Hi Steffan,

Generally speaking I would recommend the public facing IPs of your authoritative nameservers to be dnsdist only and to keep your pdns auth backend servers "hidden" behind other IPs. How you distribute the load depends a lot on your environment and architecture, so it is a bit difficult to give advice there. You could then only allow incoming requests to your pdns auth servers from the dnsdist servers only, so they cannot be targeted directly, if you really don't want them to be publicly accessible.

But before changing your setup, I would also invest a little more time in understanding what kind of attack brought down your pdns auth servers and figure out if there is something else you can do to mitigate these attacks. The traditional SQL backends are notably sensitive to PRSD attacks; adding more auth backend servers to a dnsdist only works to some extent. You might want to consider the possibility of switching to the LMDB backend if you're dealing with that kind of attack.

With kind regards,

Michel Otte

> Hello All,
>
> I had the following setup:
>
> Server ns1:
> Dnsdist -> 127.0.0.1 pdns
> sql backend replicated database
>
> Server ns2:
> DNSdist -> 127.0.0.1 pdns sql backend replicated database
>
> Last week I was attacked 3 times.
> Flooding my system
> yesterday 53 million hits in 10 minutes
>
> I'm now on nawas DDoS temporarily
> That was the online way to stop it.
>
> I now split my DNS server (multiple resellers)
> and the above setup is now 3 times so separate the load.
>
> The question…
> What is the best way now
> keep this setup
> - 6x dnsdist
> - 6 different ns servers
>
> Or should I use one dnsdist that connects to the 6 dns servers for load
> balancing
>
> My idea was to keep this setup and then let all 6 dnsdist connect to the 6
> servers so if there are problems I can remove a dns from one of the 6
>
> But how to do that without exposing pdns to the public
>
> Sorry I'm Dutch 😊
> Hope I made myself clear
>
> With regards
>
> Steffan
> _______________________________________________
> dnsdist mailing list
> dnsdist@mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/dnsdist
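
The layout recommended in the reply above, written out as a dnsdist configuration. This is an added example, not configuration from either poster or from the PowerDNS project; every address, the server names and the zone `example.nl.` are constructed placeholders, and the assumption is that each pdns auth instance is moved from 127.0.0.1 to an address on a private network that all dnsdist hosts can reach.

```lua
-- dnsdist.conf, the same file on each public-facing dnsdist host.
-- All addresses and names below are constructed placeholders.

-- Only dnsdist listens on the public nameserver address of this host.
setLocal('192.0.2.53:53')

-- dnsdist's default ACL admits private ranges only; an authoritative
-- front end has to accept queries from any source.
setACL({'0.0.0.0/0', '::/0'})

-- The pdns auth backends, reachable only over the private network.
-- Assumed on each backend (outside this file):
--   pdns.conf:     local-address=<its private address>
--   host firewall: accept port 53 (UDP and TCP) from the dnsdist hosts only
local backends = {
  {name = 'auth1', address = '10.0.0.11:53'},
  {name = 'auth2', address = '10.0.0.12:53'},
  {name = 'auth3', address = '10.0.0.13:53'},
  {name = 'auth4', address = '10.0.0.14:53'},
  {name = 'auth5', address = '10.0.0.15:53'},
  {name = 'auth6', address = '10.0.0.16:53'},
}

for _, b in ipairs(backends) do
  newServer({
    address = b.address,
    name = b.name,
    -- Health check: ask for the SOA of a zone the backend must serve and
    -- mark the backend down if it answers NXDomain, ServFail or Refused.
    checkType = 'SOA',
    checkName = 'example.nl.',
    mustResolve = true,
  })
end

-- Send each query to the backend with the fewest outstanding queries
-- (this is also dnsdist's default policy; set explicitly for clarity).
setServerPolicy(leastOutstanding)
```

With every dnsdist pointing at all six backends, a backend that fails its health check is taken out of rotation automatically, and one can be pulled by hand from the dnsdist console without touching any public IP.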