SFEpdns SFEpdns-recursor SFEdnsdist

  • Posted on: 2 January 2024
  • By: tomww

PowerDNS Authoritative Server follows a different approach than BIND for storing and serving authoritative DNS zones (the zone data lives in a backend such as a database rather than in zone files).
PowerDNS Recursor resolves DNS queries recursively on behalf of clients.
dnsdist is a DNS load balancer and redirector that makes its decisions based on simple Lua script snippets.
All three together can serve small to large setups. The command-line management is amazingly powerful: it sets up DNSSEC easily and makes daily tasks quick,
e.g. pdnsutil add-record example.com www A 192.168.1.2
(see https://makarainen.net/PowerDNS-pdnsutil-cheat-sheet)

In my setup an old BIND was running, both as an authoritative DNS server and as a recursive resolver for the local client computers.
Replacing this with PowerDNS takes some configuration work. The particular question was how to allow or disallow recursive DNS queries.

This article collects tips and sample configuration similar to the setup I use.

Task 1): Replace BIND in a setup with authoritative domains and local clients
TBD (please ping me if you are in a hurry for that section!)

Task 2): One of the entries in the local authoritative zone points to an HTTP/HTTPS load balancer. This is fine for visitors from outside, as they get the fixed public IP back in the reply.
For local clients, however, I want to avoid the hassle of having local-client traffic towards the load balancer go through the firewall, since the public IPs sit on the outside network. dnsdist can therefore serve the public IP to outside clients and, if the query originates on the local LAN, serve the local/internal IP that sits on the LAN instead.

Solution: Replace the public IP served by the authoritative zone whenever the client initiating the query is in the local LAN where the load balancer itself is.
dnsdist.conf:

-- all local LAN network address ranges (the last one is the site's own public range)
customerACLs = {"172.16.0.0/12", "192.168.0.0/16", "10.0.0.0/8", "212.213.214.0/20"}
-- makeRule() on a list of netmasks builds a NetmaskGroupRule that matches the client's source address.
-- If the query comes from one of those ranges and the name matches the RegexRule, answer with the local network IP.
-- Note: the DNS zone example.com itself only contains the public IP of the loadbalancer.
-- The dots are escaped so the regex matches the literal name (an unescaped '.' matches any character); the trailing dot is optional.
addAction(AndRule({makeRule(customerACLs), RegexRule("^loadbalancer01\\.example\\.com\\.?$")}), SpoofAction("192.168.1.57"))
addAction(AndRule({makeRule(customerACLs), RegexRule("^loadbalancer02-via-other-gateway\\.example\\.com\\.?$")}), SpoofAction("192.168.1.57"))
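
To check which (source address, query name) combinations those rules will actually spoof before putting the config live, here is an added Python model of the same decision logic (not part of the original post, and not dnsdist code). It assumes that RegexRule does a full match of the query name without its trailing dot, and it also shows why the dots in the name must be escaped.

```python
import ipaddress
import re
from typing import Callable, Optional

# Constructed copy of the post's values: LAN ranges and the internal load balancer address.
CUSTOMER_ACLS = ["172.16.0.0/12", "192.168.0.0/16", "10.0.0.0/8", "212.213.214.0/20"]
INTERNAL_LB = "192.168.1.57"

# strict=False: like dnsdist's Netmask, accept a range written with host bits set.
NETWORKS = [ipaddress.ip_network(n, strict=False) for n in CUSTOMER_ACLS]


def in_customer_acl(src_ip: str) -> bool:
    """Model of makeRule(customerACLs): does the client source address fall in any range?"""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in NETWORKS)


def regex_rule(pattern: str) -> Callable[[str], bool]:
    """Model of RegexRule (assumption: full match of the qname without trailing dot)."""
    compiled = re.compile(pattern)
    return lambda qname: compiled.fullmatch(qname.rstrip(".")) is not None


# The two rules from the post: (netmask rule AND name rule) -> spoofed answer.
RULES = [
    (regex_rule(r"^loadbalancer01\.example\.com$"), INTERNAL_LB),
    (regex_rule(r"^loadbalancer02-via-other-gateway\.example\.com$"), INTERNAL_LB),
]


def decide(src_ip: str, qname: str) -> Optional[str]:
    """Return the IP dnsdist would spoof for this query, or None if it is passed upstream."""
    if not in_customer_acl(src_ip):
        return None
    for matches, answer in RULES:
        if matches(qname):
            return answer
    return None


def unescaped_regex_is_too_broad() -> bool:
    """Why the dots must be escaped: an unescaped '.' also matches a name that is not ours."""
    loose = regex_rule("loadbalancer01.example.com")
    strict = regex_rule(r"^loadbalancer01\.example\.com$")
    odd_name = "loadbalancer01Xexample.com"  # constructed name, same length as the real one
    return loose(odd_name) and not strict(odd_name)
```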

More configuration examples will be added soon.
Switching from BIND to PowerDNS is possible, though the first steps may take some work and reading. But, to be honest, BIND also took some time to learn.