On 22.03.21 at 00:39, Chris wrote:
On 2021-03-21 14:04, Alex JOST wrote:
Apologies if this has been asked before, but I was unable to find informative resources about this topic except this[1].
What are the downsides of having a recursive DNS server in front of an authoritative DNS server? I'm wondering if all the points listed in the linked article are relevant for small-scale installations.
Is anyone running such a setup and can share some advice with regards
to rate limiting?
There is *zero* concern for running your own recursive DNS, so long as *you* and ONLY you have access to it. It has the added advantage that YOU get to determine who is authoritative for the root zone "." and others you are concerned about. As it is likely for you now, all your clients' queries are sent to your upstream (ISP?) for answers, over which you have no control.
Using the knot recurser, and priming it against a known safe root authority, gives you the advantage of better control. Another advantage is that you now have the ability to create filters that block places you don't want to go, and other such things. So, in short: if you only grant queries from yourself (think 127.0.0.1/localhost), there is little to no reason for concern in creating a local recurser.
I've been running resolvers (Unbound) for mail servers and office
clients for years, but they have all been restricted to specific IP
ranges. And I've been running authoritative DNS servers (Knot DNS) with
some TLDs accessible from the world.
The scenario I was thinking about is:
* Have some real world TLDs (example.com) NS entry point to server A and server B
* Server A and B both have Knot DNS installed but listening on localhost port 5053
* Server A and B both have Knot Resolver installed and listening on a public IP port 53
* Queries for example.com are received by Knot Resolver and forwarded to Knot DNS
* Any other queries are resolved and answered by Knot Resolver
* There are no access restrictions for specific IP ranges
My concerns are:
* Is it feasible to run such a setup? Are there any drawbacks?
* Is it possible to (more or less) safely run Knot Resolver as an open resolver?
--
Alex JOST
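One way to configure the split described in the scenario above (Knot Resolver on the public port, Knot DNS on localhost:5053) without becoming an open resolver, as an added example written in Knot Resolver 5.x Lua configuration; it is not from the original thread or from the Knot project. Queries for the locally hosted zones are accepted from anyone and passed as stub queries to Knot DNS, while recursion for everything else is limited to trusted client ranges; the public address 203.0.113.10, the office range 192.0.2.0/24 and the first-matching-rule-wins evaluation order are assumptions.

```lua
-- Added example: kresd 5.x configuration (Lua), not from the original thread.
-- Assumes Knot Resolver listens on the public address and Knot DNS serves the
-- local zones on 127.0.0.1:5053, as in the scenario described in the thread.
modules = { 'view' }

-- Public listener (203.0.113.10 is a placeholder address).
net.listen('203.0.113.10', 53, { kind = 'dns' })

-- Zones hosted by the local authoritative Knot DNS.
local hosted = policy.todnames({ 'example.com' })

-- STUB sends non-recursive queries to the authoritative server and does not
-- validate, which is what we want for a zone we host ourselves.
local to_authoritative = policy.STUB('127.0.0.1@5053')

-- View rules are assumed to be matched in insertion order, with the first
-- rule whose policy returns an action winning, so the zone rules go first:
-- anyone on the Internet may ask about our own zones.
view:addr('0.0.0.0/0', policy.suffix(to_authoritative, hosted))
view:addr('::/0',      policy.suffix(to_authoritative, hosted))

-- Full recursion only for trusted clients (192.0.2.0/24 is a placeholder
-- for an office range); PASS hands the query on to normal resolution.
view:addr('127.0.0.0/8',  policy.all(policy.PASS))
view:addr('::1',          policy.all(policy.PASS))
view:addr('192.0.2.0/24', policy.all(policy.PASS))

-- Everybody else gets REFUSED for anything outside the hosted zones,
-- so the public port does not act as an open recursive resolver.
view:addr('0.0.0.0/0', policy.all(policy.REFUSE))
view:addr('::/0',      policy.all(policy.REFUSE))
```

REFUSE returns a small REFUSED reply, so untrusted clients fail fast and there is little to amplify; policy.DROP would send nothing at all, at the cost of those clients seeing timeouts.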