I've asked in IRC but was instructed to ask here. I'm interested (and trying to find an ideal way) to provide a recursor which will selectively modify certain records, or "smart DNS".
Being that some may be unaware what "smart DNS" is, it's a colloquial term for modifying certain strategic records so that instead of pointing directly to the original/authentic resource (say, a webserver), the traffic is pointed to a specific address that is internally controlled - usually a reverse proxy to the "true" resource that performs some sort of modification on the content being served not offered by the upstream/"true" resource.

I can't provide an actual example from implementation, because: 1.) This is still in the architectural stage, and 2.) The specific records will change from site to site. However, I can use an existing domain as an example enough for POC purposes. Some IP addresses are, obviously, not actual (as they have yet to be determined). Configurations have been provided matching these.

FIRST, two reverse HTTP proxies (for round-robining) are turned up at address 1.2.3.4 and 4.3.2.1. For this example, we are assuming to be performing some modifications on http://www.w3schools.com by removing all javascript from the pages. The specifics for this content filtering proxy are left out for brevity and because they aren't important to the DNS component, but this is the model I'll use for example.

Authoritatively:

    $ dig +short ns w3schools.com
    ns2.maximumasp.com.
    ns1.maximumasp.com.

    $ dig +short soa w3schools.com
    ns1.maximumasp.com. admin.maximumasp.com. 2005122568 7200 600 1209600 3600

    $ host www.w3schools.com
    www.w3schools.com is an alias for cs837.wac.edgecastcdn.net.
    cs837.wac.edgecastcdn.net has address 192.229.173.207

    $ host -t A w3schools.com
    w3schools.com has address 66.29.212.110

Second, an authoritative server is set up at 1.1.1.1 for the "overridden" records using pdns-4.1.3 on CentOS 7 via repo.powerdns.com. The following configuration is used:

    [root@auth ~]# egrep -Ev '^[[:space:]]*(#|$)' /etc/pdns/pdns.conf
    daemon=no
    dnsupdate=yes
    guardian=no
    launch=gmysql
    gmysql-host=localhost
    gmysql-user=[REDACTED]
    gmysql-dbname=[REDACTED]
    gmysql-password=[REDACTED]
    local-address-nonexist-fail=no
    resolver=8.8.8.8
    setgid=pdns
    setuid=pdns
    version-string=anonymous

(NOTE: Not shown are log settings, as they're only currently set for debugging)

With the following records (apologies for display mangling):

    [root@auth ~]# mysql -e "SELECT * FROM records" [REDACTED]
    +----+-----------+-------------------+------+--------------------------------------------------------------------------+------+------+-------------+----------+-----------+------+
    | id | domain_id | name              | type | content                                                                  | ttl  | prio | change_date | disabled | ordername | auth |
    +----+-----------+-------------------+------+--------------------------------------------------------------------------+------+------+-------------+----------+-----------+------+
    | 32 |         2 | w3schools.com     | SOA  | ns1.maximumasp.com admin.maximumasp.com 2005122570 7200 600 1209600 3600 | 3600 |    0 |        NULL |        0 | NULL      |    1 |
    | 33 |         2 | www.w3schools.com | A    | 1.2.3.4                                                                  | 3600 |    0 |        NULL |        0 | NULL      |    1 |
    | 34 |         2 | www.w3schools.com | A    | 4.3.2.1                                                                  | 3600 |    0 |        NULL |        0 | NULL      |    1 |
    +----+-----------+-------------------+------+--------------------------------------------------------------------------+------+------+-------------+----------+-----------+------+

    [root@auth ~]# mysql -e "SELECT * FROM domains" [REDACTED]
    +----+---------------+--------+------------+--------+-----------------+---------+
    | id | name          | master | last_check | type   | notified_serial | account |
    +----+---------------+--------+------------+--------+-----------------+---------+
    |  2 | w3schools.com |        |       NULL | NATIVE |            NULL |         |
    +----+---------------+--------+------------+--------+-----------------+---------+

Third, a recursor (pdns-recursor-4.1.3 on CentOS 7 via repo.powerdns.com) is set up at 1.1.1.2 and client machines would be configured to use this as their resolver. Configuration:

    [root@resolver ~]# egrep -Ev '^[[:space:]]*(#|$)' /etc/pdns-recursor/recursor.conf
    setuid=pdns-recursor
    setgid=pdns-recursor
    disable-packetcache=yes
    forward-zones=.=1.1.1.1;8.8.8.8
    local-address=0.0.0.0

(NOTE: Not shown are very low TTL settings and log settings, as they're only currently set for debugging)

THE TL;DR: I need to be able to query 1.1.1.2 for www.w3schools.com and get a round-robin reply of 1.2.3.4 and 4.3.2.1 instead of the CNAME record "cs837.wac.edgecastcdn.net" (per above). However, I need to *also* be able to query 1.1.1.2 for, say, w3schools.com (i.e. the "naked" domain) and have it return the response from the actual authoritative nameservers (or, more accurately/ideally, the root nameservers) (e.g. per above, 66.29.212.110). Or any other domain (e.g. google.com, etc.) and have it return the record as resolved by either 1.1.1.1 or 1.1.1.2.

When the SOA record above is disabled, the "naked" domain is returned fine - *but* the record returned for www.w3schools.com is a CNAME to cs837.wac.edgecastcdn.net (in other words, as it is "upstream").

Is there a way to have, say, the recursor query 8.8.8.8 if 1.1.1.1 returns an NXDOMAIN for a record? Or the auth return a record from 8.8.8.8 if it doesn't find the record in its DB?
_______________________________________________ Pdns-users mailing list Pdns-users@mailman.powerdns.com https://mailman.powerdns.com/mailman/listinfo/pdns-users
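Added example, not part of the post above and not code from the PowerDNS project: the Recursor's own hook mechanism (`lua-dns-script` in recursor.conf, available in recursor 4.1) lets a single recursor answer a handful of names from a local table and recurse everything else normally, which is the behaviour the post asks for. The override table, the TTL, the file path /etc/pdns-recursor/override.lua and the rotation counter are assumptions for this example; the name and the two proxy addresses are the placeholders from the post.

```lua
-- Added example (not from the original post or the PowerDNS project):
-- a PowerDNS Recursor 4.x Lua hook that answers selected names from a
-- local override table and lets every other query recurse normally.
-- Load it with:  lua-dns-script=/etc/pdns-recursor/override.lua  (assumed path)

-- Override table (assumed): qname, lower-case, no trailing dot -> list of A records.
-- The addresses are the placeholder proxy addresses from the post.
local overrides = {
  ["www.w3schools.com"] = { "1.2.3.4", "4.3.2.1" },
}

local ttl = 60        -- assumed: short TTL so an override can be withdrawn quickly
local rotate = 0      -- per-Lua-state counter used to rotate answer order

-- preresolve runs before the recursor consults its cache or the network.
-- Returning true means "the answer built in dq is final"; false means "recurse".
function preresolve(dq)
  local name = dq.qname:toStringNoDot():lower()
  local addrs = overrides[name]
  if addrs == nil then
    return false                   -- w3schools.com, google.com, ...: normal recursion
  end

  if dq.qtype == pdns.A or dq.qtype == pdns.ANY then
    -- Rotate the starting address so successive answers list the two
    -- proxies in different order (round robin across the proxies).
    local n = #addrs
    for i = 0, n - 1 do
      local a = addrs[((rotate + i) % n) + 1]
      dq:addAnswer(pdns.A, a, ttl)
    end
    rotate = (rotate + 1) % n
    dq.rcode = pdns.NOERROR
    return true
  end

  -- Any other type (AAAA, CNAME, TXT, ...) for an overridden name gets an
  -- empty NOERROR answer, so the upstream CNAME (and any upstream AAAA,
  -- which an IPv6-capable client would otherwise follow straight past the
  -- proxy) is never handed to the client.
  dq.rcode = pdns.NOERROR
  return true
end
```

With this hook the separate authoritative server for the overrides is not needed and the recursor can keep plain `forward-zones=.=8.8.8.8` (or recurse from the roots). Two things to check when deploying it: the semicolon-separated server list in `forward-zones` is a failover pool, so an NXDOMAIN from 1.1.1.1 is a final answer and is never retried against 8.8.8.8, which is why the two-server setup in the post cannot do what is wanted; and answers synthesised in `preresolve` carry no RRSIGs, so a downstream stub that validates DNSSEC itself will treat the overridden name as bogus.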