Hello,
1. If dnsdist is similar to (http reverse) proxy, and if dnsdist is
accessible on public internet. Is this sample config correct for an
authoritative dns?

setLocal("any") -------------> client from public internet
newServer("192.168.0.10") ---> back-end 1
newServer("192.168.0.11") ---> back-end 2

This is OK, you might need to set an ACL as well.
setACL({'0.0.0.0/0', '::/0'}) will allow all clients.

2. Can dnsdist work on "stealth-dmz" BIND dns, where "named.conf" has
access rules with multiple configured zone for recursion and no
recursion.

Source IP based access rules will not work on your backend servers as
requests are originated from dnsdist.
If you are thinking about a BIND views style configuration, I used multiple
instances of DNS servers on different ports serving different zone files.
On dnsdist, I used pools and addAction/PoolAction to direct traffic
based on the source address of the client to the respective pool.

Kind Regards
r.
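
The pool-based replacement for BIND views described in the reply above, sketched as a dnsdist configuration. This is an added example, not the poster's own config; the backend ports 5301/5302, the pool and server names, and the internal client ranges are assumptions.

```lua
-- Added example: dnsdist configuration sketch, not the poster's own config.
-- Backend ports, pool names and client ranges are assumptions.

-- Accept queries from the public internet on all addresses.
setLocal("0.0.0.0:53")
addLocal("[::]:53")

-- dnsdist's own ACL is the only place where client source addresses
-- can still be filtered; the backends only ever see dnsdist.
setACL({"0.0.0.0/0", "::/0"})

-- Two DNS server instances per backend host, one per former "view",
-- each listening on its own port and serving its own zone files.
newServer({address="192.168.0.10:5301", pool="internal", name="be1-internal"})
newServer({address="192.168.0.11:5301", pool="internal", name="be2-internal"})
newServer({address="192.168.0.10:5302", pool="external", name="be1-external"})
newServer({address="192.168.0.11:5302", pool="external", name="be2-external"})

-- Client ranges that used to match the internal view.
local internalClients = newNMG()
internalClients:addMask("10.0.0.0/8")
internalClients:addMask("192.168.0.0/16")

-- Rules are evaluated in order; PoolAction ends processing for the query.
addAction(NetmaskGroupRule(internalClients), PoolAction("internal"))
-- Every other client is sent to the external pool.
addAction(AllRule(), PoolAction("external"))
```

Because the backends now see dnsdist as the source of every query, their own access rules can only usefully allow dnsdist's address and refuse everything else.
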
----- Original Message -----
From: [email protected]
To: "dnsdist" <[email protected]>
Sent: Thursday, January 23, 2020 8:00:02 PM
Subject: dnsdist Digest, Vol 53, Issue 6
Today's Topics:
1. DNS use cases as authoritative dns server facing public internet ([email protected])
2. Re: DNS use cases as authoritative dns server facing public internet (Jacob Bunk Nielsen)
3. Re: DNS use cases as authoritative dns server facing public internet (Andreas Danzer)
----------------------------------------------------------------------
Message: 1
Date: Thu, 23 Jan 2020 11:16:14 +0800 (PST)
From: [email protected]
To: [email protected]
Subject: [dnsdist] DNS use cases as authoritative dns server facing public internet
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"
Hi;
I have a question regarding the posture of dnsdist as authoritative
dns server facing public internet. How will be the design if you
would put the dnsdist (load balancer) in front of the origin DNS
servers? I have two (2) internet facing authoritative DNS translated
from my firewall. Can I also do NAT on dnsdist while the origin dns
servers will be on private IP address?
Thank you.
------------------------------
Message: 2
Date: Thu, 23 Jan 2020 09:18:36 +0100
From: Jacob Bunk Nielsen <[email protected]>
To: [email protected]
Subject: Re: [dnsdist] DNS use cases as authoritative dns server facing public internet
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"; Format="flowed"
Hi
On 23/01/2020 04.16, [email protected] wrote:
I have a question regarding the posture of dnsdist as
authoritative dns server facing public internet. How will be the
design if you would put the dnsdist (load balancer) in front of the
origin DNS servers? I have two (2) internet facing authoritative
DNS translated from my firewall. Can I also do NAT on dnsdist while
the origin dns servers will be on private IP address?
Short answer, yes.
Slightly longer answer, think of dnsdist more as a caching
proxy/load balancer than as a router. So you'd set up dnsdist to
listen for incoming queries and let dnsdist distribute the queries
among backend servers depending on your preferred load balancing
scheme. See also https://dnsdist.org/guides/serverselection.html
For redundancy you'll probably also want at least 2 dnsdist
instances that can then sit in front of however many backends are
required to handle the load.
Best regards,
Jacob
------------------------------
Message: 3
Date: Thu, 23 Jan 2020 11:07:24 +0100
From: Andreas Danzer <[email protected]>
To: [email protected]
Subject: Re: [dnsdist] DNS use cases as authoritative dns server facing public internet
Message-ID: <[email protected]>
Content-Type: text/plain; charset=utf-8
Hi,
I have a question regarding the posture of dnsdist as authoritative
dns server facing public internet. How will be the design if you
would put the dnsdist (load balancer) in front of the origin DNS
servers? I have two (2) internet facing authoritative DNS
translated from my firewall. Can I also do NAT on dnsdist while the
origin dns servers will be on private IP address?
Our authoritative nameservers are built with dnsdist as loadbalancer
in front of several powerdns-servers. Some of those backend servers
are running on private RFC1918 IP addresses, with only dnsdist having
a globally routable IP. Dnsdist also serves as some sort of dns
firewall with rate-limiting and special handling of some request
types (e.g. ANY). We also use it to handle incoming/outgoing
AXFR/IXFR requests and notifications for customers based on an extra
database and a hidden dns. Think of dnsdist as the Swiss Army knife
for DNS. ;-)
Regards, A. Danzer
------------------------------
Subject: Digest Footer
_______________________________________________
dnsdist mailing list
[email protected]
https://mailman.powerdns.com/mailman/listinfo/dnsdist
------------------------------
End of dnsdist Digest, Vol 53, Issue 6
**************************************