Re: [Pdns-users] Share DNS-Records between two zones/views (internal & external)

2023-11-15 Thread Winfried via Pdns-users
> I am considering migrating my current BIND-Based setup to PowerDNS.

May I ask why?

Winfried


___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] Share DNS-Records between two zones/views (internal & external)

2023-11-15 Thread Kevin P. Fleming via Pdns-users
On Wed, Nov 15, 2023, at 12:11, Sebastian Neumann wrote:
> 3. Install a Response Policy Zone (RPZ) in the recursor to *override* the 
> results provided by the auth for queries from internal clients
>  
> Thanks a lot for that hint, I will look into that.
> I guess you are talking about this bit here? 
> https://doc.powerdns.com/recursor/lua-config/index.html
>  
No, this section in particular: 
https://doc.powerdns.com/recursor/lua-config/rpz.html

The rules for how to handle responses are encoded into DNS records, not written 
in Lua, and most importantly there is no method to get a response from another 
server. You either allow the response from the (sole) 'external' auth server to 
flow through, or you override it directly in the recursor.


Re: [Pdns-users] Share DNS-Records between two zones/views (internal & external)

2023-11-15 Thread Brian Candler via Pdns-users

On 15/11/2023 17:11, Sebastian Neumann via Pdns-users wrote:
> 3. Install a Response Policy Zone (RPZ) in the recursor to *override* 
> the results provided by the auth for queries from internal clients
> 
> Thanks a lot for that hint, I will look into that.
> I guess you are talking about this bit here? 
> https://doc.powerdns.com/recursor/lua-config/index.html
> So I would need to write some Lua code that gets executed before the 
> response is being returned, and in case the response is an NXDOMAIN, I 
> make a new lookup towards the external-pdns-auth server and return 
> whatever that one returns?

No, you just need to load the RPZ.

https://doc.powerdns.com/recursor/lua-config/rpz.html



Re: [Pdns-users] Share DNS-Records between two zones/views (internal & external)

2023-11-15 Thread Sebastian Neumann via Pdns-users
> Note that even with this setup, your clients will need to point to one IP address (the pdns-recursor server), and your NS records will need to point to a different IP address (the pdns-auth server with the externally visible zones).  So you will need to renumber one or the other.

That would be fine for me. I also don't need both instances to have the same IP address.

About the "3. Set up forwarding rules on pdns-recursor for your internal zones, pointing at your internal pdns-auth":

When I have stuff like:

foo.example.com IN A 127.0.0.1 (internal only)
bar.example.com IN A 99.99.99.99 (internal and external)

Then that's the same zone. And I have hundreds of those DNS records that need to be accessible in both "views", as well as hundreds that are internal-only.
I agree, it would have been better to use completely different zones for internal and external stuff in the beginning, but sadly I have to deal with the current setup.

Would I now have to make forwarding rules for each of those records in pdns-recursor?
Like: when foo.example.com is requested, then ask internal-pdns-auth; when bar.example.com is requested, then ask external-pdns-auth.

Because then I would need to duplicate all internal DNS records in the recursor as well as define them in the internal-pdns-auth. So I end up with two places to configure again, which brings the same downsides.

> 3. Install a Response Policy Zone (RPZ) in the recursor to *override* the results provided by the auth for queries from internal clients

Thanks a lot for that hint, I will look into that.
I guess you are talking about this bit here? https://doc.powerdns.com/recursor/lua-config/index.html
So I would need to write some Lua code that gets executed before the response is being returned, and in case the response is an NXDOMAIN, I make a new lookup towards the external-pdns-auth server and return whatever that one returns?

Cheers
Sebastian



Re: [Pdns-users] Share DNS-Records between two zones/views (internal & external)

2023-11-15 Thread Kevin P. Fleming via Pdns-users
On Wed, Nov 15, 2023, at 11:05, Brian Candler via Pdns-users wrote:
> On 15/11/2023 14:53, sebastian-n-95--- via Pdns-users wrote:
>> Hey,
>> 
>> I am considering migrating my current BIND-Based setup to PowerDNS.
>> 
>> For multiple zones, I currently have split-view in bind, so that I can 
>> define DNS-Records available only for internal clients.
>> 
>> To achieve this, I have the following zonefiles:
>> 
>> mydomain.com.ext.zone <- This zonefile is used for the external view
>> mydomain.com.int.zone  <- This zonesfile is used for the internal view
>>  
>> But I also have:
>> mydomain.com.include<- This file is included in both zonefiles, so 
>> records defined there are available in both zones.
>>  
>>  
>> I was wondering, how I could replicate a setup like this in PowerDNS.
> BIND combines the roles of authoritative server and recursor; PowerDNS has 
> separate programs (pdns and pdns-recursor)
> 
> Split views are IMO a bad idea anyway, but if you wanted to do it you would 
> need to do something like this:
> 
> 
> 1. Run pdns-recursor for your internal clients to use
> 2. Run an instance of pdns-auth with your internal zones
> 

There is another option to consider:

1. Run pdns-recursor for your internal clients to use
2. Run pdns-auth for the external view of the zones
3. Install a Response Policy Zone (RPZ) in the recursor to *override* the 
results provided by the auth for queries from internal clients

Those overrides can add new records, hide existing records, or replace records 
with alternative answers.
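The three kinds of override Kevin lists (add a record, hide a name, replace an answer), as an added example that is not part of this thread and not PowerDNS code: a small Python evaluator for the QNAME-trigger subset of a Response Policy Zone, applied to a constructed policy zone and a constructed view of what the external auth would return. The policy zone name internal-overrides.rpz, every host name and every address are made up for the illustration.

```python
"""Added example (not from the thread or from PowerDNS): evaluate the
QNAME-trigger subset of a Response Policy Zone the way a recursor would,
to show what "override in the recursor" does for internal clients.
Standard RPZ actions modelled:
  ordinary records under the trigger name -> Local Data (add or replace)
  CNAME .  -> NXDOMAIN (hide)   CNAME *. -> NODATA   CNAME rpz-passthru. -> upstream
"""

POLICY_ZONE = "internal-overrides.rpz."   # made-up policy zone name

# Constructed policy zone, in the format rpzFile() loads. Owner names are
# <trigger name>.<policy zone>; all host names and addresses are invented.
RPZ_ZONE_TEXT = """\
; internal-only names: the external auth answers NXDOMAIN for these
foo.example.com.internal-overrides.rpz.      60 IN A     127.0.0.1
db.example.com.internal-overrides.rpz.       60 IN A     10.0.0.5
; a shared name whose external address is replaced for internal clients
bar.example.com.internal-overrides.rpz.      60 IN A     10.0.0.8
; a name hidden from internal clients entirely
legacy.example.com.internal-overrides.rpz.   60 IN CNAME .
; a name that exists for internal clients but returns no records
printer.example.com.internal-overrides.rpz.  60 IN CNAME *.
; everything else under example.com: let the external auth's answer through
*.example.com.internal-overrides.rpz.        60 IN CNAME rpz-passthru.
"""

# Constructed view of what the external-facing auth returns: (rcode, rrset).
UPSTREAM = {
    ("bar.example.com.", "A"):     ("NOERROR", [("A", "99.99.99.99")]),
    ("www.example.com.", "A"):     ("NOERROR", [("A", "99.99.99.10")]),
    ("legacy.example.com.", "A"):  ("NOERROR", [("A", "99.99.99.20")]),
    ("printer.example.com.", "A"): ("NOERROR", [("A", "99.99.99.30")]),
}


def parse_rpz(text, policy_zone=POLICY_ZONE):
    """Map each trigger name (relative to the policy zone) to its records."""
    rules = {}
    suffix = "." + policy_zone
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()       # ';' starts a zone-file comment
        if not line:
            continue
        fields = line.split()
        owner = fields[0].lower()
        if not owner.endswith(suffix):
            raise ValueError(f"owner {owner} is outside {policy_zone}")
        trigger = owner[: -len(suffix)] + "."
        rest = fields[1:]
        if rest and rest[0].isdigit():            # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":      # optional class
            rest = rest[1:]
        rules.setdefault(trigger, []).append((rest[0].upper(), " ".join(rest[1:])))
    return rules


def lookup_rule(rules, qname):
    """Exact trigger first, then the closest enclosing wildcard trigger."""
    qname = qname.lower()
    if qname in rules:
        return rules[qname]
    labels = qname.rstrip(".").split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:]) + "."
        if wildcard in rules:
            return rules[wildcard]
    return None


def apply_rpz(rules, qname, qtype, upstream):
    """Return the (rcode, rrset) an internal client sees for this query."""
    rrs = lookup_rule(rules, qname)
    if rrs is None:
        return upstream                           # no policy: answer flows through
    cnames = [rdata for rtype, rdata in rrs if rtype == "CNAME"]
    if cnames == ["."]:
        return ("NXDOMAIN", [])
    if cnames == ["*."]:
        return ("NOERROR", [])                    # NODATA
    if cnames == ["rpz-passthru."]:
        return upstream
    if cnames:
        return ("NOERROR", [("CNAME", cnames[0])])
    # Local Data: only records of the queried type; other types -> NODATA
    return ("NOERROR", [(rt, rd) for rt, rd in rrs if rt == qtype.upper()])


def resolve_internal(rules, qname, qtype="A"):
    """What the recursor hands an internal client, given the external auth's answer."""
    upstream = UPSTREAM.get((qname.lower(), qtype.upper()), ("NXDOMAIN", []))
    return apply_rpz(rules, qname, qtype, upstream)


if __name__ == "__main__":
    policy = parse_rpz(RPZ_ZONE_TEXT)
    for host in ("foo", "bar", "www", "legacy", "printer", "db"):
        q = f"{host}.example.com."
        print(f"{q:22} external={UPSTREAM.get((q, 'A'), ('NXDOMAIN', []))} "
              f"internal={resolve_internal(policy, q)}")
```

With the real recursor the same zone file is loaded from the Lua configuration file with `rpzFile("/etc/powerdns/internal-overrides.rpz", {policyName="internal-overrides"})` (path and policy name are assumptions). Two checks a practitioner would add: restrict who may query that recursor (`allow-from`), because the policy zone hands internal addresses to anyone who can reach it; and keep in mind that the recursor synthesizes these answers itself, so they are not covered by whatever DNSSEC signatures the external zone carries.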


Re: [Pdns-users] Share DNS-Records between two zones/views (internal & external)

2023-11-15 Thread Brian Candler via Pdns-users

On 15/11/2023 14:53, sebastian-n-95--- via Pdns-users wrote:
> Hey,
> 
> I am considering migrating my current BIND-based setup to PowerDNS.
> 
> For multiple zones, I currently have split-view in bind, so that I can 
> define DNS-Records available only for internal clients.
> 
> To achieve this, I have the following zonefiles:
> 
> mydomain.com.ext.zone <- This zonefile is used for the external view
> mydomain.com.int.zone <- This zonefile is used for the internal view
> 
> But I also have:
> mydomain.com.include <- This file is included in both zonefiles, so 
> records defined there are available in both zones.
> 
> I was wondering, how I could replicate a setup like this in PowerDNS.

BIND combines the roles of authoritative server and recursor; PowerDNS 
has separate programs (pdns and pdns-recursor)


Split views are IMO a bad idea anyway, but if you wanted to do it you 
would need to do something like this:


1. Run pdns-recursor for your internal clients to use
2. Run an instance of pdns-auth with your internal zones
3. Set up forwarding rules on pdns-recursor for your internal zones, 
pointing at your internal pdns-auth
4. Run a separate instance of pdns-auth with your external zones (i.e. 
the ones which your NS records point at)


Note that even with this setup, your clients will need to point to one 
IP address (the pdns-recursor server), and your NS records will need to 
point to a different IP address (the pdns-auth server with the 
externally visible zones).  So you will need to renumber one or the other.


If you really, really, really want to have a single IP address that 
performs both functions, then you will indeed need to put dnsdist on 
that address. But I would strongly advise against it; it's too many 
moving parts. Either just renumber your recursor IP (maybe you can give 
the new address to all your clients using DHCP), or renumber your 
external auth nameserver (which just means changing the A record for 
your nameserver, and possibly glue records).


PowerDNS is designed for use in large-scale ISP operations, where it is 
best practice to separate recursor and authoritative services and run 
them on different IP addresses.

> But for DNS-Records that I want to have for internal AND external 
> clients, I would need to create them in both PowerDNS instances.
> To me, the risk seems too high that, by accident, DNS-Records are only 
> created/updated on one PowerDNS instance but not on the other.

That is one of the (several) risks associated with split DNS, yes.

Regards,

Brian.


[Pdns-users] Share DNS-Records between two zones/views (internal & external)

2023-11-15 Thread sebastian-n-95--- via Pdns-users
Hey,

I am considering migrating my current BIND-based setup to PowerDNS.

For multiple zones, I currently have split-view in bind, so that I can define DNS-Records available only for internal clients.

To achieve this, I have the following zonefiles:

mydomain.com.ext.zone <- This zonefile is used for the external view
mydomain.com.int.zone <- This zonefile is used for the internal view

But I also have:

mydomain.com.include <- This file is included in both zonefiles, so records defined there are available in both zones.

I was wondering, how I could replicate a setup like this in PowerDNS.
From what I was able to search online, in PowerDNS I can not have split views, but would need to use different PowerDNS instances and then something like dnsdist to forward queries based on the source IP.

But for DNS-Records that I want to have for internal AND external clients, I would need to create them in both PowerDNS instances.
To me, the risk seems too high that, by accident, DNS-Records are only created/updated on one PowerDNS instance but not on the other.

I was thinking about something like: the internal DNS server is authoritative for mydomain.com and answers what it has, BUT instead of returning NXDOMAIN itself, it would forward the query to the external DNS server as well, which then either can resolve, or will return the "final" NXDOMAIN.
But that seems impossible.

Does anyone know how to achieve those "shared" records?

Thanks a lot
Sebastian