On 15/11/2023 14:53, sebastian-n-95--- via Pdns-users wrote:
Hey,

I am considering migrating my current BIND-Based setup to PowerDNS.

For multiple zones, I currently have split-view in bind, so that I can define DNS-Records available only for internal clients.

To achieve this, I have the following zonefiles:

mydomain.com.ext.zone <- This zonefile is used for the external view
mydomain.com.int.zone <- This zonefile is used for the internal view

But I also have:

mydomain.com.include <- This file is included in both zonefiles, so records defined there are available in both zones.

I was wondering how I could replicate a setup like this in PowerDNS.

BIND combines the roles of authoritative server and recursor; PowerDNS has separate programs (pdns and pdns-recursor).

Split views are IMO a bad idea anyway, but if you wanted to do it you would need to do something like this:

1. Run pdns-recursor for your internal clients to use
2. Run an instance of pdns-auth with your internal zones
3. Set up forwarding rules on pdns-recursor for your internal zones, pointing at your internal pdns-auth
4. Run a separate instance of pdns-auth with your external zones (i.e. the ones which your NS records point at)

Note that even with this setup, your clients will need to point to one IP address (the pdns-recursor server), and your NS records will need to point to a different IP address (the pdns-auth server with the externally visible zones).  So you will need to renumber one or the other.

If you really, really, really want to have a single IP address that performs both functions, then you will indeed need to put dnsdist on that address. But I would strongly advise against it; it's too many moving parts. Either just renumber your recursor IP (maybe you can give the new address to all your clients using DHCP), or renumber your external auth nameserver (which just means changing the A record for your nameserver, and possibly glue records).

PowerDNS is designed for use in large-scale ISP operations, where it is best practice to separate recursor and authoritative services and run them on different IP addresses.


But for DNS-Records that I want to have for internal AND external clients, I would need to create them in both PowerDNS-instances. To me, the risk seems too high, that by accident, DNS-Records are only created/updated on one PowerDNS-Instance, but not on the other.

That is one of the (several) risks associated with split DNS, yes.

Regards,

Brian.
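A concrete rendering of the four steps above, added here as an illustration and not taken from the thread or from the PowerDNS project. All addresses are constructed documentation ranges, the file paths are assumed, and it assumes the bind backend (launch=bind) so the existing zonefiles, including the shared include, can be loaded unchanged by each auth instance:

```ini
# /etc/powerdns/recursor.conf  (steps 1 and 3: the resolver internal clients use)
# constructed internal address; this is what clients get via DHCP
local-address=192.0.2.53
# only internal networks may recurse through this server
allow-from=192.0.2.0/24, 10.0.0.0/8
# step 3: hand queries for the internal zone to the internal auth (non-recursive
# forwarding, which is what an authoritative server expects); port is assumed
forward-zones=mydomain.com=192.0.2.10:5300
# everything not listed above is resolved on the public Internet as usual

# /etc/powerdns/pdns-int/pdns.conf  (step 2: internal authoritative instance)
# reachable only from the recursor, not from the Internet
local-address=192.0.2.10
local-port=5300
launch=bind
# assumed named.conf that declares mydomain.com with file mydomain.com.int.zone
bind-config=/etc/powerdns/pdns-int/named.conf

# /etc/powerdns/pdns-ext/pdns.conf  (step 4: the instance the NS records point at)
# constructed public address; this is the one glue/A records must carry
local-address=203.0.113.10
local-port=53
launch=bind
# assumed named.conf that declares mydomain.com with file mydomain.com.ext.zone
bind-config=/etc/powerdns/pdns-ext/named.conf
```

Because the recursor forwards the whole internal zone to the internal auth, any record an internal client must see has to exist in mydomain.com.int.zone (or the include it pulls in); the external instance never answers internal clients for that zone.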
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
