Note that even with this setup, your clients will need to point to one IP address (the pdns-recursor server), and your NS records will need to point to a different IP address (the pdns-auth server with the externally visible zones). So you will need to renumber one or the other.
That would be fine for me. I also don't need both instances to have the same IP address.
About the "3. Set up forwarding rules on pdns-recursor for your internal zones, pointing at your internal pdns-auth":
When I have stuff like:
foo.example.com IN A 127.0.0.1 (internal only)
bar.example.com IN A 99.99.99.99 (internal and external)
Then that's the same zone. And I have hundreds of those DNS records that need to be accessible in both "views", as well as hundreds that are internal-only.
I agree, it would have been better to use completely different zones for internal and external stuff in the beginning, but sadly I have to deal with the current setup.
Would I now have to make forwarding rules for each of those records in pdns-recursor?
Like: when foo.example.com is requested, ask internal-pdns-auth; when bar.example.com is requested, ask external-pdns-auth.
Because then I would need to duplicate all internal DNS records in the recursor as well as define them in the internal-pdns-auth. So I end up with two places to configure again, which brings the same downsides.
3. Install a Response Policy Zone (RPZ) in the recursor to *override* the results provided by the auth for queries from internal clients
Thanks a lot for that hint, I will look into that.
I guess you are talking about this bit here? https://doc.powerdns.com/recursor/lua-config/index.html
So I would need to write some Lua code that gets executed before the response is returned, and in case the response is an NXDOMAIN, I make a new lookup towards the external-pdns-auth server and return whatever that one returns?
Cheers
Sebastian
Sent: Wednesday, 15 November 2023 at 17:53
From: "Kevin P. Fleming via Pdns-users" <pdns-users@mailman.powerdns.com>
To: "Pdns-users" <pdns-users@mailman.powerdns.com>
Cc: "Kevin P. Fleming" <lists.pdns-us...@kevin.km6g.us>
Subject: Re: [Pdns-users] Share DNS-Records between two zones/views (internal & external)
On Wed, Nov 15, 2023, at 11:05, Brian Candler via Pdns-users wrote:
On 15/11/2023 14:53, sebastian-n-95--- via Pdns-users wrote:
Hey,
I am considering migrating my current BIND-based setup to PowerDNS.
For multiple zones, I currently have split-view in BIND, so that I can define DNS records available only for internal clients.
To achieve this, I have the following zonefiles:
mydomain.com.ext.zone <- This zonefile is used for the external view
mydomain.com.int.zone <- This zonefile is used for the internal view
But I also have:
mydomain.com.include <- This file is included in both zonefiles, so records defined there are available in both zones.
I was wondering how I could replicate a setup like this in PowerDNS.
BIND combines the roles of authoritative server and recursor; PowerDNS has separate programs (pdns and pdns-recursor).
Split views are IMO a bad idea anyway, but if you wanted to do it you would need to do something like this:
1. Run pdns-recursor for your internal clients to use
2. Run an instance of pdns-auth with your internal zones
There is another option to consider:
1. Run pdns-recursor for your internal clients to use
2. Run pdns-auth for the external view of the zones
3. Install a Response Policy Zone (RPZ) in the recursor to *override* the results provided by the auth for queries from internal clients
Those overrides can add new records, hide existing records, or replace records with alternative answers.
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
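A worked version of Kevin's RPZ suggestion, added here as an illustration and not code from PowerDNS or from anyone in the thread. It addresses Sebastian's "two places to configure" worry: the external pdns-auth keeps serving the public view plus the shared records (the old `.include` file), and the recursor's policy zone is generated from the *difference* between the internal and external views, so every record is maintained in exactly one place. Because an RPZ is keyed by query name and its local data replaces all RRsets at that name, the diff is computed per owner name: identical names produce no policy entry, names that are new or different inside become local data, and names that exist only outside are hidden with the `CNAME .` (NXDOMAIN) action. Assumptions: a deliberately simplified one-record-per-line zone syntax instead of a real zone parser, a policy zone named `internal.rpz`, constructed sample views in place of the poster's real data, and the `rpzFile()` directive from the recursor's Lua config page linked above.

```python
"""
Build a PowerDNS Recursor Response Policy Zone (RPZ) from the difference
between the internal and the external view of the same zone.

Added example for the thread above; not PowerDNS code and not the posters'
code. Assumptions: simplified zone syntax, a policy zone named internal.rpz,
constructed sample data, and loading via the recursor's rpzFile() directive.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

RPZ_ORIGIN = "internal.rpz."  # assumed name of the policy zone


@dataclass(frozen=True, order=True)
class Record:
    name: str    # fully qualified, lower-case, trailing dot
    rtype: str
    rdata: str
    ttl: int


_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?:(?P<ttl>\d+)\s+)?IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+?)\s*$")


def parse_zone(text: str, default_ttl: int = 300) -> list[Record]:
    """Parse '<fqdn> [ttl] IN <TYPE> <rdata>' lines; ';' starts a comment.
    Toy parser for this example only, not an RFC 1035 master-file parser."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable record: {raw!r}")
        name = m["name"].lower()
        if not name.endswith("."):
            raise ValueError(f"names must be fully qualified: {raw!r}")
        records.append(Record(name, m["type"], m["rdata"], int(m["ttl"] or default_ttl)))
    return records


def _by_name(records):
    groups = defaultdict(set)
    for r in records:
        groups[r.name].add(r)
    return groups


def rpz_diff(internal, external):
    """Decide per owner name what the policy must do for internal clients.

    RPZ triggers on the QNAME and local data replaces *all* RRsets at that
    name, so the comparison is per name, not per record:
      - identical RRsets in both views -> no entry, the external auth serves it
      - name new or different inside   -> local data with the complete
                                          internal RRsets of that name
      - name present only outside      -> hide it (NXDOMAIN for internal clients)
    Returns (overrides, hidden_names).
    """
    int_names, ext_names = _by_name(internal), _by_name(external)
    overrides, hidden = [], []
    for name in sorted(int_names.keys() | ext_names.keys()):
        ints = {(r.rtype, r.rdata) for r in int_names.get(name, ())}
        exts = {(r.rtype, r.rdata) for r in ext_names.get(name, ())}
        if ints == exts:
            continue
        if not ints:
            hidden.append(name)
        else:
            overrides.extend(sorted(int_names[name]))
    return overrides, hidden


def _owner(name):
    # trigger owner = the query name written relative to the policy zone origin
    return name.rstrip(".")


def render_rpz(overrides, hidden, serial, origin=RPZ_ORIGIN):
    """Emit the policy zone: ordinary records under the trigger owner are the
    RPZ 'local data' action, and 'CNAME .' is the RPZ NXDOMAIN action."""
    lines = [
        f"$ORIGIN {origin}",
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.{origin} {serial} 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    for r in overrides:
        lines.append(f"{_owner(r.name)} {r.ttl} IN {r.rtype} {r.rdata}")
    for name in hidden:
        lines.append(f"{_owner(name)} IN CNAME .")
    return "\n".join(lines) + "\n"


# Constructed sample views; addresses and names are made up for the example.
EXTERNAL_VIEW = """
example.com.          IN NS  ns1.example.com.
ns1.example.com.      IN A   99.99.99.1
bar.example.com.      IN A   99.99.99.99   ; shared by both views
www.example.com.      IN A   99.99.99.99
www.example.com.      IN TXT "public site"
extonly.example.com.  IN A   99.99.99.50   ; must not resolve inside
"""
INTERNAL_VIEW = """
example.com.          IN NS  ns1.example.com.
ns1.example.com.      IN A   99.99.99.1
bar.example.com.      IN A   99.99.99.99   ; identical -> no policy entry
www.example.com.      IN A   10.0.0.5      ; different answer inside (TXT hidden too)
foo.example.com.      IN A   10.0.0.10     ; internal only
*.dev.example.com.    IN A   10.0.0.20     ; wildcard, internal only
"""


def build_policy(serial=2023111501):
    """Run the whole pipeline on the sample views and return
    (overrides, hidden_names, rendered_zone_text)."""
    overrides, hidden = rpz_diff(parse_zone(INTERNAL_VIEW), parse_zone(EXTERNAL_VIEW))
    return overrides, hidden, render_rpz(overrides, hidden, serial)


if __name__ == "__main__":
    print(build_policy()[2])
```

The recursor would load the output with something like `rpzFile("/etc/powerdns/internal.rpz", {policyName="internal"})` in its Lua configuration (the directive from the lua-config page linked above; check the exact form against your recursor version), and it still needs a way to reach the external view for everything the policy does not mention, either normal recursion or a `forward-zones` entry for example.com pointing at the external pdns-auth. Two practitioner caveats: restrict the recursor to internal clients with `allow-from` or by the interfaces it listens on, because the policy file now *is* the internal view; and if example.com is DNSSEC-signed, the synthesized answers cannot carry valid signatures, so validating stub resolvers behind the recursor would reject them.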