PowerDNS authoritative server with private zones?
Posted by loop_us@reddit | linuxadmin | 11 comments
Hi r/linuxadmin,
I'm trying to migrate from Bind9 to PowerDNS and I have trouble finding an option to implement private (only for my company's IPs) resolvable domains on an authoritative PowerDNS server. My setup looks something like this:
---- Public Zone ----------
+-----------+
| pdns auth | <- Everyone can query
| secondary | <---------------------+
+-----------+                       |
                                  AXFR
---- Company Zone ---------         |
                                    |
+---------------+                   |
| pdns recursor | <- My users and customers can query
+---------------+                   |
                                    |
---- Private Zone ---------         |
                                    |
+-----------+                       |
| pdns auth |-----------------------+
| primary   | <- No one can query
+-----------+
There is a hidden primary that holds all public and private domains and sends them to the secondary via AXFR. Everyone can query the secondary for the public zones. The recursor works as a resolver for my users and our customers. If, for example, one of my users queries the recursor for one of our domains, then the recursor makes a recursive query beginning with the root nameservers, until it gets its answer from the secondary in the public zone.
What I want to set up is that the secondary holds its public zones and private sub-zones, which can only be queried by the recursor and internal IPs. With Bind9 this setup would look like this:
# declare ACL with company IPs (no space between address and prefix length)
acl "company" { 198.51.100.0/24; 203.0.113.0/24; };
# In this example we hold example.com; "primary" is a masters list defined elsewhere
zone "example.com" { type slave; file "db.example.com"; masters { "primary"; }; allow-query { any; }; };
# Add private sub-zone, only answerable to the company ACL
zone "private.example.com" { type slave; file "db.private.example.com"; masters { "primary"; }; allow-query { "company"; }; };
The PowerDNS documentation points to these examples:
Authoritative Server as Recursor with private zones
- This example lacks any ACL feature, which is needed to differentiate the source IPs to allow/disallow a query for a private zone.
- It assumes I want a resolver on an authoritative server, which I do not.
Authoritative Server as Recursor for clients and serving public domains
- This example uses dnsdist to make ACLs based on the source IP, which goes in the right direction.
- But it still implements a resolver, which again is not needed.
- It requires that you add every authoritative zone by hand to the recursor config, which takes away every advantage that I get from migrating to PowerDNS.
Do any of you have any ideas on how I can make this work?
chronop@reddit
in my org we have one database instance, but 2 different databases (pdns_internal and pdns_external for example) and we have separate pdns services for each (just give each the correct db info) with dnsdist in front. not saying it's the most elegant solution but it has worked for us and the separation has made some stuff easier regarding preventing abuse, scaling, etc.
loop_us@reddit (OP)
Looking at the replies here, I think that's exactly what it's going to come down to. Or rather a separate authoritative name server only for the internal zones.
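A sketch of the "separate authoritative server only for the internal zones" approach, as an added example; it is not taken from the thread or from the PowerDNS documentation. It assumes a second pdns auth primary at 10.0.0.5 that holds only the private zones in its own database, a company recursor at 198.51.100.53, and the company ranges from the OP's BIND ACL. Both fragments use the classic key=value syntax of recursor.conf and pdns.conf.

```ini
# --- recursor.conf on the company recursor (classic key=value syntax) ---
# Added example; every address, name and database below is an assumption.

# Who may use the recursor at all: the company ranges from the BIND ACL above
allow-from=198.51.100.0/24, 203.0.113.0/24
local-address=198.51.100.53

# private.example.com is answered by the private auth primary (assumed 10.0.0.5).
# The recursor sends those queries straight there and never asks the public
# secondary or the root servers for this name. Plain forward-zones (no "+")
# sends non-recursive queries, which is what an authoritative target expects.
forward-zones=private.example.com=10.0.0.5:53

# --- pdns.conf on the second (private) auth primary, assumed to be 10.0.0.5 ---
# pdns auth has no per-client query ACL, so "no one else can query it" has to
# come from where it listens plus a host or network firewall in front of it.
local-address=10.0.0.5
local-port=53

# Its own database, separate from the public primary's (names are assumptions)
launch=gmysql
gmysql-dbname=pdns_private
gmysql-user=pdns
gmysql-password=change-me

# Do not let anyone transfer the private zones out (127.0.0.1 is the default)
allow-axfr-ips=127.0.0.1
```

If, like the OP, you also delegate private.example.com from the public example.com zone, that is done with NS records in the public zone (for instance `pdnsutil add-record example.com private NS ns-private.example.com.` plus an A record for ns-private.example.com). Anything placed in the public zone is world-readable, so the delegation reveals the name and address of the private primary even though that server refuses outside connections; keep that in mind before pointing it at an internal address.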
loop_us@reddit (OP)
Hi, it's me from the future. This is what you did - Create a second pdns auth primary in the private zone, which can only be queried by the recursor. Then you have to put in your public zone:
Pro Tip: if you make something like ad.company.io your Active Directory Domain and the NS records as shown, it will solve a lot of DNS pains you might have.
mrhobby@reddit
I started with running a recursor+dnsdist server in front with the rule of forward-zones=.=dnsdist-front-ip:port
Then in your dnsdist you'll have a rule for internal ips forwarded to your ro internal nameserver and then all other queries go to root/public recursor.
You have a combination of subnet level ACLs and also domain specific rules (aka company.com is public and private.company.com is private). I guess you can achieve that with some nested dnsdist lbs for the ACL level and then recursor for the domain level rules, i.e. everyone targets dnsdist first and then you have two recursors under it to dictate domain specific rules if needed.
loop_us@reddit (OP)
But can dnsdist work on the secondary? Because it needs to allow queries for *.example.com for any and *.private.example.com from the recursor's IP only.
Amidatelion@reddit
dnsdist is just a DNS-aware load balancer. You can stick it in front of any of your servers.
loop_us@reddit (OP)
Sure thing. But the correct policies are the important part. And oh boy, the syntax of dnsdist is so horrible, it makes me appreciate nftables.
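The policy the OP describes (everything under example.com for anyone, private.example.com only from the recursor's and the company's addresses) expressed as a dnsdist configuration placed in front of the public secondary. This is an added example, not something posted in the thread or shipped with dnsdist; the listening addresses, the backend port 5300, the recursor address 192.0.2.53 and the company ranges are assumptions.

```lua
-- dnsdist.conf (Lua) on the host of the pdns auth secondary.
-- Added example; addresses, ports and names are assumptions.

-- dnsdist takes over port 53; the auth secondary is moved to a local port
setLocal("0.0.0.0:53")
addLocal("[::]:53")
newServer({address = "127.0.0.1:5300", name = "auth-secondary"})  -- pdns auth with local-port=5300

-- Anyone may talk to dnsdist at all; the private-zone restriction is per query below
setACL({"0.0.0.0/0", "::/0"})

-- Sources allowed to see the private sub-zone (assumed addresses)
local internal = newNMG()
internal:addMask("192.0.2.53/32")     -- the company pdns recursor
internal:addMask("198.51.100.0/24")   -- company range from the BIND ACL
internal:addMask("203.0.113.0/24")    -- company range from the BIND ACL

-- Refuse private.example.com unless the client is internal. QNameSuffixRule matches
-- the apex as well as every name below it, so SOA/NS/AXFR for the zone are covered too.
addAction(
  AndRule({
    QNameSuffixRule({"private.example.com."}),
    NotRule(NetmaskGroupRule(internal))
  }),
  RCodeAction(DNSRCode.REFUSED)
)

-- Everything else (the public example.com data) is passed to the secondary unchanged.
```

Two caveats. First, the secondary should still pull AXFR from the hidden primary directly; only client traffic goes through dnsdist, so a NOTIFY arriving on port 53 is forwarded to the backend like any other query. Second, answering REFUSED tells an outside party that the name exists and is special; if that matters, `RCodeAction(DNSRCode.NXDOMAIN)` hides it better, at the cost of being a lie that caches.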
SuperQue@reddit
Maybe try CoreDNS. It has several plugins that can be chained to do what you want. acls, views, etc.
loop_us@reddit (OP)
I have already committed to PowerDNS because of its SQL backend. This makes managing our 1000+ domains way easier than text files and the Web GUI will make the developers happy.
Since CoreDNS just uses Bind9 syntax with Bind9 zonefiles, I might as well stay with the current environment.
SuperQue@reddit
https://coredns.io/explugins/pdsql/
kiboflavin@reddit
Check out https://dnsdist.org/, it sits as a dns proxy server in front of powerdns that can provide the acl capabilities you need.