Hi;

I have two questions.


1. If dnsdist is similar to an (HTTP reverse) proxy, and if dnsdist is accessible
on the public internet,
 is this sample config correct for an authoritative DNS?
   
setLocal("any") -------------> client from public internet
newServer("192.168.0.10") ---> back-end 1
newServer("192.168.0.11") ---> back-end 2


2. Can dnsdist work on a "stealth-dmz" BIND DNS, where "named.conf" has access
rules with multiple configured zones for recursion
and no recursion?


----- Original Message -----
From: [email protected]
To: "dnsdist" <[email protected]>
Sent: Thursday, January 23, 2020 8:00:02 PM
Subject: dnsdist Digest, Vol 53, Issue 6


Today's Topics:

   1. DNS use cases as authoritative dns server facing public
      internet ([email protected])
   2. Re: DNS use cases as authoritative dns server facing public
      internet (Jacob Bunk Nielsen)
   3. Re: DNS use cases as authoritative dns server facing public
      internet (Andreas Danzer)


----------------------------------------------------------------------

Message: 1
Date: Thu, 23 Jan 2020 11:16:14 +0800 (PST)
From: [email protected]
To: [email protected]
Subject: [dnsdist] DNS use cases as authoritative dns server facing
        public internet
Message-ID:
        <[email protected]>
Content-Type: text/plain; charset="utf-8"

Hi; 

I have a question regarding the posture of dnsdist as an authoritative DNS server
facing the public internet.
How would the design look if you put dnsdist (load balancer) in front of the
origin DNS servers?
I have two (2) internet-facing authoritative DNS servers translated from my firewall.
Can I also do NAT on dnsdist
while the origin DNS servers are on private IP addresses?

Thank you. 

------------------------------

Message: 2
Date: Thu, 23 Jan 2020 09:18:36 +0100
From: Jacob Bunk Nielsen <[email protected]>
To: [email protected]
Subject: Re: [dnsdist] DNS use cases as authoritative dns server
        facing public internet
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"; Format="flowed"

Hi

On 23/01/2020 04.16, [email protected] wrote:
> I have a question regarding the posture of dnsdist as an authoritative
> DNS server facing the public internet.
> How would the design look if you put dnsdist (load balancer)
> in front of the origin DNS servers?
> I have two (2) internet-facing authoritative DNS servers translated from my
> firewall. Can I also do NAT on dnsdist
> while the origin DNS servers are on private IP addresses?

Short answer, yes.

Slightly longer answer, think of dnsdist more as a caching proxy/load 
balancer than as a router. So you'd set up dnsdist to listen for 
incoming queries and let dnsdist distribute the queries among backend 
servers depending on your preferred load balancing scheme. See also 
https://dnsdist.org/guides/serverselection.html

For redundancy you'll probably also want at least 2 dnsdist instances 
that can then sit in front of however many backends are required to 
handle the load.

Best regards,

Jacob


------------------------------

Message: 3
Date: Thu, 23 Jan 2020 11:07:24 +0100
From: Andreas Danzer <[email protected]>
To: [email protected]
Subject: Re: [dnsdist] DNS use cases as authoritative dns server
        facing public internet
Message-ID: <[email protected]>
Content-Type: text/plain; charset=utf-8

Hi,

> I have a question regarding the posture of dnsdist as an authoritative DNS
> server facing the public internet.
> How would the design look if you put dnsdist (load balancer)
> in front of the origin DNS servers?
> I have two (2) internet-facing authoritative DNS servers translated from my
> firewall. Can I also do NAT on dnsdist
> while the origin DNS servers are on private IP addresses?

Our authoritative nameservers are built with dnsdist as a load balancer in
front of several PowerDNS servers. Some of those backend servers are
running on private RFC1918 IP addresses, with only dnsdist having a
globally routable IP. Dnsdist also serves as some sort of DNS firewall
with rate-limiting and special handling of some request types (e.g.
ANY). We also use it to handle incoming/outgoing AXFR/IXFR requests and
notifications for customers based on an extra database and a hidden DNS.
Think of dnsdist as the Swiss Army knife for DNS. ;-)

Regards,
A. Danzer
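
The layout discussed in this thread (public listener, private back ends, rate limiting, special handling of ANY), written out as a dnsdist configuration. This is an added example, not part of any message in the thread and not any poster's actual configuration; the health-check name `example.com.`, the server names and the 50 qps limit are constructed assumptions.

```lua
-- Added example: names, check zone and limits are constructed assumptions.

-- Public-facing listeners, given as explicit address:port pairs.
setLocal("0.0.0.0:53")
addLocal("[::]:53")

-- dnsdist's default ACL only admits private and local source ranges.
-- A public authoritative front end has to admit all clients explicitly,
-- otherwise queries from the internet are silently dropped.
setACL({"0.0.0.0/0", "::/0"})

-- Back ends on RFC 1918 addresses (the two from the question).
-- They see every query arriving from dnsdist's own address, so any
-- source-based access rule on the back end matches dnsdist, not the
-- original client.
newServer({address="192.168.0.10:53", name="backend1",
           checkName="example.com.", checkType="SOA"})
newServer({address="192.168.0.11:53", name="backend2",
           checkName="example.com.", checkType="SOA"})

-- Send each query to the back end with the fewest outstanding queries.
setServerPolicy(leastOutstanding)

-- Rules are evaluated in order; the first matching terminal action wins.

-- 1. Per-source-IP rate limit: drop anything above 50 queries per second.
addAction(MaxQPSIPRule(50), DropAction())

-- 2. ANY over UDP gets a truncated reply, so a legitimate client retries
--    over TCP while spoofed-source UDP traffic gets no large answer.
addAction(AndRule({QTypeRule(DNSQType.ANY), TCPRule(false)}), TCAction())
```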


------------------------------

Subject: Digest Footer

_______________________________________________
dnsdist mailing list
[email protected]
https://mailman.powerdns.com/mailman/listinfo/dnsdist


------------------------------

End of dnsdist Digest, Vol 53, Issue 6
**************************************