how to best run a master and recursive DNS on same box?

This question really feels like it belongs in the Network forum. But the description for Services indicates it belongs here. So here goes...

OK, I've run a single DNS to provide recursive queries for all the local servers, which are all DNS masters/SOAs for a multitude of domains. But traffic is increasing to the point that I'm going to need to start setting up 2 instances of DNS on several of the servers. As I contemplate the situation, and the available DNS software, I'm not sure of the best option/combination.
While both dns/bind and dns/powerdns essentially provide recursive/nonrecursive together, I'm not really keen on either of them. Mostly because they're too big and attempt to be the be-all-to-end-all. I'm using dns/knot for all the master/nonrecursive servers, and would really like to stick to that. But, while knot also has a recurser, I'm not quite sure how to set up both a recurser that answers (recursively) for the servers they run on, while also being authoritative-only for the domains they serve.
TOPOLOGY
All the boxes' NICs are internet facing (have internet-routable IPs) and are all connected upstream through an unmanaged switch.
Anyone care to chime in with their own brilliant suggestions, or experiences? :)

Thanks!

--Chris
 
What traffic is increasing though? Outgoing or incoming?

I also don't quite understand why you'd separate all the several domains across different servers to be honest. Same for the topology: so all the DNS servers have direct access to the Internet yet despite that they're still instructed to use a local dedicated DNS server for their own queries? (this is also what's making me wonder what kind of traffic we're talking about).

The topology sounds rather inefficient to me to be honest.

As to your question... I would probably change the topology into something more manageable and try to centralize the DNS traffic, optionally spread it across two or three instances if needed. There is a reason why DNS tends to be cached after all. I'd also rely on dns/bind912 simply because I know that it can handle higher amounts of traffic quite well, something I can't always say for "alternative" DNS servers as I like to call them.
 
Thanks for the reply, ShelLuser !
Sorry. I'm afraid that was a horribly written question. It was late, and I was pretty tired.
Let me try that again;
At any given time, I have ~6-8 (DNS) servers.
They're attached to the internet, as follows:
server00 ==>
server01 ==>
server02 ==> switch ==> internet
server03 ==>
server04 ==>
server ...
All told, they are SOA for ~60 domains (not including all the host(names) attached to those domains).
Each a subset of those collective domains.
Technically, to my question, none of that matters. But there it is. :)
One of those servers provides recursive queries only to the other (local) servers (as needed) via ACL.
Technically speaking, the topology is inefficient. But given the environment I'm forced to work in, the only other option I can imagine would burn another IP, or create (at least) another hop.
What traffic is increasing though? Outgoing or incoming?
By that, I meant the recurser is being saturated to the point that it throws NXDOMAIN incorrectly;
that is, given the same query again, it'll give a domain (host) name. I think I need (at least) another recurser.
NOW. The real question:
How can I run both an authoritative, and a recurser on the same box?
I don't like the bind/named. Nor am I excited about powerdns.
Technically, I can simply spin up a copy of dns/knot2 && a copy of knot2 recurser. But how will recursive queries know how to reach the (local) recurser, as I can't run both on the same port?

Thanks! I hope I was a bit clearer this time. :)

--Chris
 
not a brilliant suggestion, but works for me: I use powerdns as a master and nsd as secondary, as a resolver I use unbound. Setup is on some hardware more or less the same: using jails and pf, using 2 ip-addresses seems a fine solution. If you can only have one ip-address it's of course not so elegant.
 
rootbert
Thanks for taking the time to reply! While your suggestion would work, I noted already that I'm not keen on using
either dns/powerdns or dns/bind:
powerdns : bloatware - has way too many options that have little to do with serving, or fetching (domain) names.
named/bind : also a little "bloaty" but mostly, because it has a sketchy security track record.
But thank you for trying! :)

lebarondemerde
Thank you for the links, and response!
Aside from jail(8)'s , vnet(9) , and perhaps devel/libevent. Everything points to authoritative servers, and Linux.
I have no trouble setting up, and running authoritative, and recursive servers -- I'm already doing that now. What I really need, is to be able to do both on the same box.
Have I missed something?
Thanks again, for taking the time to respond, lebarondemerde !

Maybe this simply isn't possible without using some Bloaty, or Dangerous implementation DNS. :(

--Chris
 
Your DNS infrastructure is wrong. Instead of trying to run both on the same box you should disable recursion on authoritative servers!

It's better to have 2 HA master DNS servers that are isolated behind the firewall and not accessible from the internet and all other DNS servers to be slave DNS to provide load balance and caching.
Here's some example of the DNS topology

https://insights.sei.cmu.edu/sei_bl...st-domain-name-system-dns-infrastructure.html
https://www.pacnog.org/pacnog18/presentations/dns-best-practices.pdf
 
Hello, VladiBG ! Thanks for the reply! :)
OK I must have asked this question really poorly. :(
The DNS servers I mentioned, are all Authoritative for their domain, as well as additional domains.
They all have a single internet-routable IP attached to each NIC in the respective boxes. Save one, which has 2 NICs, and has 2 internet-routable IPs - one each to each (ethernet) port.
Each of these servers is attached to a (16 port) switch, which is, in turn, attached to my upstream link.
These servers are protected, as are the additional services they provide ( mail / www ), by pf(4). In fact, the recursive DNS manages the (pf) tables. So, (at least) because these authoritative servers also provide other services that require external (domain) names / hosts, a (local) recurser is desired. My recent commitment to become a Perl (CPAN) mirror has necessitated a more robust recursive solution. While I could place all the DNS inside jail(8)'s, I'm not sure of the advantage(s), save additional security. But they're all set up very securely, and run quite well -- even if under attack.
Why is a Local only, secured recurser on the same box so frowned upon?
In my (current) situation, it just makes sense.

Thanks for sharing the links, and information, VladiBG , and taking the time to respond!

--Chris

P.S. The recurser manages several (pf) tables totaling almost 30 million (abusive source) addresses.
 
The master DNS servers should serve only one role without any other services on them like (mail/www). If you are using virtual machines for them be sure that both machines are hosted on two separate hyper-visors.

Code:
Master DNS server | ----> Private Network --> Router with Firewall (IPFW/PF)---> Internet
Update DNS server |                                        |               
                                                           |
                                                         (DMZ)
                                                           |
                                                    Slave DNS Server Farm
                                                    mail server 
                                                    www server
 
Just to mention: in my solution I use nsd for the public IP, accepting requests, and powerdns only for internal administration/editing of the zones. I don't like powerdns either, but I really like the vim-based editor with syntax check. Of course you could use knot, nsd or any other dns server as primary (in my config the primary server, which is the only one able to edit dns zones, is in a private net not able to communicate with anything other than the secondary servers).
 
You can create your DNS servers to be both authoritative and recursive but you must split these up in different views. The internal view can be recursive the 'external' view only serves the authoritative domains and is only accessible from the internet.

The reason why you should split up recursive and authoritative is this: https://www.tripwire.com/state-of-s...n-protecting-unrestricted-open-dns-resolvers/
The gist of the article is that you should never allow recursive requests from the internet.
 
Thanks SirDice for the reply!
Yep. Know all about DNS (amplification) attacks. Just another reason to not use the bind/named/ISC bind. :)
I've managed a separate recursive DNS to serve local requests for the other Authoritative servers, for some 30 years, and then by email, as it was done before that. I'm keen on the (potential) hazards.
I'm really just interested in how one can run a separate recurser alongside (on the same box) an authoritative DNS, when DNS typically uses the same port (udp|tcp 53 (domain)).
The gist of the article is that you should never allow recursive requests from the internet.
I'll only be serving recursive requests from local servers. :)

Thanks again, SirDice ! :)
 
Yep. Know all about DNS (amplification) attacks. Just another reason to not use the bind/named/ISC bind.
This is not limited to BIND, other DNS services can be abused in exactly the same way. It's all about configuration.
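Added example (not from any poster in this thread) of the "it's all configuration" point, for the knot setup Chris wants: a kresd.conf for Knot Resolver that takes port 53 on loopback only, leaving knotd to bind the public address through its own `server: listen:` setting, and refuses recursion from anything but local clients. The addresses are placeholders, and kresd 5.x syntax is assumed.

```lua
-- kresd.conf (Knot Resolver) on a box that also runs knotd (Knot DNS).
-- Assumption: knotd binds only the public address, e.g. in knot.conf
--   server:
--     listen: 203.0.113.10@53        (placeholder address)
-- so the resolver can take port 53 on loopback without a collision.
net.listen('127.0.0.1', 53, { kind = 'dns' })
net.listen('::1', 53, { kind = 'dns' })

-- Only local clients may recurse. Rules are checked in order, first match
-- wins: loopback passes, everything else is refused, so even a mistaken
-- pf rule cannot turn this into an open resolver (the amplification
-- problem SirDice's link describes). knotd needs no equivalent rule,
-- because it never recurses at all.
modules.load('view')
view:addr('127.0.0.0/8', policy.all(policy.PASS))
view:addr('::1/128',     policy.all(policy.PASS))
view:addr('0.0.0.0/0',   policy.all(policy.DENY))
view:addr('::/0',        policy.all(policy.DENY))

-- Cache sized for the other local services (mail, www, a CPAN mirror)
-- that are the real clients of this resolver.
cache.size = 256 * MB
```

The local services then reach the resolver by pointing /etc/resolv.conf at `nameserver 127.0.0.1`, while the outside world only ever sees knotd on the public address.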
 