" in PowerDNS, whereby PDNS only contains the RRs
> which it needs to override.  If a record would normally be identical to the
> external value (Route53 or NS1) then rather than duplicating it, I'd like
> PowerDNS to fail through and do a recursive lookup externally, returning
> that value to the client.  So basically, if an NXDOMAIN or NODATA would be
> returned for a zone PDNS considers itself authoritative for, it instead
> recurses and emits whatever comes back from there.
> >>
> >> It seems this should be doable using a `postresolve()` hook, or even
> better `nxdomain()` combined with `nodata()` to minimize Lua roundtrips.
> But I'm having a heckuva time implementing the recursion part.  I can't
> find any canned tooling within Lua to do something theoretically simple
> (e.g. what in python you'd do with `import socket ; return
> socket.gethostbyname("blah")`).  I've also considered writing a custom
> backend but would prefer to keep things simple if at all possible
> >>
> >> I know this is an unusual use-case (though I can see where such an
> "overlay" could be very useful in a number of scenarios).
> >>
> >> Any feedback would be appreciated - suggestions, alternate approaches,
> or even a flat "you can't do that in PowerDNS" if such is the case - it
> will save me a lot of cycles if so :)
> >
> >What about Recursor's "forward-zones" or "forward-zones-file" features?
> This way you could forward queries for your internal Domain Names to your
> internal Authoritative Nameserver.
> >
> >https://doc.powerdns.com/recursor/settings.html#forward-zones
> >https://doc.powerdns.com/recursor/settings.html#forward-zones-file
> >
> >Winfried
> >_______________________________________________
> >Pdns-users mailing list
> >Pdns-users at mailman.powerdns.com
> >https://mailman.powerdns.com/mailman/listinfo/pdns-users
>
> Or you could use dnsdist. See https://dnsdist.org - it is recommended for
> these kinds of things.
> --
> Aki
>
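The thread never got a concrete version of the `nxdomain()`/`nodata()` approach the original post asks about, so here is one as an added example. It is not code from the thread or from the PowerDNS project, and it assumes the setup Winfried describes: clients ask a PowerDNS Recursor, which serves the overlay zone (from its own authoritative source or a forward-zone) and runs this script via `lua-dns-script`. The zone name `corp.example`, the external resolver `192.0.2.53:53` and the callback name `overlayCallback` are placeholders. The script uses the Recursor's documented `udpQueryResponse` follow-up, which is a single raw UDP exchange, so the hook has to build the query packet and parse the reply itself (this is the "no canned tooling" gap the original post ran into); it does not retry over TCP on truncation and does not validate DNSSEC on what comes back, so the external resolver becomes a trusted source for every name under the overlay zone that PDNS itself does not answer.

```lua
-- Added example, not from the thread or the PowerDNS project: Recursor Lua
-- hooks implementing the "overlay" fail-through from the original post.
-- Assumptions (placeholders): the overlay zone is "corp.example" and the
-- external resolver reached on fail-through is 192.0.2.53:53.
local overlayZone = newDN("corp.example")
local externalResolver = newCA("192.0.2.53:53")

-- Encode a 16-bit value big-endian.
local function u16(n)
  return string.char(math.floor(n / 256), n % 256)
end

-- Build a minimal DNS query (header + one question, RD set) for the name
-- and type the client asked for, so the external resolver recurses for us.
local function buildQuery(qname, qtype)
  local header = u16(math.random(0, 65535)) .. "\1\0"   -- ID, flags RD=1
                 .. u16(1) .. u16(0) .. u16(0) .. u16(0) -- QD=1, AN/NS/AR=0
  local question = ""
  for label in string.gmatch(qname, "[^.]+") do         -- qname ends in "."
    question = question .. string.char(#label) .. label
  end
  return header .. question .. "\0" .. u16(qtype) .. u16(1) -- class IN
end

-- Read a (possibly compressed) name at 1-based position pos; returns the
-- dotted name and the position just after the name field.
local function readName(pkt, pos)
  local labels, afterPtr = {}, nil
  while true do
    local len = pkt:byte(pos)
    if len == 0 then
      pos = pos + 1
      break
    elseif len >= 192 then                      -- compression pointer
      local offset = (len - 192) * 256 + pkt:byte(pos + 1)
      afterPtr = afterPtr or (pos + 2)
      pos = offset + 1                          -- packet offsets are 0-based
    else
      labels[#labels + 1] = pkt:sub(pos + 1, pos + len)
      pos = pos + len + 1
    end
  end
  return table.concat(labels, ".") .. ".", afterPtr or pos
end

-- Callback the recursor invokes with the raw upstream reply in dq.udpAnswer;
-- copies its rcode and the A/AAAA/CNAME answers to the client's response.
function overlayCallback(dq)
  local pkt = dq.udpAnswer
  if not pkt or #pkt < 12 then return false end  -- no reply: keep NXDOMAIN/NODATA
  dq.rcode = pkt:byte(4) % 16                      -- low 4 bits of 2nd flags byte
  local ancount = pkt:byte(7) * 256 + pkt:byte(8)
  local pos = 13
  local name
  name, pos = readName(pkt, pos)                   -- skip the question name
  pos = pos + 4                                    -- ... and QTYPE/QCLASS
  for _ = 1, ancount do
    name, pos = readName(pkt, pos)
    local rtype = pkt:byte(pos) * 256 + pkt:byte(pos + 1)
    local ttl = ((pkt:byte(pos + 4) * 256 + pkt:byte(pos + 5)) * 256
                 + pkt:byte(pos + 6)) * 256 + pkt:byte(pos + 7)
    local rdlen = pkt:byte(pos + 8) * 256 + pkt:byte(pos + 9)
    local rdata = pkt:sub(pos + 10, pos + 9 + rdlen)
    if rtype == pdns.A and rdlen == 4 then
      dq:addAnswer(pdns.A, string.format("%d.%d.%d.%d", rdata:byte(1, 4)), ttl, name)
    elseif rtype == pdns.AAAA and rdlen == 16 then
      local groups = {}
      for i = 1, 16, 2 do
        groups[#groups + 1] = string.format("%x", rdata:byte(i) * 256 + rdata:byte(i + 1))
      end
      dq:addAnswer(pdns.AAAA, table.concat(groups, ":"), ttl, name)
    elseif rtype == pdns.CNAME then
      local target = readName(pkt, pos + 10)       -- target may use compression
      dq:addAnswer(pdns.CNAME, target, ttl, name)
    end
    pos = pos + 10 + rdlen
  end
  return true
end

-- Only names under the overlay zone fail through; everything else keeps
-- the recursor's normal NXDOMAIN/NODATA answer.
function nxdomain(dq)
  if not dq.qname:isPartOf(overlayZone) then return false end
  dq.variable = true                               -- keep out of the packet cache
  dq.followupFunction = "udpQueryResponse"
  dq.udpQueryDest = externalResolver
  dq.udpQuery = buildQuery(dq.qname:toString(), dq.qtype)
  dq.udpCallback = "overlayCallback"
  return true
end

function nodata(dq)
  return nxdomain(dq)
end
```

Because the decision is made per query after the overlay lookup has already failed, this gives the "look here first, else fail through" behaviour that `forward-zones` cannot, since forwarding there is chosen per zone before any lookup. Marking the answer `variable` keeps the packet cache from pinning one source's answer; the record cache still applies per TTL. Watching the recursor's logs (and metrics on `udpQueryResponse` timeouts) for the overlay zone is the easiest way to see how often the external resolver is being consulted and for which names, which is also how to spot records that should have been added to the overlay instead.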

