Leen,
Hopefully a few last questions and I will attempt to keep it brief. I am just
having confusion on how to get the recursor servers to look up from pdns with my
configuration. I get that being authoritative for a domain will initiate a
lookup to the defined dns server. How do I get a lookup and not expose the
pdns software to the net and get the answers through recursor?
Currently this is my setup:
Each of my dns servers runs pdns and each has a slave copy of the master pdns
mysql database and in turn each server looks up the dns locally via mysql.
This has been working great for 2 years.
The problem is that each server is running pdns, which has a DOS vulnerability, which is
why I am upgrading to implement recursor.
ns1@mydomain.com - on server 1
n...@mydomain.com - on server 2
n...@mydomain.com - on server 3
n...@mydomain.com - on server 4
Also for testing I have ns5 set up on a new server running both pdns(5300) and
recursor (53). The pdns software from my research and security testing still
has the DOS issue. So when recursor is on ns5 responding to port 53 requests
it passes the security testing.
New Setup question:
My plan is to install recursor on each of the ns1,ns2,ns3, and ns4 servers and
then install pdns onto the fifth server (currently ns5). Should pdns on each
be responding to port 53 requests only from ns1-4 on port 53? In doing this
then I only have one database connection supporting the ns1-4 servers and now
do not need the mysql slaves on each server. Currently all my hosting domains
are pointing to ns1-4.
So does each server ns1-4 need a forward definition to look up on the ns5 pdns
server to get the authoritative response?
I was hoping to keep the data local to each server. Since I set it up
originally this way the dns servers have been running great. I am attempting
to avoid a single point of failure with my setup.
Thanks in advance. Like I said previously I think I am just missing a piece of
the pie to get it all together.
Patrick
On Dec 22, 2010, at 3:00 AM, pdns-users-requ...@mailman.powerdns.com wrote:
From: Leen Besselink l...@consolejunkie.net
Subject: Re: [Pdns-users] Recursor / pdns installation help
To: pdns-users@mailman.powerdns.com
Message-ID: 4d1145f4.1080...@consolejunkie.net
Content-Type: text/plain; charset=ISO-8859-1
On 12/21/2010 09:09 PM, Patrick Coffin wrote:
Leen,
Thanks for the reply. We are hosting 1000's of dns records so
entering them in the forwards is not an option.
I will take your advice to split the pdns and recursor to separate
servers.
Should I expect that if I move the pdns to a separate server that the
lookups will work correctly with the information I have given? I
would move pdns back to port 53 and keep it connected to mysql for
lookups.
I would like it to be set up so that recursor queries the pdns server and
database if we are authoritative for the domain. Otherwise recursor
should look to the authoritative server for the answer.
If the pdns server is authoritative for the domain, every recursor in the
world will look at your pdns server when it wants to ask about that
domain. Because the root and TLD will point them to your pdns server.
Thus so will your own recursor.
I suggest you set up a few domains in your recursor to point to your
pdns for the domains. The few domains you use internally (don't forget
your reverse DNS blocks).
Just in case you lose connectivity to the outside world and the external
root/TLD-servers can't be reached.
Is there another resource that I can reference for this setup? I
believe I am just missing one or two pieces to get it working properly.
Well, I hope the above makes sense to you. At least if that is the setup
you want then it should not need any other configuration than what I
mentioned above.
I appreciate the help!
Thanks,
Patrick
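
Added example, not part of the thread and not PowerDNS project code: with the recursor on port 53 and pdns on port 5300 of the same host, as on the ns5 test box above, the recursor's `forward-zones-file` setting can carry a large list of hosted zones, and this sketch generates that file from a zone list. The address 127.0.0.1:5300, the function name, the file path in the comments and the sample zones are assumptions.

```shell
#!/bin/sh
# Build the contents of a recursor forward-zones-file from zone names on stdin.
# Each output line has the form "zone=address:port", one zone per line.
#
# Assumed companion settings (paths are hypothetical):
#   recursor.conf:  forward-zones-file=/etc/powerdns/forward-zones.conf
#   pdns.conf:      local-address=127.0.0.1
#                   local-port=5300
# Binding pdns to 127.0.0.1 keeps it off the public interface; only the
# recursor on port 53 is reachable from outside.

AUTH_ADDR="${AUTH_ADDR:-127.0.0.1:5300}"   # assumption: local pdns on 5300

make_forward_zones() {
    # Normalise: lowercase, drop comments, trim whitespace and trailing dot.
    tr '[:upper:]' '[:lower:]' |
    sed -e 's/[[:space:]]*#.*$//' \
        -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]*$//' \
        -e 's/\.$//' |
    LC_ALL=C sort -u |
    while IFS= read -r zone; do
        [ -n "$zone" ] || continue
        # Accept only plain DNS names so a stray "=", space or comma in the
        # zone list can never end up as a forwarding rule.
        if printf '%s\n' "$zone" |
           grep -Eq '^([a-z0-9_]([a-z0-9_-]{0,61}[a-z0-9_])?\.)+[a-z0-9-]{2,63}$'
        then
            printf '%s=%s\n' "$zone" "$AUTH_ADDR"
        else
            printf 'skipped invalid zone name: %s\n' "$zone" >&2
        fi
    done
}

# Constructed sample input: two forward zones (one duplicated with different
# case and a trailing dot), one reverse zone and one malformed entry.
make_forward_zones <<'EOF'
Example.COM.
example.com
example.org   # hosted customer zone
2.0.192.in-addr.arpa
bad zone!.com
EOF
```

In practice the zone list would come from the same source pdns uses, and the recursor has to re-read the file after it changes.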