Re: [Pdns-users] Best practice for serving a few public domains + auth/recursion for VMs & VPN clients
Hi Thomas,

Thank you for your feedback.

On 04-10-2021 14:46, Thomas Mieslinger via Pdns-users wrote:
> Internet -> auth (for serving the public zones) does also work

Got it.

> VMs/VPN clients -> recursor (put internal zones in forward.zones) -> auth

Thanks, I'll read up on forward.zones.

Best,
Patrick

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] Best practice for serving a few public domains + auth/recursion for VMs & VPN clients
Hi Brian,

Thank you for your feedback.

On 04-10-2021 14:54, Brian Candler wrote:
[snip]
> No. There's no need for dnsdist unless you have a specially complex or
> unusual installation. It's only shown that way in the document you quote
> for people who are *forced* to put both authoritative and recursive
> nameservice on the same IP address, for legacy reasons or because of bad
> planning.
>
> All you want is:
>
> * Internet -> auth (for serving the public zones) [note 1]
> * VMs/VPN clients -> recursor [note 2, 3]
>
> [note 1]: public zones need to be served by at least *two* auth servers
> located in at least two different networks (autonomous systems), and
> preferably different continents. See RFC 2182.

Thanks, RFC 2182 is on my reading list.

> [note 2]: you probably want two recursors for redundancy too.

Yes, that makes sense.

> [note 3]: as long as your public zones are properly public and delegated,
> there is no need to point your recursor at your auth servers: the
> recursor will follow the published NS records just like everyone else.

Got it. That sounds like a nice test to see if everything is working as it's supposed to.

> However if you have *private* domains, that are only visible to your own
> recursor users, that's when you look at using forward-zones - and you
> might have to use negative trust anchors (NTA) if these private domains
> are subdomains of a DNSSEC-signed zone. It's much simpler just to keep
> the DNS public.

That sounds challenging, and I like to keep things simple, so private zones are off the table.

> Your authoritative nameservers need public IPs; your recursors can be
> behind NAT.

Everything has a public IP, but good to know that a recursor can be behind NAT.

> HTH,

It definitely does help. Thank you!

Best,
Patrick
Re: [Pdns-users] Best practice for serving a few public domains + auth/recursion for VMs & VPN clients
On 04/10/2021 13:44, Patrick Laimbock via Pdns-users wrote:
> New to the list & PowerDNS. Pleased to meet you. I have about 50 domains,
> 10 VMs and 10 VPN clients I would like to set up DNS for. I went through
> DuckDuckGo and a bunch of ML archives but did not find any hints of a
> best practice architecture for this small setup. I did find:
>
> https://doc.powerdns.com/authoritative/guides/recursion.html#scenario-2-authoritative-server-as-recursor-for-clients-and-serving-public-domains
>
> Is this deduction from the scenario 2 "New situation" picture on the
> right correct?
>
> Internet -> dnsdist -> auth (for serving the public zones)
> VMs/VPN clients -> dnsdist -> auth (for public/private zones)
> VMs/VPN clients -> dnsdist -> recursor -> Internet (for the rest)

No. There's no need for dnsdist unless you have a specially complex or unusual installation. It's only shown that way in the document you quote for people who are *forced* to put both authoritative and recursive nameservice on the same IP address, for legacy reasons or because of bad planning.

All you want is:

* Internet -> auth (for serving the public zones) [note 1]
* VMs/VPN clients -> recursor [note 2, 3]

[note 1]: public zones need to be served by at least *two* auth servers located in at least two different networks (autonomous systems), and preferably different continents. See RFC 2182.

[note 2]: you probably want two recursors for redundancy too.

[note 3]: as long as your public zones are properly public and delegated, there is no need to point your recursor at your auth servers: the recursor will follow the published NS records just like everyone else.

However if you have *private* domains, that are only visible to your own recursor users, that's when you look at using forward-zones - and you might have to use negative trust anchors (NTA) if these private domains are subdomains of a DNSSEC-signed zone. It's much simpler just to keep the DNS public.

Your authoritative nameservers need public IPs; your recursors can be behind NAT.

HTH,

Brian.
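The split Brian describes can be verified from the client side: a public auth server should answer its own zones with AA set and never offer recursion (no RA, REFUSED for foreign names), while the recursor should set RA only for the VM/VPN clients that are allowed to reach it. The probe below is an added example, not code from this thread or from PowerDNS; it builds a raw DNS query with the standard library and reads back the header flags. The server addresses and zone names are placeholders.

```python
"""Probe a nameserver and report whether it offers recursion (RA) or answers
authoritatively (AA). Added example; server addresses and zone names are placeholders."""
import socket
import struct

def build_query(qname: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """A-record query with the RD bit set, so a willing server will recurse."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def parse_header(resp: bytes) -> dict:
    """Extract the header fields a role check needs from a raw DNS response."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"txid": txid, "aa": bool(flags & 0x0400), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "ancount": ancount}

def classify(hdr: dict) -> str:
    """Map the header flags to the role the server exposes to this client."""
    if hdr["ra"]:
        return "recursive"      # offers recursion: should not be reachable from the Internet
    if hdr["aa"]:
        return "authoritative"  # answers its own zone without offering recursion
    if hdr["rcode"] == 5:
        return "refused"        # REFUSED: neither authoritative nor recursing for this name
    return "other"

def probe(server: str, qname: str, port: int = 53, timeout: float = 2.0) -> str:
    """Send one UDP query and classify the answer; raises socket.timeout on silence."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, port))
        resp, _ = s.recvfrom(4096)
    hdr = parse_header(resp)
    if hdr["txid"] != 0x1234:
        raise ValueError("transaction id mismatch")
    return classify(hdr)

if __name__ == "__main__":
    # Placeholder addresses: substitute your own auth server and recursor, and a zone you serve.
    for role, server in (("auth", "192.0.2.53"), ("recursor", "192.0.2.153")):
        try:
            print(role, server, "own zone:", probe(server, "example.com"),
                  "foreign name:", probe(server, "example.net"))
        except (socket.timeout, OSError) as exc:
            print(role, server, "no answer:", exc)
```

Run it once from a VPN client and once from an address outside your networks: the auth servers should report "authoritative" for your zones and "refused" for anything else from both vantage points, and the recursor should report "recursive" only from the inside.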
Re: [Pdns-users] Best practice for serving a few public domains + auth/recursion for VMs & VPN clients
Internet -> auth (for serving the public zones) does also work

VMs/VPN clients -> recursor (put internal zones in forward.zones) -> auth

Cheers

Thomas

On 10/4/21 2:44 PM, Patrick Laimbock via Pdns-users wrote:
> Hi,
>
> New to the list & PowerDNS. Pleased to meet you. I have about 50 domains,
> 10 VMs and 10 VPN clients I would like to set up DNS for. I went through
> DuckDuckGo and a bunch of ML archives but did not find any hints of a
> best practice architecture for this small setup. I did find:
>
> https://doc.powerdns.com/authoritative/guides/recursion.html#scenario-2-authoritative-server-as-recursor-for-clients-and-serving-public-domains
>
> Is this deduction from the scenario 2 "New situation" picture on the
> right correct?
>
> Internet -> dnsdist -> auth (for serving the public zones)
> VMs/VPN clients -> dnsdist -> auth (for public/private zones)
> VMs/VPN clients -> dnsdist -> recursor -> Internet (for the rest)
>
> Thank you.
>
> Best,
> Patrick
[Pdns-users] Best practice for serving a few public domains + auth/recursion for VMs & VPN clients
Hi,

New to the list & PowerDNS. Pleased to meet you. I have about 50 domains, 10 VMs and 10 VPN clients I would like to set up DNS for. I went through DuckDuckGo and a bunch of ML archives but did not find any hints of a best practice architecture for this small setup. I did find:

https://doc.powerdns.com/authoritative/guides/recursion.html#scenario-2-authoritative-server-as-recursor-for-clients-and-serving-public-domains

Is this deduction from the scenario 2 "New situation" picture on the right correct?

Internet -> dnsdist -> auth (for serving the public zones)
VMs/VPN clients -> dnsdist -> auth (for public/private zones)
VMs/VPN clients -> dnsdist -> recursor -> Internet (for the rest)

Thank you.

Best,
Patrick