Hello Patrick,

> Each of my dns servers runs pdns and each has a slave copy of the
> master pdns mysql database and in turn each server looks up the dns
> locally via mysql. This has been working great for 2 years.
>
> The problem: each server is running pdns which has a DOS vulnerability,
> which is why I am upgrading to implement recursor.
> [email protected] <http://mydomain.com> - on server 1
> [email protected] <http://mydomain.com> - on server 2
> [email protected] <http://mydomain.com> - on server 3
> [email protected] <mailto:[email protected]> - on server 4

Sounds like you are trying to solve this problem the wrong way.

A recursor cannot act as an authoritative server for a domain. When serving domains, you need an authoritative server like pdns (for example: bind may combine the 2 functions into one server, but by default it can also not be authoritative for domains it does not have the data for).

If you are worried about mysql being too slow to handle a DOS attack, you should eliminate the database on (some of) the public servers:

1. You should use something like the "bind-zone file backend" (files on disk, instead of a database) on those servers; that should be the fastest.
2. Those servers would be slave servers; the server with the database is the master server.

I thought I could recommend superslave operation, where new domains are automatically recognised and added, but it seems like that is not supported on the file backend.

Bert: it looks like the option exists in the code, but it is not in the documentation on http://doc.powerdns.com/ ?

  supermaster-config: Location of (part of) named.conf where pdns can write zone-statements to
  supermasters: List of IP-addresses of supermasters
  supermaster-destdir: Destination directory for newly added slave zones

PS: with superslaves, domains are not deleted; you should create a script for that.

_______________________________________________
Pdns-users mailing list
[email protected]
http://mailman.powerdns.com/mailman/listinfo/pdns-users
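The master/slave split described in the reply, as an added configuration example (not from the thread or the PowerDNS project): one pdns.conf for the database-backed master and one for a public slave that serves from zone files on disk via the bind backend, so that query answering on the exposed servers no longer depends on mysql. The option names launch, gmysql-*, bind-config, master, slave and allow-axfr-ips are standard PowerDNS authoritative server settings; the three supermaster-* options are the ones the message quotes as present in the code but undocumented, so treat them as an assumption to verify against your version. All IP addresses and the domain are constructed placeholders.

```ini
# ---- pdns.conf on the MASTER (hidden, database-backed) ----
launch=gmysql
gmysql-host=127.0.0.1
gmysql-user=pdns
gmysql-password=CHANGE_ME          ; placeholder, keep the real secret out of world-readable files
gmysql-dbname=pdns
master=yes
slave=no
; only the slave servers may pull zones; an open AXFR leaks the full zone to anyone
allow-axfr-ips=192.0.2.11,192.0.2.12,192.0.2.13   ; constructed slave addresses

# ---- pdns.conf on each public SLAVE (file-backed, no database) ----
launch=bind
bind-config=/etc/powerdns/named.conf
master=no
slave=yes
; supermaster options as listed in the message (undocumented in the thread's version; assumption):
; supermasters=192.0.2.10
; supermaster-config=/etc/powerdns/named.conf.supermaster
; supermaster-destdir=/var/lib/powerdns/zones

# ---- /etc/powerdns/named.conf on each public SLAVE ----
# pdns' bind backend reads a subset of named.conf syntax; one stanza per zone.
zone "mydomain.com" {
    type slave;
    file "/var/lib/powerdns/zones/mydomain.com";   ; zone data lives on disk, not in mysql
    masters { 192.0.2.10; };                        ; constructed master address
};
```

To confirm a slave is really answering from its own file rather than asking anyone else, query it directly with recursion disabled (for example `dig @192.0.2.11 mydomain.com SOA +norecurse`) and check that the reply carries the aa flag and the serial you expect from the master; a missing aa flag or a stale serial means the zone transfer has not happened and that server is still dependent on something other than its local files.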
