Yes sure.

For that you need the Authoritative on a public IP with "allow-recursion" 
disabled, and the recursor configured as I told you, with 
"allow-from=127.0.0.0/8,192.168.0.0/16,172.16.0.0/16 ... you know ... your 
internal netmasks".

Another thing you can do to improve the performance of the recursor is to 
enable forward-zones directly to your auth server.
Like ...
forward-zones=mydomain1.com=AuthServerIP1;AuthServerIP2,mydomain2.com=AuthServerIP1;AuthServerIP2
Just to avoid having to wait until any change on your domain is replicated to 
the root servers.

Which external CNAME?

Ale

From: Michael Hasenburger [mailto:[email protected]]
Sent: Wednesday, 14 September 2016 12:08
To: Alejandro Adroher Mellado <[email protected]>; 
[email protected]
Subject: AW: Need a solution to use an resolver for external CNAME's

> I am not very clear on what you are looking for .... It seems you need an 
> Authoritative for your domains (which can be queried by everyone) and also a 
> recursor for internal use only.

Yes, that's exactly what we want.

Actually our DNS server is fully open and we got information from 
cert-bund.de that we're vulnerable to a DNS amplification attack. My idea is to 
close the recursor to the public. But it doesn't query an external CNAME, for example.

Is it possible to configure?

Thank you very much.

BR Mike


From: Alejandro Adroher Mellado [mailto:[email protected]]
Sent: Wednesday, 14 September 2016 11:48
To: Michael Hasenburger; [email protected]
Subject: RE: Need a solution to use an resolver for external CNAME's

Hi,
A resolver by definition goes to the root servers to find answers to the 
queries received.
If you want to ask for an external CNAME, you need a recursor, but, using e.g. 
"allow-from=172.16.0.0/16" (this being your internal network), close your 
recursor service to the external world. You could use it, but I could not.

You say:
"We want a public DNS server, but resolve queries for existing database entries 
only. Seems not possible to configure."
For that having only an Authoritative Service is enough.

I am not very clear on what you are looking for .... It seems you need an 
Authoritative for your domains (which can be queried by everyone) and also a 
recursor for internal use only.

Can you clarify this for me?

XD

Ale


From: Michael Hasenburger [mailto:[email protected]]
Sent: Wednesday, 14 September 2016 11:34
To: Alejandro Adroher Mellado <[email protected]>; [email protected]
Subject: AW: Need a solution to use an resolver for external CNAME's

Hi Ale,

I also configured pdns-resolver with allow-from localhost, but it does resolve 
all requests from powerdns.
We want a public DNS server, but resolve queries for existing database entries 
only. Seems not possible to configure.

BR Mike


From: Alejandro Adroher Mellado [mailto:[email protected]]
Sent: Wednesday, 14 September 2016 10:48
To: EDV-Techniker; [email protected]
Subject: RE: Need a solution to use an resolver for external CNAME's

Hi Mike,

Use an ACL to close your resolver

allow-from=your internal allowed netmasks

Ale

From: Pdns-users [mailto:[email protected]] On Behalf Of 
EDV-Techniker
Sent: Wednesday, 14 September 2016 10:08
To: [email protected]
Subject: [Pdns-users] Need a solution to use an resolver for external CNAME's

Hi,

We want to use a nameserver for our domains only. It can be done without 
configuring a resolver. Works fine, but if we query e.g. an external CNAME whose A 
record doesn't exist in our database, then PowerDNS doesn't resolve it.

Using a resolver does solve this problem. But now the DNS server is open and 
vulnerable to attacks.

Is there a solution to use a resolver to query existing database entries only?

BR Mike
MAREL IT solutions

_______________________________________________
Pdns-users mailing list
[email protected]
https://mailman.powerdns.com/mailman/listinfo/pdns-users
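
To confirm the setup discussed in this thread (recursion disabled on the public authoritative address, recursor restricted by allow-from), send a recursive query for a name the server does not host from an address outside allow-from and inspect the reply header. The Python below is an added example, not code from the thread or from PowerDNS; the function names, result labels and sample replies are constructed for illustration.

```python
import socket
import struct

# Header flag bits and the REFUSED rcode, from RFC 1035 section 4.1.1
QR, RD, RA, RCODE_MASK, REFUSED = 0x8000, 0x0100, 0x0080, 0x000F, 5

def build_query(name, txid=0x1234):
    """Build a recursive (RD=1) A/IN query for `name`."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def classify(reply):
    """Classify the reply to a recursive query for a name the server does not host.
    `reply` is the raw UDP payload, or None when no reply arrived."""
    if reply is None:
        return "closed"          # nothing came back (dropped or filtered)
    if len(reply) < 12:
        return "invalid"
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if not (flags & QR):
        return "invalid"         # not a response at all
    rcode = flags & RCODE_MASK
    if rcode == REFUSED or not (flags & RA):
        return "closed"          # refused, or recursion not offered
    if rcode == 0 and ancount > 0:
        return "open"            # recursed and answered for an outsider
    return "inconclusive"

def probe(server_ip, name, timeout=3.0):
    """Query your own server; run this from an address outside allow-from."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server_ip, 53))
        try:
            return classify(s.recv(4096))
        except socket.timeout:
            return classify(None)

# Constructed replies (not captured traffic) to the query below.
QUERY = build_query("example.org")
A_RR = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
OPEN_REPLY = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0) + QUERY[12:] + A_RR
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, QR | RD | REFUSED, 1, 0, 0, 0) + QUERY[12:]
AUTH_ONLY_REPLY = struct.pack("!HHHHHH", 0x1234, QR | RD, 1, 0, 0, 0) + QUERY[12:]

if __name__ == "__main__":
    for label, pkt in [("open", OPEN_REPLY), ("refused", REFUSED_REPLY), ("auth-only", AUTH_ONLY_REPLY)]:
        print(label, "->", classify(pkt))
```
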
