This is great, thank you! 

I'd been staring at the problem for too long, my objectivity was gone. 
These suggestions clear out some cobwebs! 

Thanks again. 

CH 

On 2022-11-17 11:58 PM, Brian Candler wrote:

> On 17/11/2022 22:48, Michael Hallager via Pdns-users wrote: 
> 
>> I recommend you fix your underlying issues now by getting all your servers 
>> onto the same net block or net blocks which can route between each other 
>> without NAT.
> 
> Also I'd suggest fixing the other underlying issue, which is that a single IP 
> address is used for answering both recursive DNS and authoritative DNS.  If 
> you put the recursor and [ext] authoritative on different IPs, then dnsdist 
> can vanish and a lot of complexity disappears.
> 
> Since the [ext] authoritative servers would have their own dedicated public 
> IPs, then there would be no issue with notifies and zone transfers between 
> them.
> 
> The [int] authoritative servers can all be bound to private IPs, and can be 
> VPN'd together.  The only clients which send requests to them are their local 
> recursors.
> 
> Unfortunately this does involve config changes, but you have two options:
> 
> 1. Change the IP address of the recursors: you must change all the client 
> machines to point to these new IPs
> 2. Change the IP address of the ext authoritative servers: you must change 
> either the NS records in your public zones, or the A records associated with 
> your NS records (and glue records where you have them)
> 
> If you choose option 1, and you bind your recursive servers to private IPs, 
> then you don't need any extra public IP addresses.
> 
> However for performance reasons, it's better if you can give your recursors 
> public IP addresses as well.  This is so that the outbound queries they send 
> don't have to go via NAT, which could generate a lot of NAT states in the NAT 
> router they are sitting behind.  But of course, the int recursor *can* share 
> the same public IP address as the ext authoritative.
> 
> So you could build it like this, if you don't need to serve recursor clients 
> on the public Internet, and you can put two 10.x.x.x private IPs on each 
> server:
> 
> * pdns_server [external] binds to public IP port 53
> * pdns_recursor binds to internal IP 1 port 53. It uses the public IP for 
> outbound queries, and forwards requests for local domains to pdns_server 
> [internal]
> * pdns_server [internal] binds to internal IP 2 port 53 (and/or to a 127 
> address; the second internal IP is for these servers to do zone transfers)
> 
> Regards,
> 
> Brian.

-- 
CH <ch-and-pdns-us...@ch.pkts.ca>
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
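The three-bind layout Brian sketches above, written out as PowerDNS settings for one server; this is an added example, not configuration posted in the thread. The addresses (203.0.113.x for public, 10.0.x.x for internal), the zone name corp.example and the file paths are assumed placeholders.

```ini
# --- pdns_server [external]: /etc/powerdns/pdns.conf (assumed path) ---
# Listens only on the public IP, never on the address the recursor uses.
local-address=203.0.113.10
local-port=53
# Notifies and zone transfers run directly between the public IPs of the
# other external authoritatives, so no NAT sits in the path.
allow-axfr-ips=203.0.113.20,203.0.113.30
also-notify=203.0.113.20,203.0.113.30
primary=yes   # "master=yes" on Authoritative Server releases before 4.5

# --- pdns_recursor: /etc/powerdns/recursor.conf (assumed path) ---
# Listens on internal IP 1 only; its clients are the local networks.
local-address=10.0.0.1
local-port=53
allow-from=10.0.0.0/8
# Outbound queries leave from the public IP, shared with the external
# authoritative, so the NAT router holds no state for them.
query-local-address=203.0.113.10
# Local domains go to the internal authoritative on internal IP 2;
# everything else is resolved recursively.
forward-zones=corp.example=10.0.0.2:53, 0.10.in-addr.arpa=10.0.0.2:53

# --- pdns_server [internal]: /etc/powerdns/pdns-int.conf (assumed path,
#     read by a second instance started with --config-name=int) ---
# Listens on internal IP 2 and loopback; reachable only by the local
# recursor and, over the VPN, by the other internal authoritatives.
local-address=10.0.0.2,127.0.0.1
local-port=53
allow-axfr-ips=10.0.1.2,10.0.2.2
also-notify=10.0.1.2,10.0.2.2
primary=yes
```

With this split, nothing listens on the public IP except the external authoritative, so dnsdist is no longer needed to demultiplex recursive and authoritative traffic on one address.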
