Re: [Pdns-users] PDNS recursor cache sync

2022-09-17 Thread Djerk Geurts via Pdns-users
That may be true for a SOHO environment. But for a corporate network with 
numerous firewalls, my opinion is that firewalls should be firewalls. Tagging 
core services into a security appliance is not the right solution for DNS 
servers that manage to cache different results.

I like Otto's suggestion of dnsdist. As it puts the onus on the design of the 
DNS servers to ensure that all clients end up resolving the same records.

On 17 Sept 2022, 19:24, at 19:24, Oscar Zovo  wrote:
>If you are applying a firewall rule based on hostname, it makes sense that
>the firewall should be the one providing DNS recursive service to the DNS
>clients or to the downstream DNS caching servers, or you should resort to
>URL filtering.
>
>
>Best Regards,
>Óscar Zovo.
>
>On Saturday, 17/09/2022, 01:01, Djerk Geurts via Pdns-users <
>pdns-users@mailman.powerdns.com> wrote:
>
>> Just ran into an issue with recursive DNS servers where the two servers
>> have cached a different A record for mirror.centos.org.
>>
>> This is a problem as the firewalls permit access to the FQDN, which
>> presumes that both the client and the firewall end up with the same A
>> record for the domain.
>>
>> I'm intending to swap these recursors out with PowerDNS servers, but am
>> wondering if there's a way to keep the record cache in sync between
>> multiple recursors.
>>
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] PDNS recursor cache sync

2022-09-17 Thread Djerk Geurts via Pdns-users
Thank you, I'll have a look at your dnsdist suggestion, I hadn't considered that 
yet.

I'd rather not get into an off topic argument about the various reasons for 
using an FQDN in a firewall rule versus undisclosed public IP addresses. And I 
have no intention of requesting that cache management is made more complex.

On 17 Sept 2022, 18:42, at 18:42, Otto Moerbeek  wrote:
>
>Cache maintenance is already quite a complex part of any recursor.  IMO
>adding cache syncing would introduce way too much complexity to be
>worth the trouble to solve what in essence is a questionable firewall
>rule design.
>
>Maybe dnsdist with a packet cache in front of two recursors might
>be worth considering.
>
>   -Otto
>
>On Sat, Sep 17, 2022 at 05:41:14PM +0100, Djerk Geurts wrote:
>
>> Hi Otto,
>>
>> Thank you for the clarification. Yes, I'm aware that the source may
>> change, but TTL exists for that. So I don't think this is a valid
>> reason to not sync cache. As the current situation is worse:
>>
>> Resolver A caches IP address 1.1.1.1 and resolver B caches IP address
>> 2.2.2.2. Subsequently a user types to navigate to the site, but the
>> firewall happened to resolve the domain via the other resolver. This
>> ends up causing intermittent issues as it ends up being pot luck
>> whether a user happens to use the same resolver that the firewall used.
>>
>> A cache sync would at least cause the same behaviour for all users.
>> And using a single resolver is too risky.
>>
>> On 17 Sept 2022, 15:44, at 15:44, Otto Moerbeek 
>> wrote:
>> >Hello,
>> >
>> >cache syncing is not something we have and even with it (or using a
>> >single resolver) there is an issue that records can change:
>> >the scenario:
>> >
>> >- a client asks the record, record gets cached
>> >- client A asks and gets cached value,
>> >- publisher of records changes the record
>> >- record expires from cache
>> >- client B (firewall) asks and record resolves to different value.
>> >
>> >
>> >On Sat, Sep 17, 2022 at 01:01:09AM +0100, Djerk Geurts via
>> >Pdns-users wrote:
>> >
>> >> Just ran into an issue with recursive DNS servers where the two
>> >> servers have cached a different A record for mirror.centos.org.
>> >>
>> >> This is a problem as the firewalls permit access to the FQDN, which
>> >> presumes that both the client and the firewall end up with the same
>> >> A record for the domain.
>> >>
>> >> I'm intending to swap these recursors out with PowerDNS servers, but
>> >> am wondering if there's a way to keep the record cache in sync
>> >> between multiple recursors.


Re: [Pdns-users] PDNS recursor cache sync

2022-09-17 Thread Oscar Zovo via Pdns-users
If you are applying a firewall rule based on hostname, it makes sense that
the firewall should be the one providing DNS recursive service to the DNS
clients or to the downstream DNS caching servers, or you should resort to
URL filtering.


Best Regards,
Óscar Zovo.

On Saturday, 17/09/2022, 01:01, Djerk Geurts via Pdns-users <
pdns-users@mailman.powerdns.com> wrote:

> Just ran into an issue with recursive DNS servers where the two servers
> have cached a different A record for mirror.centos.org.
>
> This is a problem as the firewalls permit access to the FQDN, which
> presumes that both the client and the firewall end up with the same A
> record for the domain.
>
> I'm intending to swap these recursors out with PowerDNS servers, but am
> wondering if there's a way to keep the record cache in sync between
> multiple recursors.
>


Re: [Pdns-users] PDNS recursor cache sync

2022-09-17 Thread Otto Moerbeek via Pdns-users

Cache maintenance is already quite a complex part of any recursor.  IMO
adding cache syncing would introduce way too much complexity to be
worth the trouble to solve what in essence is a questionable firewall
rule design.

Maybe dnsdist with a packet cache in front of two recursors might
be worth considering.

-Otto

On Sat, Sep 17, 2022 at 05:41:14PM +0100, Djerk Geurts wrote:

> Hi Otto,
> 
> Thank you for the clarification. Yes, I'm aware that the source may change, 
> but TTL exists for that. So I don't think this is a valid reason to not sync 
> cache. As the current situation is worse:
> 
> Resolver A caches IP address 1.1.1.1 and resolver B caches IP address 
> 2.2.2.2. Subsequently a user types to navigate to the site, but the firewall 
> happened to resolve the domain via the other resolver. This ends up causing 
> intermittent issues as it ends up being pot luck whether a user happens to 
> use the same resolver that the firewall used.
> 
> A cache sync would at least cause the same behaviour for all users. And using 
> a single resolver is too risky.
> 
> On 17 Sept 2022, 15:44, at 15:44, Otto Moerbeek  wrote:
> >Hello,
> >
> >cache syncing is not something we have and even with it (or using a
> >single resolver) there is an issue that records can change:
> >the scenario:
> >
> > - a client asks the record, record gets cached
> > - client A asks and gets cached value,
> > - publisher of records changes the record
> > - record expires from cache
> > - client B (firewall) asks and record resolves to different value.
> >
> >
> >On Sat, Sep 17, 2022 at 01:01:09AM +0100, Djerk Geurts via Pdns-users
> >wrote:
> >
> >> Just ran into an issue with recursive DNS servers where the two
> >> servers have cached a different A record for mirror.centos.org.
> >>
> >> This is a problem as the firewalls permit access to the FQDN, which
> >> presumes that both the client and the firewall end up with the same A
> >> record for the domain.
> >>
> >> I'm intending to swap these recursors out with PowerDNS servers, but
> >> am wondering if there's a way to keep the record cache in sync between
> >> multiple recursors.
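Otto's suggestion above, written out as an added configuration example (this is not code from the thread or from the PowerDNS project): one dnsdist instance with a single packet cache in front of two PowerDNS Recursors. The listener address 10.0.2.10, the backend addresses 10.0.0.53 and 10.0.1.53, the 10.0.0.0/8 ACL range and the cache sizing are all assumptions; substitute your own.

```lua
-- dnsdist.conf (Lua). Added example, not from the mailing-list thread or the
-- PowerDNS project. Every address, the ACL range and the cache sizing below
-- are assumptions.

-- The one resolver address that every client AND every firewall must use.
-- A second dnsdist node would keep its own, separate packet cache and bring
-- the original "two caches, two answers" problem straight back, so keep this
-- a single endpoint (for example one VIP that fails over between hosts).
setLocal("10.0.2.10:53")

-- dnsdist must not become an open resolver: only answer internal networks.
setACL({"10.0.0.0/8"})

-- The two PowerDNS Recursor backends. Both land in the default pool ("").
newServer({address="10.0.0.53:53", name="rec-a"})
newServer({address="10.0.1.53:53", name="rec-b"})

-- One packet cache for the whole pool. The first answer for a given
-- (qname, qtype, qclass) is stored and every later query is served from it
-- until the TTL runs out, regardless of which backend produced it, so the
-- clients and the firewalls see the same A record within one TTL window.
pc = newPacketCache(100000, {
  maxTTL = 86400,            -- never keep an entry longer than a day
  minTTL = 0,                -- honour short TTLs exactly as published
  temporaryFailureTTL = 60,  -- cache SERVFAIL/REFUSED only briefly
  dontAge = false            -- decrement TTLs in cached answers so downstream
                             -- caches expire in step with dnsdist's copy
})
getPool(""):setCache(pc)

-- Cache misses may go to either backend; the shared cache hides the choice.
setServerPolicy(leastOutstanding)

-- Console access for inspecting the cache (see the usage note). Set a real
-- key with setKey() using the output of makeKey() before exposing this.
controlSocket("127.0.0.1:5199")
```

Check the file with `dnsdist -C dnsdist.conf --check-config`, then from the console (`dnsdist -c`) run `getPool(""):getCache():printStats()` and confirm that hits climb while both the clients and the firewalls are querying. This only gives everyone the same answer for the lifetime of one cached entry; Otto's point stands that once the entry expires the next miss can return a changed record, and that two caching layers (dnsdist plus each recursor) do not sync with each other either.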


Re: [Pdns-users] PDNS recursor cache sync

2022-09-17 Thread Djerk Geurts via Pdns-users
Hi Otto,

Thank you for the clarification. Yes, I'm aware that the source may change, but 
TTL exists for that. So I don't think this is a valid reason to not sync cache. 
As the current situation is worse:

Resolver A caches IP address 1.1.1.1 and resolver B caches IP address 2.2.2.2. 
Subsequently a user types to navigate to the site, but the firewall happened to 
resolve the domain via the other resolver. This ends up causing intermittent 
issues as it ends up being pot luck whether a user happens to use the same 
resolver that the firewall used.

A cache sync would at least cause the same behaviour for all users. And using a 
single resolver is too risky.

On 17 Sept 2022, 15:44, at 15:44, Otto Moerbeek  wrote:
>Hello,
>
>cache syncing is not something we have and even with it (or using a
>single resolver) there is an issue that records can change:
>the scenario:
>
>   - a client asks the record, record gets cached
>   - client A asks and gets cached value,
>   - publisher of records changes the record
>   - record expires from cache
>   - client B (firewall) asks and record resolves to different value.
>
>
>On Sat, Sep 17, 2022 at 01:01:09AM +0100, Djerk Geurts via Pdns-users
>wrote:
>
>> Just ran into an issue with recursive DNS servers where the two
>> servers have cached a different A record for mirror.centos.org.
>>
>> This is a problem as the firewalls permit access to the FQDN, which
>> presumes that both the client and the firewall end up with the same A
>> record for the domain.
>>
>> I'm intending to swap these recursors out with PowerDNS servers, but
>> am wondering if there's a way to keep the record cache in sync between
>> multiple recursors.


Re: [Pdns-users] PDNS recursor cache sync

2022-09-17 Thread Otto Moerbeek via Pdns-users
Hello,

cache syncing is not something we have and even with it (or using a
single resolver) there is an issue that records can change:
the scenario:

- a client asks the record, record gets cached
- client A asks and gets cached value,
- publisher of records changes the record
- record expires from cache
- client B (firewall) asks and record resolves to different value.


On Sat, Sep 17, 2022 at 01:01:09AM +0100, Djerk Geurts via Pdns-users wrote:

> Just ran into an issue with recursive DNS servers where the two servers have 
> cached a different A record for mirror.centos.org.
> 
> This is a problem as the firewalls permit access to the FQDN, which presumes 
> that both the client and the firewall end up with the same A record for the 
> domain.
> 
> I'm intending to swap these recursors out with PowerDNS servers, but am 
> wondering if there's a way to keep the record cache in sync between multiple 
> recursors.


[Pdns-users] PDNS recursor cache sync

2022-09-16 Thread Djerk Geurts via Pdns-users
Just ran into an issue with recursive DNS servers where the two servers have 
cached a different A record for mirror.centos.org.

This is a problem as the firewalls permit access to the FQDN, which presumes 
that both the client and the firewall end up with the same A record for the 
domain.

I'm intending to swap these recursors out with PowerDNS servers, but am 
wondering if there's a way to keep the record cache in sync between multiple 
recursors.

--
Best regards,
Djerk Geurts
m: +44-7535-674620

Maizymoo Ltd
VAT No: GB192 1529 07
Registration Number: 6638104 (registered in England and Wales)