On 3 August 2022 6.53.11 UTC, Winfried Angele via Pdns-users <pdns-users@mailman.powerdns.com> wrote:
>Hi Eli,
>
>On 03.08.22 01:43, eli glynn via Pdns-users wrote:
>> I've recently inherited a really ugly mess at my company, involving a muddle
>> of PowerDNS, Route53, NS1, and just about every mixed-up interaction you
>> could imagine between them all.
>>
>> The biggest part of the jumble is the way PowerDNS was used as a poor man's
>> split horizon - we have a large number of records which point at internal
>> (e.g. 10.x) ranges, with duplicate entries in Route53 AND/OR NS1 (don't ask)
>> usually pointing at routable IPs. There's a lot of badness beyond just
>> that, but the majority of my pain is from that basic situation.
>>
>> Because the client systems are pointed at PDNS, and it considers itself
>> authoritative, we're forced to duplicate ALL external records
>
>Not sure if I got that right, but "clients" may only ask a Resolver (PowerDNS
>Recursor) and never an Auth (PowerDNS Authoritative).
>
>> (overridden or not) within PDNS, or NXDOMAINs result. This of course leads
>> to two (or sometimes three) sources of truth for all RRs, and historically
>> the needed due diligence has not been performed to keep them in sync.
>>
>> Long story short, in order to clean up the mess, I'm hoping to implement an
>> "overlay" in PowerDNS, whereby PDNS only contains the RRs which it needs to
>> override. If a record would normally be identical to the external value
>> (Route53 or NS1) then rather than duplicating it, I'd like PowerDNS to fall
>> through and do a recursive lookup externally, returning that value to the
>> client. So basically, if an NXDOMAIN or NODATA would be returned for a zone
>> PDNS considers itself authoritative for, it instead recurses and emits
>> whatever comes back from there.
>>
>> It seems this should be doable using a `postresolve()` hook, or even better
>> `nxdomain()` combined with `nodata()` to minimize Lua roundtrips. But I'm
>> having a heckuva time implementing the recursion part. I can't find any
>> canned tooling within Lua to do something theoretically simple (e.g. what in
>> python you'd do with `import socket ; return socket.gethostbyname("blah")`).
>> I've also considered writing a custom backend but would prefer to keep
>> things simple if at all possible.
>>
>> I know this is an unusual use-case (though I can see where such an "overlay"
>> could be very useful in a number of scenarios).
>>
>> Any feedback would be appreciated - suggestions, alternate approaches, or
>> even a flat "you can't do that in PowerDNS" if such is the case - it will
>> save me a lot of cycles if so :)
>
>What about the Recursor's "forward-zones" or "forward-zones-file" features? This
>way you could forward queries for your internal Domain Names to your internal
>Authoritative Nameserver.
>
>https://doc.powerdns.com/recursor/settings.html#forward-zones
>https://doc.powerdns.com/recursor/settings.html#forward-zones-file
>
>Winfried
>_______________________________________________
>Pdns-users mailing list
>Pdns-users@mailman.powerdns.com
>https://mailman.powerdns.com/mailman/listinfo/pdns-users
Or you could use dnsdist. See https://dnsdist.org - it is recommended for these kinds of things.

--
Aki
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
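The dnsdist layout Aki points at, written out as an added example (not code from the thread, from the dnsdist project, or from either poster): dnsdist sits in front of both PowerDNS daemons and routes each query by owner name, so the Authoritative server only ever sees the names it overrides and the NXDOMAIN fall-through asked for in the original question is never needed. It also keeps to Winfried's point that clients only ever talk to a resolver. The listener and backend addresses, the pool names, and the overrides file path are all assumptions made for illustration.

```lua
-- dnsdist.conf (dnsdist is configured in Lua). Added example; every
-- address, pool name and path below is an assumption, not from the thread.

-- Internal-only listener. The "auth" pool hands out 10.x answers, so the
-- ACL is the control that keeps those from ever being served to the outside.
setLocal("10.0.0.53:53")
setACL({"10.0.0.0/8"})

-- Backends: PowerDNS Authoritative holds only the overriding RRs,
-- PowerDNS Recursor resolves everything else (Route53 / NS1 via the
-- public tree). Both addresses are assumed.
newServer({address = "10.0.0.5:53", pool = "auth",     name = "pdns-auth"})
newServer({address = "10.0.0.6:53", pool = "resolver", name = "pdns-recursor"})

-- The override list: one owner name per line, '#' starts a comment.
-- This file is the single place that says "Auth wins for this name",
-- so it must be kept in sync with what Auth actually contains.
-- A missing file makes io.lines() raise and dnsdist refuse to start,
-- which is the safer failure than silently routing everything outside.
local overrides = newSuffixMatchNode()
local count = 0
for line in io.lines("/etc/dnsdist/overrides.txt") do
  local name = line:gsub("#.*$", ""):gsub("^%s+", ""):gsub("%s+$", "")
  if name ~= "" then
    overrides:add(newDNSName(name))
    count = count + 1
  end
end
infolog("loaded " .. count .. " override names")

-- Routing: a listed name (and everything below it) goes to Auth, all
-- other queries go to the Recursor. An unlisted name never reaches Auth,
-- so Auth's NXDOMAIN for it can never leak to the client.
addAction(SuffixMatchNodeRule(overrides), PoolAction("auth"))
addAction(AllRule(), PoolAction("resolver"))

-- One packet cache shared by both pools is fine here because routing is
-- a pure function of the query name, so a cached entry for a name always
-- came from the pool that name is routed to.
local cache = newPacketCache(10000)
getPool("auth"):setCache(cache)
getPool("resolver"):setCache(cache)
```

Two caveats before putting this in front of real clients. First, `SuffixMatchNodeRule` matches the listed name and its whole subtree, exactly like a Recursor forward-zone would, so listing `db.example.com` also sends `anything.db.example.com` to Auth, which then has to answer (or NXDOMAIN) for that subtree itself. Second, the overrides file and the Auth zone contents are now the two things that must agree: a name listed here but absent from Auth gets NXDOMAIN, and a name present in Auth but missing here is silently answered from Route53 or NS1. Validate edits with `dnsdist --check-config -C /etc/dnsdist/dnsdist.conf` before reloading.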