That may be true for a SOHO environment. But for a corporate network with 
numerous firewalls, my opinion is that firewalls should be firewalls. Tagging 
core services onto a security appliance is not the right solution for DNS 
servers that manage to cache different results.

I like Otto's suggestion of dnsdist, as it puts the onus on the design of the 
DNS servers to ensure that all clients end up resolving the same records.

On 17 Sept 2022, 19:24, at 19:24, Oscar Zovo <oscar.z...@gmail.com> wrote:
>If you are applying a firewall rule based on hostname, it makes sense
>that the firewall should be the one providing DNS recursive service to
>the DNS clients or to the downstream DNS caching servers, or you should
>resort to URL filtering.
>
>
>Best Regards,
>Óscar Zovo.
>
>On Saturday, 17/09/2022, 01:01, Djerk Geurts via Pdns-users <
>pdns-users@mailman.powerdns.com> wrote:
>
>> Just ran into an issue with recursive DNS servers where the two
>> servers have cached a different A record for mirror.centos.org.
>>
>> This is a problem as the firewalls permit access to the FQDN, which
>> presumes that both the client and the firewall end up with the same A
>> record for the domain.
>>
>> I'm intending to swap these recursors out with PowerDNS servers, but
>> am wondering if there's a way to keep the record cache in sync between
>> multiple recursors.
>>
>> --
>> Best regards,
>> *Djerk Geurts*
>> m: +44-7535-674620
>>
>> *Maizymoo Ltd* <https://maizymoo.com>
>> VAT No: GB192 1529 07
>> Registration Number: 6638104 (registered in England and Wales)
>> _______________________________________________
>> Pdns-users mailing list
>> Pdns-users@mailman.powerdns.com
>> https://mailman.powerdns.com/mailman/listinfo/pdns-users
>>