Hi,

I have a setup of PowerDNS where I need to answer all queries for a domain I've
registered (let's say mydomain.com). I also want to use the server to answer
all requests (recursive or authoritative) originating from my local network.
Since I use AD, some requests need to go to the AD server (let's say
addomain.internal). Last, I created a blacklist. The authoritative PowerDNS is
running on localhost, port 5300, and the blacklist PowerDNS (which will answer
127.0.0.1 for anything) is on localhost, port 5302.

I would like some opinions on whether the following setup for dnsdist.conf is
adequate or if I should change something:


-- dnsdist configuration file, an example can be found in
-- /usr/share/doc/dnsdist/examples/
setLocal('0.0.0.0:53')
addLocal('[0::0]:53')
setACL({'0.0.0.0/0', '::/0'}) -- Allow all IPs access (the rules below decide who gets recursion)

-- Downstream servers, grouped into pools that the rules below select
newServer({address='127.0.0.1:5300', pool='auth'})      -- authoritative PowerDNS
newServer({address='127.0.0.1:5300', pool='reverse'})   -- same server, used for the reverse zones
newServer({address='127.0.0.1:5302', pool='blackhole'}) -- answers 127.0.0.1 for anything
newServer({address='<ad PDC IP address>:53', pool='ad'})
newServer({address="8.8.8.8:53", pool="recursive"})
newServer({address="1.1.1.1:53", pool="recursive"})

-- Rules are evaluated in the order they are added; PoolAction stops at the first match.
-- My black list
addAction({"<undesired domain 1>."}, PoolAction("blackhole"))
addAction({"<undesired domain 2>."}, PoolAction("blackhole"))

addAction({"addomain.internal."}, PoolAction("ad"))
addAction({"mydomain.com."}, PoolAction("auth"))
-- My IP addresses. I have a class C (/24) IPv4 and a /48 IPv6
addAction({'3.2.1.in-addr.arpa'}, PoolAction("reverse"))
addAction({'d.c.b.a.0.9.8.7.6.5.4.3.2.1.ip6.arpa'}, PoolAction("reverse"))

-- based on https://boisetech.org/2020/02/25/configuring-dnsdist-a-basic-config/
-- This rule only matches queries that arrive on port 5053. No listener is
-- configured on that port in this file (e.g. no addDOHLocal), so as written
-- it never matches.
doh_ips=newNMG()
doh_ips:addMask('0.0.0.0/0')
doh_ips:addMask('::/0')
addAction(AndRule({NetmaskGroupRule(doh_ips, true), DSTPortRule(5053)}), PoolAction('recursive'))

-- Only these source networks get recursion. Queries from anywhere else that
-- matched no rule above fall through to the default pool, which has no servers.
recursive_ips=newNMG()
recursive_ips:addMask('127.0.0.0/8')
recursive_ips:addMask('::1/128')
recursive_ips:addMask('fe80::/10')
recursive_ips:addMask('1.2.3.0/24')
-- The original value '123456789abcd::0/64' is not valid IPv6 notation (a group
-- holds at most 4 hex digits) and dnsdist rejects it; placeholder /64 instead.
recursive_ips:addMask('1234:5678:9abc:d::/64')
addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursive'))


-- disable security status polling via DNS
setSecurityPollSuffix("")

-- Webserver. Based on https://dnsdist.org/guides/webserver.html
-- webserver() has no username argument: the second argument is the password
-- (basic auth accepts any username) and the third, if given, is the API key.
-- Note that this binds the web interface to all interfaces.
webserver("0.0.0.0:8083", "somepass")


Is this setup adequate? Would someone suggest something different/better?

Tks,

Roberto Greiner


_______________________________________________
dnsdist mailing list
[email protected]
https://mailman.powerdns.com/mailman/listinfo/dnsdist
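An added example, not from the post or from dnsdist: a small Python simulation of the posted rule order (dnsdist evaluates addAction rules top to bottom and PoolAction stops at the first match), useful for checking which pool a given client and name end up in, for instance that clients outside the listed networks can only reach the auth and reverse pools. The IPv6 mask is the post's placeholder written in valid notation, and the client addresses in the usage block are constructed.

```python
import ipaddress


def nmg(*masks):
    """newNMG() equivalent: a list of networks."""
    return [ipaddress.ip_network(m) for m in masks]


def suffix_rule(*names):
    """addAction({"name."}, ...) matches the name itself or any name below it."""
    suffixes = tuple(n.lower().rstrip(".") for n in names)

    def match(qname, _src):
        q = qname.lower().rstrip(".")
        return any(q == s or q.endswith("." + s) for s in suffixes)
    return match


def netmask_rule(masks):
    """NetmaskGroupRule: match on the client's source address."""
    def match(_qname, src):
        ip = ipaddress.ip_address(src)
        return any(ip in net for net in masks)  # v4 address in v6 net is just False
    return match


# Same order as the posted dnsdist.conf; placeholders kept from the post, and the
# IPv6 mask written in valid notation (the post's '123456789abcd::0/64' is not).
RULES = [
    (suffix_rule("<undesired domain 1>.", "<undesired domain 2>."), "blackhole"),
    (suffix_rule("addomain.internal."), "ad"),
    (suffix_rule("mydomain.com."), "auth"),
    (suffix_rule("3.2.1.in-addr.arpa", "d.c.b.a.0.9.8.7.6.5.4.3.2.1.ip6.arpa"), "reverse"),
    # DoH rule left out: nothing listens on port 5053 in the posted config.
    (netmask_rule(nmg("127.0.0.0/8", "::1/128", "fe80::/10", "1.2.3.0/24",
                      "1234:5678:9abc:d::/64")), "recursive"),
]


def route(qname, src_ip):
    """Return the pool the first matching rule selects, '' for the default pool."""
    for rule, pool in RULES:
        if rule(qname, src_ip):
            return pool
    return ""  # default pool: no newServer() is assigned to it in the posted config


if __name__ == "__main__":
    for q, src in [("www.mydomain.com", "203.0.113.5"), ("www.example.org", "203.0.113.5"),
                   ("www.example.org", "1.2.3.10"), ("host.addomain.internal", "1.2.3.10")]:
        print(f"{q:24} from {src:12} -> {route(q, src) or '(default pool, no servers)'}")
```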
