[Pdns-users] PDNS recursor cache sync

[Djerk Geurts]

That may be true for a SOHO environment. But for a corporate network with numerous firewalls, my option is that firewalls should be firewalls. Tagging core services into a security appliance is not the right solution for DNS servers that manage to cache different results.

I like Otto's suggestion of dnsdist. As it puts the onus on the design of the DNS servers to ensure that all clients end up resolving the same records.

On 17 Sept 2022, 19:24, at 19:24, Oscar Zovo <oscar.zovo at gmail.com> wrote:
>If you are applying a firewall rule based on hostname, it makes sense
>that
>the firewall should be the one providing DNS  recursive service to the
>DNS
>clients or to the downstream DNS caching servers, or you should resort
>to
>URL filtering.
>
>
>Best Regards,
>Óscar Zovo.
>
>A sábado, 17/09/2022, 01:01, Djerk Geurts via Pdns-users <
>pdns-users at mailman.powerdns.com> escreveu:
>
>> Just ran into an issue with recursive DNS servers where the two
>servers
>> have cached a different A record for mirror.centos.org.
>>
>> This is a problem as the firewalls permit access to the FQDN, which
>> presumes that both the client and the firewall end up with the same A
>> record for the domain.
>>
>> I'm intending to swap these recursors out with PowerDNS servers, but
>am
>> wondering if there's a way to keep the record cache in sync between
>> multiple recursors.
>>
>> --
>> Best regards,
>> *Djerk Geurts*
>> m: +44-7535-674620
>>
>> *Maizymoo Ltd* <https://maizymoo.com>
>> VAT No: GB192 1529 07
>> Registration Number: 6638104 (registered in England and Wales)
>> _______________________________________________
>> Pdns-users mailing list
>> Pdns-users at mailman.powerdns.com
>> https://mailman.powerdns.com/mailman/listinfo/pdns-users
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20220917/2734f63d/attachment.htm>