Hi Brian,
Thank you for your feedback.
On 04-10-2021 14:54, Brian Candler wrote:
> [snip]
> No. There's no need for dnsdist unless you have a specially complex or
> unusual installation. It's only shown that way in the document you
> quote for people who are *forced* to put both authoritative and
> recursive nameservice on the same IP address, for legacy reasons or
> because of bad planning.
>
> All you want is:
> * Internet -> auth (for serving the public zones) [note 1]
> * VMs/VPN clients -> recursor [note 2, 3]
>
> [note 1]: public zones need to be served by at least *two* auth servers
> located in at least two different networks (autonomous systems), and
> preferably different continents. See RFC 2182.

Thanks, RFC 2182 is on my reading list.

> [note 2]: you probably want two recursors for redundancy too.

Yes, that makes sense.

> [note 3]: as long as your public zones are properly public and
> delegated, there is no need to point your recursor at your auth servers:
> the recursor will follow the published NS records just like everyone else.

Got it. That sounds like a nice test to see if everything is working as
it's supposed to.

> However if you have *private* domains, that are only visible to your own
> recursor users, that's when you look at using forward-zones - and you
> might have to use negative trust anchors (NTA) if these private domains
> are subdomains of a DNSSEC-signed zone. It's much simpler just to keep
> the DNS public.

That sounds challenging and I like to keep things simple, so private
zones are off the table.

> Your authoritative nameservers need public IPs; your recursors can be
> behind NAT.

Everything has a public IP but good to know that a recursor can be
behind NAT.

> HTH,

It definitely does help. Thank you!
Best,
Patrick
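As an added illustration of the split Brian describes above (public zones left to normal delegation, recursor reachable only by internal clients, and the forward-zones plus NTA case for a private subdomain of a signed zone), here is a PowerDNS Recursor 4.x configuration. It is not configuration from this thread or from the PowerDNS project; the zone names, addresses and file paths are placeholders.

```ini
# /etc/powerdns/recursor.conf  (placeholder addresses and zone names)

# The recursor serves only the private side; it may sit behind NAT.
local-address=10.0.0.53
# Only VMs and VPN clients are allowed to query it (open resolvers get abused).
allow-from=10.0.0.0/8, 192.0.2.0/24
# Validate DNSSEC for everything the recursor resolves.
dnssec=validate

# The public zones are deliberately NOT listed anywhere here: the recursor
# follows the NS records published in the parent, like every other resolver,
# which is also the easiest check that the public delegation is correct.

# Only a private zone (visible to internal clients alone) is forwarded to
# the internal authoritative server, non-recursively.
forward-zones=internal.example.com=192.0.2.10
lua-config-file=/etc/powerdns/recursor.lua

# --- /etc/powerdns/recursor.lua (Lua config file referenced above) ---
# internal.example.com is a subdomain of the DNSSEC-signed example.com, so
# the validator would expect a signed delegation it can never find; the NTA
# tells it not to validate under that name.
#   addNTA("internal.example.com", "private unsigned zone, forwarded internally")
```

If there are no private zones at all, the `forward-zones` and `lua-config-file` lines (and the NTA) are simply omitted, which is the "keep the DNS public" option from the thread.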
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users