Hi Eli,
On 03.08.22 01:43, eli glynn via Pdns-users wrote:
> I've recently inherited a really ugly mess at my company, involving a
> muddle of PowerDNS, Route53, NS1, and just about every mixed up
> interaction you could imagine between them all.
>
> The biggest part of the jumble is the way PowerDNS was used as a
> poor-man's split horizon - we have a large number of records which point
> at internal (e.g. 10.x) ranges, with duplicate entries in Route53 AND/OR
> NS1 (don't ask) usually pointing at routable IPs. There's a lot of
> badness beyond just that, but the majority of my pain is from that basic
> situation.
>
> Because the client systems are pointed at PDNS, and it considers itself
> authoritative, we're forced to duplicate ALL external records

Not sure if I got that right, but "clients" may only ask a Resolver
(PowerDNS Recursor) and never an Auth (PowerDNS Authoritative).

> (overridden or not) within PDNS, or NXDOMAINs result. This of course
> leads to two (or sometimes three) sources of truth for all RRs, and
> historically the needed due diligence has not been performed to keep
> them in sync.
>
> Long story short, in order to clean up the mess, I'm hoping to implement
> an "overlay" in PowerDNS, whereby PDNS only contains the RRs which it
> needs to override. If a record would normally be identical to the
> external value (Route53 or NS1) then rather than duplicating it, I'd
> like PowerDNS to fail through and do a recursive lookup externally,
> returning that value to the client. So basically, if an NXDOMAIN or
> NODATA would be returned for a zone PDNS considers itself authoritative
> for, it instead recurses and emits whatever comes back from there.
>
> It seems this should be doable using a `postresolve()` hook, or even
> better `nxdomain()` combined with `nodata()` to minimize Lua
> roundtrips. But I'm having a heckuva time implementing the recursion
> part. I can't find any canned tooling within Lua to do something
> theoretically simple (e.g. what in python you'd do with `import socket ;
> return socket.gethostbyname("blah")`). I've also considered writing a
> custom backend but would prefer to keep things simple if at all possible.
>
> I know this is an unusual use-case (though I can see where such an
> "overlay" could be very useful in a number of scenarios).
>
> Any feedback would be appreciated - suggestions, alternate approaches,
> or even a flat "you can't do that in PowerDNS" if such is the case - it
> will save me a lot of cycles if so :)
What about the Recursor's "forward-zones" or "forward-zones-file" features?
This way you could forward queries for your internal Domain Names to
your internal Authoritative Nameserver.

https://doc.powerdns.com/recursor/settings.html#forward-zones
https://doc.powerdns.com/recursor/settings.html#forward-zones-file
Winfried
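Before paring PowerDNS down to the overlay Eli describes and forwarding everything else as Winfried suggests, it helps to know which of the duplicated RRsets actually differ from the public view. As an added example that is not part of the thread, the Python below compares two constructed RR lists (standing in for a PowerDNS export and a Route53/NS1 export), sorts each RRset into drop / override / internal-only, and flags public A/AAAA RRsets that carry RFC1918 or ULA addresses, since those are the split-horizon leaks the "two sources of truth" situation tends to produce.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: (owner, type, rdata), one tuple per RR.
# INTERNAL is what PowerDNS serves today; EXTERNAL is the public view
# (Route53/NS1). Both lists are made up for this example.
INTERNAL = [
    ("www.example.test.",  "A",  "203.0.113.10"),       # same as public: drop
    ("git.example.test.",  "A",  "10.20.0.5"),          # differs: real override
    ("vpn.example.test.",  "A",  "10.20.0.9"),          # no public copy: keep
    ("mail.example.test.", "MX", "10 mx.example.test."),
]
EXTERNAL = [
    ("www.example.test.",  "A",  "203.0.113.10"),
    ("git.example.test.",  "A",  "203.0.113.20"),
    ("mail.example.test.", "MX", "10 mx.example.test."),
    ("old.example.test.",  "A",  "10.20.0.77"),         # private IP leaked publicly
]

# Only RFC1918 and IPv6 ULA count as "internal" here (ipaddress.is_private
# would also flag documentation ranges such as 203.0.113.0/24).
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def is_internal_addr(rdata):
    addr = ipaddress.ip_address(rdata)
    return any(addr in net for net in PRIVATE)

def index(rrs):
    """Group rdata by (owner, type), normalised, so whole RRsets compare as sets."""
    sets = defaultdict(set)
    for owner, rtype, rdata in rrs:
        sets[(owner.lower(), rtype.upper())].add(rdata)
    return sets

def plan_overlay(internal, external):
    """Classify each internal RRset as 'drop' (identical to public, let the
    recursor forward it), 'override' (differs, stays in PowerDNS) or
    'internal_only'; 'leaked' lists public A/AAAA RRsets with private addresses."""
    i, e = index(internal), index(external)
    plan = {"drop": [], "override": [], "internal_only": [], "leaked": []}
    for key, rdatas in i.items():
        bucket = ("internal_only" if key not in e
                  else "drop" if rdatas == e[key] else "override")
        plan[bucket].append(key)
    for key, rdatas in e.items():
        if key[1] in ("A", "AAAA") and any(is_internal_addr(r) for r in rdatas):
            plan["leaked"].append(key)
    return {action: sorted(keys) for action, keys in plan.items()}

if __name__ == "__main__":
    for action, keys in plan_overlay(INTERNAL, EXTERNAL).items():
        print(action + ":", ", ".join(f"{o} {t}" for o, t in keys) or "-")
```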