[Pdns-users] SNAT and notify messages
Brian Candler
b.candler at pobox.com
Fri Nov 18 07:58:00 UTC 2022
On 17/11/2022 22:48, Michael Hallager via Pdns-users wrote:
> I recommend you fix your underlying issues now by getting all your
> servers onto the same net block or net blocks which can route between
> each other without NAT.
Also I'd suggest fixing the other underlying issue, which is that a
single IP address is used for answering both recursive DNS and
authoritative DNS. If you put the recursor and [ext] authoritative on
different IPs, then dnsdist can vanish and a lot of complexity disappears.
Since the [ext] authoritative servers would have their own dedicated
public IPs, then there would be no issue with notifies and zone
transfers between them.
The [int] authoritative servers can all be bound to private IPs, and can
be VPN'd together. The only clients which send requests to them are
their local recursors.
Unfortunately this does involve config changes, but you have two options:
1. Change the IP address of the recursors: you must change all the
client machines to point to these new IPs
2. Change the IP address of the ext authoritative servers: you must
change either the NS records in your public zones, or the A records
associated with your NS records (and glue records where you have them)
If you choose option 1, and you bind your recursive servers to private
IPs, then you don't need any extra public IP addresses.
However for performance reasons, it's better if you can give your
recursors public IP addresses as well. This is so that the outbound
queries they send don't have to go via NAT, which could generate a lot
of NAT states in the NAT router they are sitting behind. But of course,
the int recursor *can* share the same public IP address as the ext
authoritative.
So you could build it like this, if you don't need to serve recursor
clients on the public Internet, and you can put two 10.x.x.x private IPs
on each server:
* pdns_server [external] binds to public IP port 53
* pdns_recursor binds to internal IP 1 port 53. It uses the public IP
for outbound queries, and forwards requests for local domains to
pdns_server [internal]
* pdns_server [internal] binds to internal IP 2 port 53 (and/or to a 127
address; the second internal IP is for these servers to do zone transfers)
Regards,
Brian.
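The three-listener layout described in the message above, written out as PowerDNS configuration. This is an added example, not text from the thread or from the PowerDNS project; the addresses (203.0.113.10 and 203.0.113.20 as public IPs, 10.0.0.10 as internal IP 1, 10.0.1.10 as internal IP 2) and the zone name corp.example are constructed placeholders, and the option names are the PowerDNS 4.5+ spellings.

```ini
# --- pdns.conf on the [external] authoritative (constructed example) ---
# Listen only on the dedicated public IP, so notifies and zone transfers
# leave with that source address and the peer sees the real server, not a SNAT.
local-address=203.0.113.10
local-port=53
primary=yes
# The other external authoritative, on its own public IP (constructed).
also-notify=203.0.113.20
allow-notify-from=203.0.113.20
allow-axfr-ips=203.0.113.20

# --- recursor.conf on the same host ---
# Listen only on internal IP 1; only local clients may ask this recursor.
local-address=10.0.0.10
local-port=53
allow-from=10.0.0.0/8
# Source outbound queries from the shared public IP so they bypass NAT.
query-local-address=203.0.113.10
# Hand the local zone (and its reverse) to the [internal] authoritative on IP 2.
forward-zones=corp.example=10.0.1.10:53,10.in-addr.arpa=10.0.1.10:53

# --- pdns.conf on the [internal] authoritative on the same host ---
# Internal IP 2 (plus loopback) for queries and for transfers over the VPN.
local-address=10.0.1.10,127.0.0.1
local-port=53
secondary=yes
# Only peer internal authoritatives reachable over the VPN (constructed range)
# may send notifies or pull zones; nothing here is exposed publicly.
allow-notify-from=10.0.1.0/24
allow-axfr-ips=10.0.1.0/24
```

Three PowerDNS instances on one host need distinct config directories and service units; the fragments above show only the listener and peer settings each one needs.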