Re: [dnsdist] Dnsdist dynamic backend selection between AUTH and RECURSOR
Hello! I am aware that the solution I am aiming for is not the optimum. However, I use fly.io as a platform where I have already distributed DNSDIST containers to over 20 locations with Anycast IP. The problem comes with the limitations of the fly - one app is bound to a set of IPs. You can not distinguish within the app between different IPs on the same app. This means, I would have to start another 20 Instances of dnsdist May I can code an Pub/Sub solution or make use of the KV Store... I still have to think my way into it. If someone is interested in my fly.io solution (Alpha State, testing only, no warranty!): https://github.com/Berndinox/flyio-powerdns-dnsdist https://github.com/Berndinox/flyio-powerdns-pg BR Bernd -Ursprüngliche Nachricht- Von: Chris Hofstaedtler | Deduktiva Gesendet: Samstag, 7. Januar 2023 12:50 An: Bernd KLAUS Cc: dnsdist@mailman.powerdns.com Betreff: Re: [dnsdist] Dnsdist dynamic backend selection between AUTH and RECURSOR Hello Bernd, * Bernd KLAUS via dnsdist [230107 11:01]: > Regarding: > „ My first suggestion would be to not need to do the name based > forwarding by separating the incoming recurosr and auth traffic on ip > address or port“ > > So i should forward all querys to the recursor? I believe the best practice is to have a dedicated IP for auth services, and another dedicated IP for recursive. I'd expect Otto's suggestions to be that ^. Best, -- Chris Hofstaedtler / Deduktiva GmbH (FN 418592 b, HG Wien) www.deduktiva.com / +43 1 353 1707 ___ dnsdist mailing list dnsdist@mailman.powerdns.com https://mailman.powerdns.com/mailman/listinfo/dnsdist
Re: [dnsdist] Dnsdist dynamic backend selection between AUTH and RECURSOR
Hy Otto, Thanks for your Feedback. I will look into the KV thing. Regarding: „ My first suggestion would be to not need to do the name based forwarding by separating the incoming recurosr and auth traffic on ip address or port“ So i should forward all querys to the recursor? BR Bernd > Am 07.01.2023 um 10:40 schrieb Otto Moerbeek : > > Hi, > > My first suggestion would be to not need to do the name based > forwarding by separating the incoming recurosr and auth traffic on ip > address or port. If that is not feasible, take a look at > > https://dnsdist.org/reference/kvs.html > > Have a process update the kv-database and dnsdist can use that to make > its decisions. > >-Otto > > >> On Sat, Jan 07, 2023 at 10:14:17AM +0100, bernd--- via dnsdist wrote: >> >> Hello! >> >> >> >> I have a question regarding the architecture of DNSDIST in front of an >> authorative pdns instance as well as an recursor. >> >> I`ve looked at: https://doc.powerdns.com/authoritative/guides/recursion.html >> - however, the solutions described are kind of static. >> >> Eg. Domains send to the auth-instance have to be specified manually in the >> config. >> >> >> >> What I love to achieve is: >> >> >> >> Let DNSDIST dynamicly select if a Request should be send to AUTH or >> RECURSOR. >> >> For Latency, the list of AUTH-Domains should be somehow synced locally to >> the DNSDIST-Instance itself. >> >> DNSDIST should not ask AUTH always and if it fails forward the request to >> the Recursor. >> >> Also if another Domain is added to the AUTH-Instance, this domain should be >> added to the DNSDIST Config. >> >> >> >> I tought about getting the Domain List via API on Startup and adding new >> records via Control-Socket. >> >> >> >> Has someone done a similar thing already? >> >> >> >> PS: Sorry for some potential false spellings - i`m not native. >> >> >> >> BR >> >> Bernd >> >> https://berndklaus.at >> >> >> > >> ___ >> dnsdist mailing list >> dnsdist@mailman.powerdns.com >> https://mailman.powerdns.com/mailman/listinfo/dnsdist > ___ dnsdist mailing list dnsdist@mailman.powerdns.com https://mailman.powerdns.com/mailman/listinfo/dnsdist
Re: [dnsdist] Dnsdist dynamic backend selection between AUTH and RECURSOR
Hi, My first suggestion would be to not need to do the name based forwarding by separating the incoming recurosr and auth traffic on ip address or port. If that is not feasible, take a look at https://dnsdist.org/reference/kvs.html Have a process update the kv-database and dnsdist can use that to make its decisions. -Otto On Sat, Jan 07, 2023 at 10:14:17AM +0100, bernd--- via dnsdist wrote: > Hello! > > > > I have a question regarding the architecture of DNSDIST in front of an > authorative pdns instance as well as an recursor. > > I`ve looked at: https://doc.powerdns.com/authoritative/guides/recursion.html > - however, the solutions described are kind of static. > > Eg. Domains send to the auth-instance have to be specified manually in the > config. > > > > What I love to achieve is: > > > > Let DNSDIST dynamicly select if a Request should be send to AUTH or > RECURSOR. > > For Latency, the list of AUTH-Domains should be somehow synced locally to > the DNSDIST-Instance itself. > > DNSDIST should not ask AUTH always and if it fails forward the request to > the Recursor. > > Also if another Domain is added to the AUTH-Instance, this domain should be > added to the DNSDIST Config. > > > > I tought about getting the Domain List via API on Startup and adding new > records via Control-Socket. > > > > Has someone done a similar thing already? > > > > PS: Sorry for some potential false spellings - i`m not native. > > > > BR > > Bernd > > https://berndklaus.at > > > > ___ > dnsdist mailing list > dnsdist@mailman.powerdns.com > https://mailman.powerdns.com/mailman/listinfo/dnsdist ___ dnsdist mailing list dnsdist@mailman.powerdns.com https://mailman.powerdns.com/mailman/listinfo/dnsdist
[dnsdist] Dnsdist dynamic backend selection between AUTH and RECURSOR
Hello! I have a question regarding the architecture of DNSDIST in front of an authorative pdns instance as well as an recursor. I`ve looked at: https://doc.powerdns.com/authoritative/guides/recursion.html - however, the solutions described are kind of static. Eg. Domains send to the auth-instance have to be specified manually in the config. What I love to achieve is: Let DNSDIST dynamicly select if a Request should be send to AUTH or RECURSOR. For Latency, the list of AUTH-Domains should be somehow synced locally to the DNSDIST-Instance itself. DNSDIST should not ask AUTH always and if it fails forward the request to the Recursor. Also if another Domain is added to the AUTH-Instance, this domain should be added to the DNSDIST Config. I tought about getting the Domain List via API on Startup and adding new records via Control-Socket. Has someone done a similar thing already? PS: Sorry for some potential false spellings - i`m not native. BR Bernd https://berndklaus.at ___ dnsdist mailing list dnsdist@mailman.powerdns.com https://mailman.powerdns.com/mailman/listinfo/dnsdist
