Re: [Pdns-users] Recursor / pdns installation help
Hello Patrick,

> Each of my dns servers runs pdns and each has a slave copy of the master pdns mysql database and in turn each server looks up the dns locally via mysql. This has been working great for 2 years. The problem is each server is running pdns, which has a DoS vulnerability, which is why I am upgrading to implement recursor.
>
> n...@mydomain.com - on server 1
> n...@mydomain.com - on server 2
> n...@mydomain.com - on server 3
> n...@mydomain.com - on server 4

Sounds like you are trying to solve this problem the wrong way.

A recursor can not act as an authoritative server for a domain. When serving domains, you need an authoritative server like pdns (for example: bind may combine the 2 functions into one server, but by default it can also not be authoritative for domains it does not have the data for).

If you are worried about mysql being too slow to handle a DoS attack, you should eliminate the database on (some of) the public servers:

1. you should use something like the bind-zone file backend (files on disk, instead of a database) on those servers, that should be the fastest
2. those servers would be slave servers, the server with the database is the master server

I thought I could recommend superslave operation where new domains are automatically recognised and added, but it seems like that is not supported on the file backend.

Bert: it looks like the option exists in the code, but it is not in the documentation on http://doc.powerdns.com/ ?:

supermaster-config: Location of (part of) named.conf where pdns can write zone-statements to
supermasters: List of IP-addresses of supermasters
supermaster-destdir: Destination directory for newly added slave zones

PS with superslaves, domains are not deleted, you should create a script for that.

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] Recursor / pdns installation help
Leen,

Hopefully a few last questions and I will attempt to keep it brief. I am just having confusion on how to get the recursor servers to look up from pdns with my configuration. I get that being authoritative for a domain will initiate a lookup to the defined dns server. How do I get a lookup and not expose the pdns software to the net and get the answers through recursor?

Currently this is my setup: Each of my dns servers runs pdns and each has a slave copy of the master pdns mysql database and in turn each server looks up the dns locally via mysql. This has been working great for 2 years. The problem is each server is running pdns, which has a DoS vulnerability, which is why I am upgrading to implement recursor.

ns1@mydomain.com - on server 1
n...@mydomain.com - on server 2
n...@mydomain.com - on server 3
n...@mydomain.com - on server 4

Also for testing I have ns5 set up on a new server running both pdns (5300) and recursor (53). The pdns software from my research and security testing still has the DoS issue. So when recursor is on ns5 responding to port 53 requests it passes the security testing.

New setup question: My plan is to install recursor on each of the ns1, ns2, ns3, and ns4 servers and then install pdns onto the fifth server (currently ns5). Should pdns on each be responding to port 53 requests only from ns1-4 on port 53? In doing this I then only have one database connection supporting the ns1-4 servers and no longer need the mysql slaves on each server. Currently all my hosting domains are pointing to ns1-4. So does each server ns1-4 need a forward definition to look up on the ns5 pdns server to get the authoritative response? I was hoping to keep the data local to each server. Since I set it up originally this way the dns servers have been running great. I am attempting to avoid a single point of failure with my setup.

Thanks in advance. Like I said previously I think I am just missing a piece of the pie to get it all together.

Patrick

On Dec 22, 2010, at 3:00 AM, pdns-users-requ...@mailman.powerdns.com wrote:

> From: Leen Besselink l...@consolejunkie.net
> Subject: Re: [Pdns-users] Recursor / pdns installation help
> To: pdns-users@mailman.powerdns.com
> Message-ID: 4d1145f4.1080...@consolejunkie.net
> Content-Type: text/plain; charset=ISO-8859-1
>
> On 12/21/2010 09:09 PM, Patrick Coffin wrote:
>> Leen, Thanks for the reply. We are hosting 1000's of dns records so entering them in the forwards is not an option. I will take your advice to split the pdns and recursor to separate servers. Should I expect that if I move the pdns to a separate server that the lookups will work correctly with the information I have given? I would move pdns back to port 53 and keep it connected to mysql for lookups. I would like it to be set up so that recursor queries the pdns server and database if we are authoritative for the domain. Otherwise recursor should look to the authoritative server for the answer.
>
> If the pdns server is authoritative for the domain, every recursor in the world will look at your pdns server when it wants to ask about that domain. Because the root and TLD will point them to your pdns server. Thus so will your own recursor.
>
> I suggest you set up a few domains in your recursor to point to your pdns for the domains. The few domains you use internally (don't forget your reverse DNS blocks). Just in case you lose connectivity to the outside world and the external root/TLD-servers can't be reached.
>
>> Is there another resource that I can reference for this setup? I believe I am just missing one or two pieces to get it working properly.
>
> Well, I hope the above makes sense to you. At least if that is the setup you want then it should not need any other configuration than what I mentioned above.
>
>> I appreciate the help!
>> Thanks, Patrick
Re: [Pdns-users] Recursor / pdns installation help
On 12/21/2010 03:03 AM, Patrick Coffin wrote:
> Hi,
>
> This is the first time posting to this board. If I am posting to the wrong list, sorry, and please advise where I should post this request for assistance.
>
> We are setting up a new installation of pdns and recursor. We have been running pdns for a couple years without issue. I am attempting to implement recursor and pdns to avoid a potential DoS attack and pass security compliance, which under the current version I am running will not pass.
>
> Currently we have 3 servers running pdns 2.9.22 in a Centos 5.5 environment. Each with their own mysql slave db. All works great except for the DoS issue.
>
> I set up a new testing server with pdns 2.9.21 and recursor 3.3, also a Centos 5.5 box, and I now pass security compliance, but am not getting the expected responses on DNS queries. I set up recursor to respond on port 53 and pdns to respond on 5300.
>
> recursor.conf entries
> # forward-zones=
> forward-zones=x.x.x.x:5300

Hi,

I'm not quite sure what you are trying to do, but I think forward-zones needs 1 or more domain names:

http://doc.powerdns.com/built-in-recursor.html#RECURSOR-SETTINGS

If it is just a few (or just the important) domains, that would work. If it is an ever changing 1000's, then this is not what you are looking for.

If security is your concern, it is normally not recommended to mix your recursor with your authoritative nameserver on the same IP-address anyway. So I suggest you don't.

But if you really want to, you can have pdns check the database first before trying to resolve the request recursively. In that case you swap them around (pdns on port 53 and pdns-recursor on port 5300) and use these settings:

recursor=
allow-recursion=

http://doc.powerdns.com/all-settings.html

Hope that helps.

Have a nice day,
Leen.

> local-port=53
>
> pdns.conf entries
> local-address=x.x.x.x
> local-port=5300
>
> If I query on a domain using dig I get the following error.
>
> dig mytestdomain.com @ns5
> --
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> mytestdomain.com @ns5
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18559
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;mytestdomain.com.    IN    A
>
> ;; Query time: 6 msec
> ;; SERVER: 209.3.87.44#53(209.3.87.44)
> ;; WHEN: Mon Dec 20 17:55:34 2010
> ;; MSG SIZE  rcvd: 28
> --
>
> logs output
> -
> Dec 20 17:43:25 xx pdns_recursor[9187]: [3] mytestdomain.com.: Resolved 'mytestdomain.com.' NS ns5.mydomain. to: xx.xx.xx.xx
> Dec 20 17:43:25 xx pdns_recursor[9187]: [3] mytestdomain.com.: Trying IP xx.xx.xx.xx:53, asking 'mytestdomain.com.|A'
> Dec 20 17:43:25 xx pdns_recursor[9187]: 0 question answered from packet cache from xx.xx.xx.xx
> Dec 20 17:43:25 xx pdns_recursor[9187]: [3] mytestdomain.com.: Got 0 answers from ns5.mydomain.net. (xx.xx.xx.xx), rcode=0, in 3ms
> Dec 20 17:43:25 xx pdns_recursor[9187]: [3] mytestdomain.com.: determining status after receiving this packet
> Dec 20 17:43:25 xx pdns_recursor[9187]: [3] mytestdomain.com.: status=noerror, other types may exist, but we are done
> Dec 20 17:43:25 xx pdns_recursor[9187]: [3] mytestdomain.com.: Starting additional processing
> Dec 20 17:43:25 xx pdns_recursor[9187]: [3] mytestdomain.com.: Done with additional processing
> Dec 20 17:43:25 xx pdns_recursor[9187]: 0 [3] answer to question 'mytestdomain.com.|A': 0 answers, 0 additional, took 6 packets, 0 throttled, 0 timeouts, 0 tcp connections, rcode=0
> Dec 20 17:43:59 xx pdns_recursor[9187]: 1 question answered from packet cache from xx.xx.xx.xx
>
> It looks as if it is trying the local dns server on 53, but it is not getting a reply. Also I do not see any queries hitting the database.
>
> If any additional information is needed, LMK
>
> Any help would be appreciated.
>
> Thanks,
> Patrick
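Added example, not from the thread and not from the PowerDNS documentation: the split layout Leen recommends (recursor and authoritative pdns on separate addresses, forward-zones carrying zone names rather than a bare ip:port), written out as config fragments for the two hosts. The addresses 192.0.2.10 (recursor) and 192.0.2.20 (authoritative pdns), the client network 198.51.100.0/24, the secondary addresses and the zone names are assumptions; allow-from on the recursor and allow-axfr-ips on pdns are not mentioned in the thread and are included as the usual hardening for a public-facing pair.

```ini
# --- recursor.conf on the public recursor (assumed address 192.0.2.10) ---
local-address=192.0.2.10
local-port=53
# forward-zones takes zone=ip[:port] pairs; a bare ip:port is not accepted.
# List only the zones that must still resolve when the root/TLD servers are
# unreachable (internal names and the reverse block); every other zone is
# resolved normally and reaches pdns through the public NS delegation anyway.
forward-zones=mydomain.net=192.0.2.20, 2.0.192.in-addr.arpa=192.0.2.20
# Recurse only for your own networks (assumed ranges). An open recursor is a
# DoS amplifier and fails the same kind of compliance scan as the old pdns.
allow-from=192.0.2.0/24, 198.51.100.0/24

# --- pdns.conf on the authoritative server (assumed address 192.0.2.20) ---
# Own address, port 53: the root/TLD delegation sends every resolver in the
# world here, so it cannot hide behind the recursor.
local-address=192.0.2.20
local-port=53
launch=gmysql
# Purely authoritative: no recursor= handoff. The recursor=/allow-recursion=
# pair Leen mentions is only for the other layout (pdns on 53 in front of the
# recursor). Zone transfers only to the secondaries (assumed addresses).
allow-axfr-ips=192.0.2.21, 192.0.2.22
```

For this to work, the NS records of every hosted zone (and the glue at the registrar) have to point at 192.0.2.20, so that both the outside world and the recursor's own lookups land on pdns rather than on the recursor's port 53; a delegation that still names the recursor host produces exactly the empty NOERROR answer and the "Trying IP xx.xx.xx.xx:53" trace seen in the thread.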
Re: [Pdns-users] Recursor / pdns installation help
On 12/21/2010 09:09 PM, Patrick Coffin wrote:
> Leen,
>
> Thanks for the reply. We are hosting 1000's of dns records so entering them in the forwards is not an option. I will take your advice to split the pdns and recursor to separate servers. Should I expect that if I move the pdns to a separate server that the lookups will work correctly with the information I have given? I would move pdns back to port 53 and keep it connected to mysql for lookups. I would like it to be set up so that recursor queries the pdns server and database if we are authoritative for the domain. Otherwise recursor should look to the authoritative server for the answer.

If the pdns server is authoritative for the domain, every recursor in the world will look at your pdns server when it wants to ask about that domain. Because the root and TLD will point them to your pdns server. Thus so will your own recursor.

I suggest you set up a few domains in your recursor to point to your pdns for the domains. The few domains you use internally (don't forget your reverse DNS blocks). Just in case you lose connectivity to the outside world and the external root/TLD-servers can't be reached.

> Is there another resource that I can reference for this setup? I believe I am just missing one or two pieces to get it working properly.

Well, I hope the above makes sense to you. At least if that is the setup you want then it should not need any other configuration than what I mentioned above.

> I appreciate the help!
>
> Thanks,
> Patrick
[Pdns-users] Recursor / pdns installation help
Hi,

This is the first time posting to this board. If I am posting to the wrong list, sorry, and please advise where I should post this request for assistance.

We are setting up a new installation of pdns and recursor. We have been running pdns for a couple years without issue. I am attempting to implement recursor and pdns to avoid a potential DoS attack and pass security compliance, which under the current version I am running will not pass.

Currently we have 3 servers running pdns 2.9.22 in a Centos 5.5 environment. Each with their own mysql slave db. All works great except for the DoS issue.

I set up a new testing server with pdns 2.9.21 and recursor 3.3, also a Centos 5.5 box, and I now pass security compliance, but am not getting the expected responses on DNS queries. I set up recursor to respond on port 53 and pdns to respond on 5300.

recursor.conf entries
# forward-zones=
forward-zones=x.x.x.x:5300
local-port=53

pdns.conf entries
local-address=x.x.x.x
local-port=5300

If I query on a domain using dig I get the following error.

dig mytestdomain.com @ns5
--
; <<>> DiG 9.6.0-APPLE-P2 <<>> mytestdomain.com @ns5
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18559
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mytestdomain.com.    IN    A

;; Query time: 6 msec
;; SERVER: 209.3.87.44#53(209.3.87.44)
;; WHEN: Mon Dec 20 17:55:34 2010
;; MSG SIZE  rcvd: 28
--

logs output
-
Dec 20 17:43:25 xx pdns_recursor[9187]: [3] mytestdomain.com.: Resolved 'mytestdomain.com.' NS ns5.mydomain. to: xx.xx.xx.xx
Dec 20 17:43:25 xx pdns_recursor[9187]: [3] mytestdomain.com.: Trying IP xx.xx.xx.xx:53, asking 'mytestdomain.com.|A'
Dec 20 17:43:25 xx pdns_recursor[9187]: 0 question answered from packet cache from xx.xx.xx.xx
Dec 20 17:43:25 xx pdns_recursor[9187]: [3] mytestdomain.com.: Got 0 answers from ns5.mydomain.net. (xx.xx.xx.xx), rcode=0, in 3ms
Dec 20 17:43:25 xx pdns_recursor[9187]: [3] mytestdomain.com.: determining status after receiving this packet
Dec 20 17:43:25 xx pdns_recursor[9187]: [3] mytestdomain.com.: status=noerror, other types may exist, but we are done
Dec 20 17:43:25 xx pdns_recursor[9187]: [3] mytestdomain.com.: Starting additional processing
Dec 20 17:43:25 xx pdns_recursor[9187]: [3] mytestdomain.com.: Done with additional processing
Dec 20 17:43:25 xx pdns_recursor[9187]: 0 [3] answer to question 'mytestdomain.com.|A': 0 answers, 0 additional, took 6 packets, 0 throttled, 0 timeouts, 0 tcp connections, rcode=0
Dec 20 17:43:59 xx pdns_recursor[9187]: 1 question answered from packet cache from xx.xx.xx.xx

It looks as if it is trying the local dns server on 53, but it is not getting a reply. Also I do not see any queries hitting the database.

If any additional information is needed, LMK

Any help would be appreciated.

Thanks,
Patrick