[Pdns-users] Share DNS-Records between two zones/views (internal & external)

Brian Candler b.candler at pobox.com
Wed Nov 15 16:05:54 UTC 2023


On 15/11/2023 14:53, sebastian-n-95--- via Pdns-users wrote:
> Hey,
>
> I am considering migrating my current BIND-Based setup to PowerDNS.
>
> For multiple zones, I currently have split-view in bind, so that I can 
> define DNS-Records available only for internal clients.
>
> To achieve this, I have the following zonefiles:
>
> mydomain.com.ext.zone <- This zonefile is used for the external view
> mydomain.com.int.zone  <- This zonefile is used for the internal view
> But I also have:
> mydomain.com.include    <- This file is included in both zonefiles, so 
> records defined there are available in both zones.
> I was wondering, how I could replicate a setup like this in PowerDNS.

BIND combines the roles of authoritative server and recursor; PowerDNS 
has separate programs (pdns and pdns-recursor).

Split views are IMO a bad idea anyway, but if you wanted to do it you 
would need to do something like this:

1. Run pdns-recursor for your internal clients to use
2. Run an instance of pdns-auth with your internal zones
3. Set up forwarding rules on pdns-recursor for your internal zones, 
pointing at your internal pdns-auth
4. Run a separate instance of pdns-auth with your external zones (i.e. 
the ones which your NS records point at)

Note that even with this setup, your clients will need to point to one 
IP address (the pdns-recursor server), and your NS records will need to 
point to a different IP address (the pdns-auth server with the 
externally visible zones).  So you will need to renumber one or the other.

If you really, really, really want to have a single IP address that 
performs both functions, then you will indeed need to put dnsdist on 
that address. But I would strongly advise against it; it's too many 
moving parts. Either just renumber your recursor IP (maybe you can give 
the new address to all your clients using DHCP), or renumber your 
external auth nameserver (which just means changing the A record for 
your nameserver, and possibly glue records).

PowerDNS is designed for use in large-scale ISP operations, where it is 
best practice to separate recursor and authoritative services and run 
them on different IP addresses.


> But for DNS-Records that I want to have for internal AND external 
> clients, I would need to create them in both PowerDNS-instances.
> To me, the risk seems too high, that by accident, DNS-Records are only 
> created/updated on one PowerDNS-Instance, but not on the other.

That is one of the (several) risks associated with split DNS, yes.

Regards,

Brian.
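A worked example of the four-step layout Brian describes, added here and not part of the list post or of the PowerDNS project: a POSIX shell script that assembles the internal and external zone files from one shared include (the pattern sebastian-n-95 has in BIND), emits the pdns-recursor forward-zones setting for step 3, and checks that every shared record really landed in both views, which is the drift risk raised at the end of the thread. The zone name mydomain.com comes from the original question; the records, the internal authoritative address 10.0.0.53:5300 and the file names are constructed assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: build split-view zone files
# for two pdns-auth instances from a shared include and verify both views
# carry every shared record. All addresses and records below are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# ---- constructed sample inputs (hypothetical zone mydomain.com) ----------
# Records that both the internal and the external view must serve.
cat >"$WORK/mydomain.com.include" <<'EOF'
www     3600 IN A     192.0.2.10
mail    3600 IN A     192.0.2.25
EOF
# Records for the internal view only.
cat >"$WORK/mydomain.com.int.part" <<'EOF'
intranet 3600 IN A    10.0.0.5
EOF
# Records for the external view only.
cat >"$WORK/mydomain.com.ext.part" <<'EOF'
vpn     3600 IN A     192.0.2.40
EOF

# build_zone ZONE VIEW: write $WORK/ZONE.VIEW.zone as header + view-specific
# records + shared include, and print the resulting path.
build_zone() {
  zone=$1 view=$2
  out="$WORK/$zone.$view.zone"
  {
    printf '$ORIGIN %s.\n$TTL 3600\n' "$zone"
    printf '@ IN SOA ns1.%s. hostmaster.%s. 2023111501 7200 900 1209600 3600\n' "$zone" "$zone"
    printf '@ IN NS ns1.%s.\n' "$zone"
    cat "$WORK/$zone.$view.part"
    cat "$WORK/$zone.include"
  } >"$out"
  printf '%s\n' "$out"
}

# check_shared ZONE VIEW: report every record of the shared include that is
# absent from the built view file; succeed only when nothing is missing.
check_shared() {
  zone=$1 view=$2
  missing=0
  while IFS= read -r rec; do
    [ -n "$rec" ] || continue
    # Collapse runs of blanks so layout differences are not counted as drift.
    norm=$(printf '%s' "$rec" | tr -s ' \t' ' ')
    if ! tr -s ' \t' ' ' <"$WORK/$zone.$view.zone" | grep -Fxq -- "$norm"; then
      printf 'MISSING in %s view: %s\n' "$view" "$rec" >&2
      missing=$((missing + 1))
    fi
  done <"$WORK/$zone.include"
  [ "$missing" -eq 0 ]
}

# recursor_forward_zones ZONE...: the pdns-recursor setting that sends the
# internal zones to the internal pdns-auth instance (address is an assumption).
INTERNAL_AUTH="${INTERNAL_AUTH:-10.0.0.53:5300}"
recursor_forward_zones() {
  list=""
  for z in "$@"; do
    list="${list:+$list,}$z=$INTERNAL_AUTH"
  done
  printf 'forward-zones=%s\n' "$list"
}

# Stand-alone run: build both views, prove the shared records are in each,
# and print the recursor line for step 3 of the procedure.
build_zone mydomain.com int
build_zone mydomain.com ext
check_shared mydomain.com int
check_shared mydomain.com ext
recursor_forward_zones mydomain.com
```

The two generated files are what each pdns-auth instance loads through its bind backend (launch=bind with bind-config pointing at a named.conf that names the .int.zone or .ext.zone file), each instance on its own local-address, and the printed forward-zones line goes into recursor.conf on the internal recursor. Re-running check_shared after every change to the include is the cheap guard against the one-sided update the original poster worries about; if a record is added to the include without rebuilding one view, the check fails for that view until build_zone is run again.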