On 07/03/2018 06:46 AM, Chris Hofstaedtler wrote:
>> On 02.07.2018, at 19:25, Steven Spencer <[email protected]> wrote:
> [..]
>> As long as the recursor does return the correct information (as ours did)
>> can we assume that things are working? Is there a good way to make sure that
>> the authoritative server is properly configured before an actual go-live?
>> (testing methodology)
> You can use the “Pre-delegated zone check” on https://zonemaster.iis.se (or
> any other public zonemaster installation) to check your new auth (possibly on
> a different IP for testing purposes).
>
> To some degree it sounds like you’re not absolutely sure that all your recursive
> traffic is indeed sent to your PowerDNS Recursors. I’d suggest running
> tcpdump on your existing PowerDNS Authoritative Servers to verify that they
> only receive traffic from Recursors, and not from your internal devices.
>
> C
>

Chris,

Thanks for the response. Actually, I'm nearly positive that the recursors and authoritative servers were doing exactly as they were supposed to during our go-live attempt; I just wasn't prepared for the results. What we need now is a way to redirect the appropriate traffic (recursors for resolution) from our local network and ARIN IP block. I received a possible solution using iptables that would eliminate an organization-wide change of local DNS servers on machines and equipment and would instead redirect that traffic to the appropriate server. Still evaluating that, but I think that is where we are at the moment. Thanks for your response!

--
Steven G. Spencer, Network Administrator
KSC Corporate - The Kelly Supply Family of Companies
Office 308-382-8764 Ext. 1131
Mobile 402-765-8010
_______________________________________________
Pdns-users mailing list
[email protected]
https://mailman.powerdns.com/mailman/listinfo/pdns-users
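
Added example, not part of the original thread: one way to carry out the tcpdump check suggested above is to summarise which source addresses query the authoritative server and list any that are not known Recursors. The recursor addresses, the capture lines and the function names are constructed for illustration; the parser assumes IPv4 text output from `tcpdump -nn` (numeric addresses and ports).

```shell
# Constructed recursor addresses (documentation range); replace with your own.
RECURSORS="192.0.2.10 192.0.2.11"

# unexpected_sources LIST: read `tcpdump -nn` text lines on stdin and print
# "count source-ip" for every sender to port 53 that is not in LIST.
unexpected_sources() {
  awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $2 == "IP" && $4 == ">" {
      src = $3; dst = $5
      sub(/:$/, "", dst)               # tcpdump ends the destination with ":"
      if (dst !~ /\.53$/) next         # keep only packets addressed to port 53
      sub(/\.[0-9]+$/, "", src)        # drop the source port, keep the address
      if (!(src in ok)) seen[src]++
    }
    END { for (s in seen) print seen[s], s }
  ' | sort -k1,1nr -k2,2
}

# Constructed sample capture: two recursors, one reply, two internal clients.
sample_capture() {
  cat <<'EOF'
12:00:01.100000 IP 192.0.2.10.53412 > 198.51.100.53.53: 4242 A? www.example.com. (33)
12:00:01.100900 IP 198.51.100.53.53 > 192.0.2.10.53412: 4242*- 1/0/0 A 203.0.113.80 (49)
12:00:02.200000 IP 10.20.30.40.61001 > 198.51.100.53.53: 7001+ A? www.example.com. (33)
12:00:02.900000 IP 192.0.2.11.40000 > 198.51.100.53.53: 4243 MX? example.com. (29)
12:00:03.300000 IP 10.20.30.40.61002 > 198.51.100.53.53: 7002+ AAAA? www.example.com. (33)
12:00:04.000000 IP 10.20.30.77.5353 > 198.51.100.53.53: 9+ A? intranet.example.com. (38)
EOF
}

# Demo on the sample; on a real server feed it a bounded capture instead, e.g.
#   tcpdump -nn -c 10000 udp dst port 53 | unexpected_sources "$RECURSORS"
sample_capture | unexpected_sources "$RECURSORS"
```

An empty result means every query in the capture came from a listed Recursor; any address printed is a client still talking to the authoritative server directly.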
