On Wed, Nov 11, 2015 at 04:15:18PM +0400, Nadir M. Aliyev wrote:
> Dear All,
> Thanks for your reply!
>
> I understand keeping authoritative and recursive services separated is
> strongly recommended. Ok.
>
> I understand that I must set the PowerDNS recursive service as DNS for my
> customers (approx. 200k)?
>
> If yes, in this case I must change my authoritative servers' IPs, and that's not
> a good idea for my hosting customers.
> Also I can't limit recursion on a separated pdns recursive service for external
> IPs via allow-recursion.
>
> Currently I'm using Bind, but managing a lot of Bind servers is not
> comfortable. So I chose PowerDNS + MySQL replication + heartbeat.
>
> Any ideas, or am I wrong? :-)
>
> Thanks
> Nadir
Hi Nadir,

For historical reasons, we had our recursive DNS and authoritative DNS on the same host/IP. We used iptables to pass local IP-space connections to the pdns-recursor and external IPs directly to the pdns authoritative server. We even run a second pdns instance to support split horizon DNS.

Here is a snippet from the iptables that does the work:

######################################################################
# Allow local hosts to access the recursive name server on port 53.
# Pass non-local hosts to authoritative name server on port 553.
######################################################################
*nat
:DNS-ROUTE - [0:0]

## We will only affect incoming traffic to port 53:
-A PREROUTING -p udp --dport 53 -j DNS-ROUTE
-A PREROUTING -p tcp --dport 53 -j DNS-ROUTE

## Let local hosts access the recursor (on port 53):
## Add similar lines for any local address spaces
## (note: the full RFC 1918 block is 172.16.0.0/12; /16 covers only 172.16.x.x)
-A DNS-ROUTE -s 10.0.0.0/8 -j ACCEPT
-A DNS-ROUTE -s 192.168.0.0/16 -j ACCEPT
-A DNS-ROUTE -s 172.16.0.0/16 -j ACCEPT

## Divert all others to the authoritative server on port 553:
-A DNS-ROUTE -p udp -m udp -j DNAT --to-destination :553
-A DNS-ROUTE -p tcp -m tcp -j DNAT --to-destination :553

## End of the nat table (required when loading with iptables-restore):
COMMIT

This is for a Linux system, but it should be similar for others as well.

Regards,
Ken

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
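As an added example (not Ken's code and not part of PowerDNS), the shell script below reproduces the DNS-ROUTE decision as a checkable function, so you can confirm which daemon a query from a given client address would reach, and emits equivalent iptables(8) commands from one prefix list. The prefix list and sample addresses are constructed for the example; the 172.16.0.0/16 entry mirrors the posted rule set rather than the full RFC 1918 /12.

```shell
#!/bin/sh
# Constructed prefix list: clients inside these ranges reach the recursor on
# port 53, everyone else is DNATed to the authoritative server on AUTH_PORT.
# 172.16.0.0/16 mirrors the posted rule; RFC 1918 space is 172.16.0.0/12.
LOCAL_PREFIXES="10.0.0.0/8 192.168.0.0/16 172.16.0.0/16"
AUTH_PORT=553

ip_to_int() {
  # dotted quad -> 32-bit integer
  set -- $(echo "$1" | tr '.' ' ')
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

in_prefix() {
  # in_prefix IP CIDR -> exit status 0 if IP lies inside CIDR
  ip=$(ip_to_int "$1")
  net=$(ip_to_int "${2%/*}")
  bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

dns_backend() {
  # Print the daemon a port-53 query from source IP $1 reaches under DNS-ROUTE.
  # First matching ACCEPT wins, exactly like the chain; no match means DNAT.
  for p in $LOCAL_PREFIXES; do
    if in_prefix "$1" "$p"; then
      echo "recursor:53"
      return 0
    fi
  done
  echo "authoritative:$AUTH_PORT"
}

dns_route_rules() {
  # Emit the nat-table rules as iptables commands (printed, not applied).
  echo "iptables -t nat -N DNS-ROUTE"
  for proto in udp tcp; do
    echo "iptables -t nat -A PREROUTING -p $proto --dport 53 -j DNS-ROUTE"
  done
  for p in $LOCAL_PREFIXES; do
    echo "iptables -t nat -A DNS-ROUTE -s $p -j ACCEPT"
  done
  for proto in udp tcp; do
    echo "iptables -t nat -A DNS-ROUTE -p $proto -j DNAT --to-destination :$AUTH_PORT"
  done
}
```

Running `dns_backend 172.20.1.1` shows the /16 caveat in practice: that client is outside the listed prefixes, so it is sent to the authoritative server and gets no recursion, which is the safe direction for an open-resolver check but means a genuinely local client would fail to resolve.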