Thank you, I'll have a look at your dnsdist suggestion, I hadn't considered that yet.

I'd rather not get into an off topic argument about the various reasons for using an FQDN in a firewall rule versus undisclosed public IP addresses. And I have no intention of requesting that cache management is made more complex.

On 17 Sept 2022, 18:42, at 18:42, Otto Moerbeek <o...@drijf.net> wrote:
>
> Cache maintenance is already quite a complex part of any recursor. IMO
> adding cache syncing would introduce way too much complexity to be
> worth the trouble to solve what in essence is a questionable firewall
> rule design.
>
> Maybe dnsdist with a packet cache in front of two recursors might
> be worth considering.
>
> -Otto
>
> On Sat, Sep 17, 2022 at 05:41:14PM +0100, Djerk Geurts wrote:
>
>> Hi Otto,
>>
>> Thank you for the clarification. Yes, I'm aware that the source may
>> change, but TTL exists for that. So I don't think this is a valid
>> reason to not sync cache. As the current situation is worse:
>>
>> Resolver A caches IP address 1.1.1.1 and resolver B caches IP address
>> 2.2.2.2. Subsequently a user types to navigate to the site, but the
>> firewall happened to resolve the domain via the other resolver. This
>> ends up causing intermittent issues as it ends up being pot luck
>> whether a user happens to use the same resolver that the firewall used.
>>
>> A cache sync would at least cause the same behaviour for all users.
>> And using a single resolver is too risky.
>>
>> On 17 Sept 2022, 15:44, at 15:44, Otto Moerbeek <o...@drijf.net> wrote:
>>> Hello,
>>>
>>> cache syncing is not something we have and even with it (or using a
>>> single resolver) there is an issue that records can change:
>>> the scenario:
>>>
>>> - a client asks the record, record gets cached
>>> - client A asks and gets cached value,
>>> - publisher of records changes the record
>>> - record expires from cache
>>> - client B (firewall) asks and record resolves to different value.
>>>
>>>
>>> On Sat, Sep 17, 2022 at 01:01:09AM +0100, Djerk Geurts via Pdns-users wrote:
>>>
>>>> Just ran into an issue with recursive DNS servers where the two
>>>> servers have cached a different A record for mirror.centos.org.
>>>>
>>>> This is a problem as the firewalls permit access to the FQDN, which
>>>> presumes that both the client and the firewall end up with the same A
>>>> record for the domain.
>>>>
>>>> I'm intending to swap these recursors out with PowerDNS servers, but
>>>> am wondering if there's a way to keep the record cache in sync between
>>>> multiple recursors.
>>>>
>>>> --
>>>> Best regards,
>>>> Djerk Geurts
>>>> m: +44-7535-674620
>>>>
>>>> Maizymoo Ltd
>>>> VAT No: GB192 1529 07
>>>> Registration Number: 6638104 (registered in England and Wales)
>>>
>>>> _______________________________________________
>>>> Pdns-users mailing list
>>>> Pdns-users@mailman.powerdns.com
>>>> https://mailman.powerdns.com/mailman/listinfo/pdns-users
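An added configuration sketch (not from anyone in this thread) of the layout Otto suggests: a dnsdist instance with one shared packet cache in front of two recursors, so every client and the firewall receive the same cached answer as long as they all resolve through dnsdist. All addresses are assumed placeholders from the RFC 5737 documentation ranges.

```lua
-- dnsdist.conf (Lua): one shared packet cache in front of two recursors.
-- Addresses below are placeholders (RFC 5737 documentation ranges).

-- Listen for queries from clients and from the firewall on the dnsdist host.
setLocal("192.0.2.10:53")

-- Only accept queries from the networks meant to use this resolver, so the
-- shared cache cannot be populated by arbitrary outside clients.
setACL({"192.0.2.0/24", "198.51.100.0/24"})

-- Two PowerDNS Recursor backends; dnsdist health-checks both and stops
-- forwarding to one that fails, so there is no single recursor to lose.
newServer({address="198.51.100.1:53", name="recursor-a"})
newServer({address="198.51.100.2:53", name="recursor-b"})

-- A single packet cache attached to the default pool. Cache misses may be
-- answered by either recursor, but once an answer is cached every client
-- behind dnsdist sees that same answer until the entry's TTL expires.
pc = newPacketCache(100000, {
  maxTTL = 86400,            -- never keep an answer longer than a day
  minTTL = 0,                -- honour short TTLs; no synthetic floor
  temporaryFailureTTL = 60,  -- cache SERVFAIL/REFUSED only briefly
  dontAge = false            -- returned TTLs count down as normal
})
getPool(""):setCache(pc)

-- Spread cache misses over both backends.
setServerPolicy(roundrobin)
```

This only gives consistent answers for resolvers that query through dnsdist, so the firewall must be pointed at it as well as the clients. Once a cached entry expires, the record-change scenario Otto describes still applies.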