On 27/02/2020 09.13, Jochen Demmer via dnsdist wrote:
> You're saying I can use one dnsdist instance bound to different IPs for
> all DNS traffic no matter if it's recursive or authoritative and even at
> the same time for my protected authoritative domains?
Yes, you can do stuff like:
-- One listener per role, each on its own IP, so the destination
-- address of a query tells dnsdist which service it was sent to.
addLocal('1.1.1.1', {})  -- public authoritative
addLocal('2.2.2.2', {})  -- public recursive
addLocal('3.3.3.3', {})  -- internal authoritative

external_auth_dns_ips = newNMG()
external_auth_dns_ips:addMask('1.1.1.1/32')
external_recursive_dns_ips = newNMG()
external_recursive_dns_ips:addMask('2.2.2.2/32')
internal_dns_ips = newNMG()
internal_dns_ips:addMask('3.3.3.3/32')

-- Client networks allowed to use the internal listener.
internal_network = newNMG()
internal_network:addMask('10.0.0.0/8')
internal_network:addMask('192.168.0.0/16')

-- NetmaskGroupRule(nmg, src): with src=false the rule matches the
-- *destination* address of the query (the listener it arrived on);
-- the default (true) matches the client's source address.
addAction(NetmaskGroupRule(external_auth_dns_ips, false), PoolAction('auth_pool'))
addAction(NetmaskGroupRule(external_recursive_dns_ips, false), PoolAction('recursive_pool'))
-- Internal listener *and* internal client: both conditions must hold.
addAction(AndRule({NetmaskGroupRule(internal_dns_ips, false),
                   NetmaskGroupRule(internal_network)}),
          PoolAction('internal_auth_pool'))
Then you of course want to create relevant backends using newServer()
and probably add a bit of caching as well.
But as always, there's more than one way to do it :-)
> Since there are several thousand domains we host for our customers and a
> few protected ones, I would have to keep dnsdist informed about all of
> those, right? This is not something I would like to do manually of
> course. Without the dnsdist knowing, how could it decide where to
> redirect the query or even to deny the request in the first place?
> Can someone please give a short example of what such an Action could look
> like?
> I've tried something like this but this is obviously not enough.
> addAction(RegexRule(".internal\\.domain\\.net$"), PoolAction("privatezone"))
That's why I suggest setting it up on a separate IP. You can even put it
in a separate dnsdist instance if you prefer to keep things completely
separate, but the above (untested) config would also just solve this for
you.
> But this would need a second selector which would be this NMG thing. How
> can I combine that?
> I also made a small matrix on what shall be done with which requests.
> See attached image.
You can make explicit rules to return REFUSED replies in the cases where
you want that.
Best regards,
Jacob
_______________________________________________
dnsdist mailing list
[email protected]
https://mailman.powerdns.com/mailman/listinfo/dnsdist
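Added example (editor's note): the following dnsdist configuration is not from the thread or from the dnsdist project; it puts together the pieces the exchange above discusses, namely the destination-address selector from Jacob's reply, a zone list that is loaded from a file instead of being typed into per-zone RegexRules, the combination of the two with AndRule that the follow-up question asks about, and explicit REFUSED answers. The listener IPs, the backend addresses (10.1.0.x), the file path /etc/dnsdist/protected-zones.txt and the policy of refusing everything that does not fit one of the intended combinations are assumptions, not something the thread states (the attached matrix is not on the page). The functions used (addLocal, newServer, newNMG, newSuffixMatchNode, newDNSName, NetmaskGroupRule, SuffixMatchNodeRule, AndRule, RCodeAction, PoolAction, getPool, newPacketCache) are the dnsdist 1.4 Lua API; the DNSRCode table and the table form of newPacketCache need 1.4 or later.

```lua
-- Added example, not part of the thread or of dnsdist itself.
-- Assumed: listener IPs, backend IPs 10.1.0.x, the zone-list path, and the
-- refuse-by-default policy below.

-- Listeners: one IP per service so the destination address identifies it.
addLocal('1.1.1.1', {})   -- public authoritative
addLocal('2.2.2.2', {})   -- recursive
addLocal('3.3.3.3', {})   -- internal authoritative (protected zones)

-- Backends, each assigned to a pool (addresses are assumed).
newServer({address='10.1.0.10:53', pool='auth_pool'})
newServer({address='10.1.0.11:53', pool='auth_pool'})
newServer({address='10.1.0.20:53', pool='recursive_pool'})
newServer({address='10.1.0.30:53', pool='internal_auth_pool'})

-- Destination-address groups: which listener did the query arrive on?
auth_listener = newNMG();      auth_listener:addMask('1.1.1.1/32')
recursive_listener = newNMG(); recursive_listener:addMask('2.2.2.2/32')
internal_listener = newNMG();  internal_listener:addMask('3.3.3.3/32')

-- Source-address group: clients allowed to see the protected zones.
internal_clients = newNMG()
internal_clients:addMask('10.0.0.0/8')
internal_clients:addMask('192.168.0.0/16')

-- Protected zones come from a file (one zone per line, '#' starts a comment),
-- so thousands of names need no hand-written rules. A SuffixMatchNode matches
-- a name and everything below it, which is what a per-zone regex such as
-- ".internal\\.domain\\.net$" tries to express, without the regex cost.
protected_zones = newSuffixMatchNode()
local f = io.open('/etc/dnsdist/protected-zones.txt', 'r')  -- assumed path
if f then
  for line in f:lines() do
    local zone = line:gsub('#.*$', ''):gsub('%s+', '')
    if zone ~= '' then protected_zones:add(newDNSName(zone)) end
  end
  f:close()
end

-- Rules are evaluated in order; the first matching action wins.

-- 1. Protected zone, internal listener, internal client: serve it.
addAction(AndRule({NetmaskGroupRule(internal_listener, false),
                   NetmaskGroupRule(internal_clients),
                   SuffixMatchNodeRule(protected_zones)}),
          PoolAction('internal_auth_pool'))

-- 2. Any other query for a protected zone (public listener or external
--    client): refuse explicitly instead of letting it fall through to a
--    public pool that might also know the zone.
addAction(SuffixMatchNodeRule(protected_zones), RCodeAction(DNSRCode.REFUSED))

-- 3. Whatever else reaches the internal listener is not wanted there.
addAction(NetmaskGroupRule(internal_listener, false), RCodeAction(DNSRCode.REFUSED))

-- 4. Public authoritative and recursive, selected by destination address only.
addAction(NetmaskGroupRule(auth_listener, false), PoolAction('auth_pool'))
addAction(NetmaskGroupRule(recursive_listener, false), PoolAction('recursive_pool'))

-- 5. Packet caches per pool; recursive answers gain the most from caching.
getPool('recursive_pool'):setCache(newPacketCache(100000, {maxTTL=86400, minTTL=0}))
getPool('auth_pool'):setCache(newPacketCache(10000, {maxTTL=3600, minTTL=0}))
```

The ordering is the security-relevant part: the allow rule for internal clients must come before the blanket REFUSED for protected zones, otherwise nothing would ever reach internal_auth_pool, and the REFUSED rules must come before the public PoolActions, otherwise a query for a protected zone sent to 1.1.1.1 would be forwarded to auth_pool. To check the result, send a few queries with dig against each listener from an internal and an external address and confirm the rcode and the pool (showRules() and the per-pool counters in the console make the match visible).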