[Pdns-users] PDNS recursor cache sync

Djerk Geurts djerk at maizymoo.com
Sat Sep 17 19:52:55 UTC 2022


Thank you. I'll have a look at your dnsdist suggestion; I hadn't considered that yet.

I'd rather not get into an off topic argument about the various reasons for using an FQDN in a firewall rule versus undisclosed public IP addresses. And I have no intention of requesting that cache management is made more complex.

On 17 Sept 2022, 18:42, at 18:42, Otto Moerbeek <otto at drijf.net> wrote:
>
>Cache maintenance is already quite a complex part of any recursor.  IMO
>adding cache syncing would introduce way too much complexity to be
>worth the trouble to solve what in essence is a questionable firewall
>rule design.
>
>Maybe dnsdist with a packet cache in front of two recursors might
>be worth considering.
>
>	-Otto
>
>On Sat, Sep 17, 2022 at 05:41:14PM +0100, Djerk Geurts wrote:
>
>> Hi Otto,
>> 
>> Thank you for the clarification. Yes, I'm aware that the source may
>> change, but TTL exists for that. So I don't think this is a valid
>> reason to not sync cache. As the current situation is worse:
>> 
>> Resolver A caches IP address 1.1.1.1 and resolver B caches IP address
>> 2.2.2.2. Subsequently a user types to navigate to the site, but the
>> firewall happened to resolve the domain via the other resolver. This
>> ends up causing intermittent issues as it ends up being pot luck
>> whether a user happens to use the same resolver that the firewall used.
>> 
>> A cache sync would at least cause the same behaviour for all users.
>> And using a single resolver is too risky.
>> 
>> On 17 Sept 2022, 15:44, at 15:44, Otto Moerbeek <otto at drijf.net>
>> wrote:
>> >Hello,
>> >
>> >cache syncing is not something we have and even with it (or using a
>> >single resolver) there is an issue that records can change:
>> >the scenario:
>> >
>> >	- a client asks the record, record gets cached
>> >	- client A asks and gets cached value,
>> >	- publisher of records changes the record
>> >	- record expires from cache
>> >	- client B (firewall) asks and record resolves to different value.
>> >
>> >
>> >On Sat, Sep 17, 2022 at 01:01:09AM +0100, Djerk Geurts via Pdns-users
>> >wrote:
>> >
>> >> Just ran into an issue with recursive DNS servers where the two
>> >> servers have cached a different A record for mirror.centos.org.
>> >>
>> >> This is a problem as the firewalls permit access to the FQDN, which
>> >> presumes that both the client and the firewall end up with the same A
>> >> record for the domain.
>> >>
>> >> I'm intending to swap these recursors out with PowerDNS servers, but
>> >> am wondering if there's a way to keep the record cache in sync between
>> >> multiple recursors.
>> >>
>> >> --
>> >> Best regards,
>> >> Djerk Geurts
>> >> m: +44-7535-674620
>> >>
>> >> Maizymoo Ltd
>> >> VAT No: GB192 1529 07
>> >> Registration Number: 6638104 (registered in England and Wales)
>> >
>> >> _______________________________________________
>> >> Pdns-users mailing list
>> >> Pdns-users at mailman.powerdns.com
>> >> https://mailman.powerdns.com/mailman/listinfo/pdns-users
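Otto's dnsdist suggestion, written out as an added example (not from this thread or the PowerDNS project): a dnsdist configuration with one packet cache in front of two recursors, so every client and the firewall that query through it receive the same cached answer for a name while the entry is valid. Listen address, ACL ranges, backend addresses and cache size are assumed placeholders.

```lua
-- Added example dnsdist configuration (Lua). Addresses and sizes are placeholders.
-- Both the clients and the firewall must send their queries to dnsdist,
-- not to the recursors directly, or they bypass the shared cache.

-- Listen for client queries and restrict who may ask.
setLocal("192.0.2.1:53")
setACL({"192.0.2.0/24", "198.51.100.0/24"})

-- The two PowerDNS Recursors, placed in a single pool.
newServer({address="192.0.2.10:53", pool="recursors"})
newServer({address="192.0.2.11:53", pool="recursors"})

-- One packet cache for the whole pool: whichever recursor answered first,
-- that response is served to everyone until its TTL runs out, so clients
-- and the firewall cannot be handed different addresses in that window.
pc = newPacketCache(100000, {
  maxTTL = 86400,            -- never keep an answer longer than a day
  minTTL = 0,                -- honour short TTLs rather than extending them
  temporaryFailureTTL = 60,  -- cache SERVFAIL/REFUSED only briefly
  staleTTL = 60,             -- serve a stale entry briefly if both backends are down
  dontAge = false            -- decrement the TTL in served answers as time passes
})
getPool("recursors"):setCache(pc)

-- Route every query to the recursor pool.
addAction(AllRule(), PoolAction("recursors"))
```

The packet cache lives in the memory of one dnsdist process, so a second dnsdist instance for redundancy reintroduces the same divergence one layer up. It also does not address Otto's point that a record republished with a new address still changes once the cached entry expires.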