# how to best run a master and recursive DNS on same box?



## Chris_H (Jul 14, 2018)

This question _really_ feels like it belongs in the Network forum. But the description for Services indicates it belongs here. So here goes...

OK, I've run a single DNS to provide recursive queries for all the local servers, which are all DNS masters/SOAs for a multitude of domains. But traffic is increasing to the point that I'm going to need to start setting up 2 instances of DNS on several of the servers. As I contemplate the situation, and the available DNS software, I'm not sure of the best option/combination.
While both dns/bind and dns/powerdns essentially provide recursive/nonrecursive together, I'm not real keen on either of them. Mostly because they're too big and attempt to be the be-all-to-end-all. I'm using dns/knot for all the master/nonrecursive servers, and would really like to stick to that. But, while knot also has a recursor, I'm not quite sure how to set up both a recursor that answers (recursively) for the servers they run on, while also being authoritative-only for the domains they serve.
*TOPOLOGY*
All the boxes' NICs are internet facing (have internet-routable IPs) and are all connected upstream through an unmanaged switch.
Anyone care to chime in with their own brilliant suggestions, or experiences?

Thanks!

--Chris


----------



## ShelLuser (Jul 14, 2018)

What traffic is increasing though? Outgoing or incoming?

I also don't quite understand why you'd separate all the several domains across different servers to be honest. Same for the topology: so all the DNS servers have direct access to the Internet yet despite that they're still instructed to use a local dedicated DNS server for their own queries? (this is also what's making me wonder what kind of traffic we're talking about).

The topology sounds rather inefficient to me to be honest.

As to your question... I would probably change the topology into something more manageable and try to centralize the DNS traffic, optionally spread it across two or three instances if needed. There is a reason why DNS tends to be cached after all. I'd also rely on dns/bind912 simply because I know that it can handle higher amounts of traffic quite well, something I can't always say for "alternative" DNS servers as I like to call them.


----------



## Chris_H (Jul 14, 2018)

Thanks for the reply, ShelLuser!
Sorry. I'm afraid that was a horribly written question. It was late, and I was pretty tired.
Let me try that again:
At any given time, I have ~6-8 (DNS) servers.
They're attached to the internet as follows:

```
server00 ==>
server01 ==>
server02 ==> switch ==> internet
server03 ==>
server04 ==>
server ...
```

All told, they are SOA for ~60 domains (not including all the host(names) attached to those domains).
Each a subset of those collective domains.
_Technically_, to my question, none of that matters. But there it is.
One of those servers provides _recursive_ queries _only_ to the other (local) servers (as needed) via ACL.
_Technically_ speaking, the topology is *in*efficient. But given the environment I'm forced to work in, the only other option I can imagine would burn another IP, or create (at least) another hop.


> What traffic is increasing though? Outgoing or incoming?


By that, I meant the _recursor_ is being saturated to the point that it throws NXDOMAIN _incorrectly_;
that is, given the same query again, it'll give a domain (host) name. I think I need (at least) another recursor.
NOW. The real question:
_How_ can I run _both_ an authoritative, _and_ a recursor on the same box?
I don't like bind/named. Nor am I excited about powerdns.
Technically, I can simply spin up a copy of dns/knot2 && a copy of the knot2 recursor. But how will recursive queries know how to reach the (local) recursor, as I can't run both on the same port?

Thanks! I hope I was a bit clearer this time. 

--Chris


----------



## rootbert (Jul 14, 2018)

Not a brilliant suggestion, but works for me: I use powerdns as a master and nsd as secondary; as a resolver I use unbound. Setup is on some hardware more or less the same: using jails and pf, using 2 IP addresses seems a fine solution. If you can only have one IP address it's of course not so elegant.


----------



## rigoletto@ (Jul 14, 2018)

You can put them in jails, eventually using VNET(9) and/or link-aggregation, and then use dns/nsd in a MASTER/SLAVE fashion, plus dns/unbound (from ports to use devel/libevent) as resolver. See HERE and HERE.


----------



## Chris_H (Jul 16, 2018)

rootbert
Thanks for taking the time to reply! While your suggestion would work, I noted already that I'm not keen on using either dns/powerdns or dns/bind:
*powerdns*: bloatware - has way too many options that have little to do with serving, or fetching, (domain) names.
*named/bind*: also a little "bloaty" but mostly, because it has a sketchy security track record.
But thank you for trying! 

lebarondemerde
Thank you for the links, and response!
Aside from jail(8)s, vnet(9), and perhaps devel/libevent, everything points to _authoritative_ servers, and Linux.
I have no trouble setting up, and running, authoritative and recursive servers -- I'm already doing that now. What I _really_ need is to be able to do _both_ on the _same box_.
Have I missed something?
Thanks again, for taking the time to respond, lebarondemerde!

Maybe this simply isn't possible without using some Bloaty, or Dangerous, DNS implementation.

--Chris


----------



## VladiBG (Jul 16, 2018)

Your DNS infrastructure is wrong. Instead of trying to run both on the same box you should Disable recursion on authoritative servers!

It's better to have 2 HA master DNS servers that are isolated behind the firewall and not accessible from the internet, and have all other DNS servers be slave DNS to provide load balancing and caching.
Here are some examples of the DNS topology:

https://insights.sei.cmu.edu/sei_bl...st-domain-name-system-dns-infrastructure.html
https://www.pacnog.org/pacnog18/presentations/dns-best-practices.pdf


----------



## Chris_H (Jul 16, 2018)

Hello, VladiBG! Thanks for the reply!
OK, I must have asked this question really poorly.
The DNS servers I mentioned are all Authoritative for their domain, as well as additional domains.
They all have a single internet-routable IP attached to each NIC in the respective boxes. Save one, which has 2 NICs, and has 2 internet-routable IPs - one each to each (ethernet) port.
Each of these servers is attached to a (16-port) switch, which is, in turn, attached to my upstream link.
These servers are protected, as are the additional services they provide (mail / www), by pf(4). In fact, the _recursive_ DNS manages the (pf) tables. So, (at least) because these Authoritative servers also provide other services that require _external_ (domain) names / hosts, a (local) recursor is desired. My recent commitment to become a Perl (CPAN) mirror has necessitated a more robust recursive solution. While I could place all the DNS inside jail(8)s, I'm not sure of the advantage(s), save additional security. But they're all set up very securely, and run quite well -- even if under attack.
Why is a local-only, secured recursor on the same box so frowned upon?
In my (current) situation, it just makes sense.

Thanks for sharing the links and information, VladiBG, and taking the time to respond!

--Chris

P.S. The recursor manages several (pf) tables totaling almost 30 million (abusive source) addresses.


----------



## VladiBG (Jul 16, 2018)

The master DNS servers should serve only one role, without any other services on them (like mail/www). If you are using virtual machines for them, be sure that both machines are hosted on two separate hypervisors.


```
Master DNS server | ----> Private Network --> Router with Firewall (IPFW/PF)---> Internet
Update DNS server |                                        |               
                                                           |
                                                         (DMZ)
                                                           |
                                                    Slave DNS Server Farm
                                                    mail server 
                                                    www server
```


----------



## rootbert (Jul 16, 2018)

Just to mention: in my solution I use nsd for the public IP, accepting requests, and powerdns only for internal administration/editing of the zones. I don't like powerdns either, but I really like the vim-based editor with syntax check. Of course you could use knot, nsd or any other DNS server as primary (in my config the primary server, which is the only one able to edit DNS zones, is in a private net and not able to communicate with anything other than the secondary servers).


----------



## SirDice (Jul 16, 2018)

You can create your DNS servers to be both authoritative and recursive, but you must split these up into different views. The internal view can be recursive; the 'external' view only serves the authoritative domains and is only accessible from the internet.

The reason why you should split up recursive and authoritative is this: https://www.tripwire.com/state-of-s...n-protecting-unrestricted-open-dns-resolvers/
The gist of the article is that you should _never_ allow recursive requests from the internet.


----------



## Chris_H (Jul 16, 2018)

Thanks, SirDice, for the reply!
Yep. Know all about DNS (amplification) attacks. Just another reason to not use bind/named/ISC BIND.
I've managed a separate _recursive_ DNS to serve local requests for the other Authoritative servers for some 30 years, and then by email, as it was done before that. I'm keen on the (potential) hazards.
I'm really just interested in how one can run a *separate* recursor alongside (on the same box) an Authoritative DNS, when DNS typically uses the same port (udp|tcp 53 (domain)).


> The gist of the article is that you should _never_ allow recursive requests from the internet.


I'll only be serving recursive requests from *local* servers.

Thanks again, SirDice!


----------



## SirDice (Jul 17, 2018)

Chris_H said:


> Yep. Know all about DNS (amplification) attacks. Just another reason to not use the bind/named/ISC bind.


This is not limited to BIND, other DNS services can be abused in exactly the same way. It's all about configuration.
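As an added illustration of the two points raised above (Chris_H's "can't run both on the same port" and SirDice's "it's all about configuration"), here is a short sh script that is not part of this thread and not code from the Knot, Unbound or pf projects. It emits three illustrative config fragments for running dns/knot (authoritative) and dns/unbound (recursor) on one FreeBSD box by giving each daemon its own listen address on port 53, and carries a pre-flight check that refuses any listener list in which a wildcard bind would swallow the other daemon's address. The addresses 203.0.113.10 (authoritative, public NIC), 203.0.113.11 (recursor, second address), the local net 203.0.113.0/24 and the interface name em0 are assumptions, and the fragments are not complete daemon configs.

```shell
#!/bin/sh
# Added example, not from the thread or from any of the projects named in it.
# One way to run an authoritative server (dns/knot) and a recursive resolver
# (dns/unbound) on the same box: each daemon gets its own listen address on
# port 53, and neither is allowed to bind the wildcard.
# Assumed addresses: 203.0.113.10 (public NIC, authoritative), 203.0.113.11
# (second address, recursor for the local servers), local net 203.0.113.0/24.

# knot.conf fragment: authoritative only, bound to the public address.
# Knot does not recurse, so there is nothing to switch off here.
knot_listen_fragment() {
    cat <<'EOF'
server:
    listen: 203.0.113.10@53
EOF
}

# unbound.conf fragment: recursor bound to the second address only.
# access-control picks the most specific match, so the /0 refuse is the
# default and only the local network may recurse (never the internet).
unbound_listen_fragment() {
    cat <<'EOF'
server:
    interface: 203.0.113.11
    port: 53
    access-control: 0.0.0.0/0 refuse
    access-control: 203.0.113.0/24 allow
EOF
}

# pf.conf fragment: belt and braces, drop port 53 to the recursor address
# from anything outside the local network before unbound ever sees it.
pf_recursor_fragment() {
    cat <<'EOF'
ext_if = "em0"
block in quick on $ext_if proto { tcp, udp } from ! 203.0.113.0/24 to 203.0.113.11 port domain
EOF
}

# Pre-flight check before starting the second daemon: two space-separated
# lists of addr@port listeners (Knot's notation) must not collide. A
# wildcard bind (0.0.0.0 or ::) on a port claims every address on that
# port, which is exactly what makes "both on port 53" fail.
# Returns 0 when the lists are disjoint, 1 when any pair clashes.
listeners_disjoint() {
    for a in $1; do
        aaddr=${a%@*}; aport=${a#*@}
        for b in $2; do
            baddr=${b%@*}; bport=${b#*@}
            [ "$aport" = "$bport" ] || continue
            case "$aaddr/$baddr" in
                0.0.0.0/*|*/0.0.0.0|::/*|*/::) return 1 ;;
            esac
            [ "$aaddr" = "$baddr" ] && return 1
        done
    done
    return 0
}

main() {
    if listeners_disjoint "203.0.113.10@53" "203.0.113.11@53"; then
        echo "# listeners are disjoint, safe to run both daemons"
        knot_listen_fragment
        unbound_listen_fragment
        pf_recursor_fragment
    else
        echo "listener clash, fix the bind addresses first" >&2
        exit 1
    fi
}

main "$@"
```

The script only prints the fragments; nothing under /usr/local/etc is touched, so it can be run to see what the split looks like before copying the pieces into the real knot.conf, unbound.conf and pf.conf. The other local servers would then point /etc/resolv.conf at 203.0.113.11, while the public 203.0.113.10 keeps answering authoritative queries only. The check function is the part worth keeping around: run it against whatever listen lines are actually in the two configs before `service ... start`, because a `listen: 0.0.0.0@53` or `interface: 0.0.0.0` in either file is what produces the bind failure the thread is asking about.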


----------

