Comments

• 

  20 days ago by opithart | Reply

  Result

  In the end, I chose quite an unusual software stack to handle my needs. It is a combination of both PowerDNS and KnotDNS (made by nic.cz). I've decided on a two slave node and hidden master setup. PowerDNS as the master and Knot as the slaves and recursors for handling client queries other than for hkfree.org zone.

  The hidden master

  The hidden master term basically means just that the master authoritative server is not going to be handling client queries at all. It's job is to be the "single source of truth" of all the zones and records. Any change on the master is propagated to the slaves in the matter of seconds with DNS zone transfer and AXFR queries.

  Another big goal of my project is to make DNS management easy for around 80 "region admins" we have in hkfree.org. For that I chose PowerDNS-Admin. It looks nice, is fast, responsive and has great integration with powerdns authoritative server REST API.

  The slaves

  For the slaves, we have two Dell R720 servers, we want high reliability after all. They both have identical setup as the slaves. Firstly, they both have VRRP (Virtual Router Redundancy Protocol) running on them for highly avaliable fixed IP address for handling client queries.

  As the DNS queries come in, they firstly go to Knotdns recursor, which has some security policies setup. Mainly those that ignore any PTR queries from outside our network. We do not want to leak our IP addressing scheme to the whole internet.

  The cleverness is in the recursor rules. Here is an example of how the policies are configured.

  -- Domain list definitions
  public_reverse = policy.todnames({'248.89.in-addr.arpa'})
  all_-reverse = policy.todnames({'107.10.in-addr.arpa', '207.10.in-addr.arpa', '248.89.in-addr.arpa'})
  all_hkf = policy.todnames({'hkfree.org', '107.10.in-addr.arpa', '207.10.in-addr.arpa', '248.89.in-addr.arpa'})
  only_public = policy.todnames({'hkfree.org', '248.89.in-addr.arpa'})
  
  -- Allow our reverse records because default is blocking them per RFC 6761#section-6
  policy.add(policy.suffix(policy.PASS, all_reverse))
  
  -- Allow all 
  view:addr('10.107.0.0/16', policy.suffix(policy.STUB({'127.0.0.2@53'}), all_hkf))
  view:addr('10.107.0.0/16', policy.all(policy.PASS))
  
  view:addr('89.248.240.0/20', policy.suffix(policy.STUB({'127.0.0.2@53'}), all_hkf))
  view:addr('89.248.240.0/20', policy.all(policy.PASS))
  
  -- Drop all IPv4 that hasn't matched
  view:addr('0.0.0.0/0', policy.suffix(policy.STUB({'127.0.0.2@53'}), only_public))
  view:addr('0.0.0.0/0', policy.all(policy.DROP))
  

  After the recursor, it's time for KnotDNS authoritative server to shine. It's set up as a slave with all our hkfree.org zones. When a change occurs on the hidden-master, it immediately notifies both slaves and updates the changed records. Thus a change in from the web interface is propagated to all the slaves in the matter of seconds.

  Deplyment

  Since this project is a part of our critical infrastructure, it has to have a testing period before we can switch to it. After necessary testing, more than 30 000 device will be using my project. ( ~5000 households each average 6 devices )

  Conclusion

  I have greatly enjoyed my first Hack Week, I've learned a lot of new stuff, failed a few times, reworked the architecture a few times and had lengthy debates with my friends and colleagues about how it all should and shouldn't work. It gave me a new view on the whole concept of the Domain Name System and it's interworkings. I'll perhaps update this thread when the project is finally deployed in production.

  I am looking forward to my next Hackweek project.

×
Edit Comment 9409
# A First Level Header
## A Second Level Header

Use one asterisk to *emphasize*

Use two asterisks for **strong emphasis**

- Use hyphens
- for unordereed
- lists

This is an [link to example.com](http://example.com/)

This is an image ![an openSUSE geeko icon](https://en.opensuse.org/images/d/d0/Icon-distribution.png)

This is a user link @hans

This is a project link hw#some-cool-title
More Complex Markdown Help
Formatting Help
• Edit
• Preview
## Result In the end, I chose quite an unusual software stack to handle my needs. It is a combination of both PowerDNS and KnotDNS (made by nic.cz). I've decided on a two slave node and hidden master setup. PowerDNS as the master and Knot as the slaves and recursors for handling client queries other than for `hkfree.org` zone. ### The hidden master The hidden master term basically means just that the master authoritative server is not going to be handling client queries at all. It's job is to be the "single source of truth" of all the zones and records. Any change on the master is propagated to the slaves in the matter of seconds with [DNS zone transfer](https://en.wikipedia.org/wiki/DNS_zone_transfer) and AXFR queries. Another big goal of my project is to make DNS management easy for around 80 "region admins" we have in hkfree.org. For that I chose [PowerDNS-Admin](https://github.com/PowerDNS-Admin/PowerDNS-Admin). It looks nice, is fast, responsive and has great integration with powerdns authoritative server REST API. ### The slaves For the slaves, we have two Dell R720 servers, we want high reliability after all. They both have identical setup as the slaves. Firstly, they both have VRRP ([Virtual Router Redundancy Protocol](https://en.wikipedia.org/wiki/Virtual_Router_Redundancy_Protocol)) running on them for highly avaliable fixed IP address for handling client queries. As the DNS queries come in, they firstly go to Knotdns recursor, which has some security policies setup. Mainly those that ignore any PTR queries from outside our network. We do not want to leak our IP addressing scheme to the whole internet. The cleverness is in the recursor rules. Here is an example of how the policies are configured. -- Domain list definitions public_reverse = policy.todnames({'248.89.in-addr.arpa'}) all_-reverse = policy.todnames({'107.10.in-addr.arpa', '207.10.in-addr.arpa', '248.89.in-addr.arpa'}) all_hkf = policy.todnames({'hkfree.org', '107.10.in-addr.arpa', '207.10.in-addr.arpa', '248.89.in-addr.arpa'}) only_public = policy.todnames({'hkfree.org', '248.89.in-addr.arpa'}) -- Allow our reverse records because default is blocking them per RFC 6761#section-6 policy.add(policy.suffix(policy.PASS, all_reverse)) -- Allow all view:addr('10.107.0.0/16', policy.suffix(policy.STUB({'127.0.0.2@53'}), all_hkf)) view:addr('10.107.0.0/16', policy.all(policy.PASS)) view:addr('89.248.240.0/20', policy.suffix(policy.STUB({'127.0.0.2@53'}), all_hkf)) view:addr('89.248.240.0/20', policy.all(policy.PASS)) -- Drop all IPv4 that hasn't matched view:addr('0.0.0.0/0', policy.suffix(policy.STUB({'127.0.0.2@53'}), only_public)) view:addr('0.0.0.0/0', policy.all(policy.DROP)) After the recursor, it's time for KnotDNS authoritative server to shine. It's set up as a slave with all our hkfree.org zones. When a change occurs on the hidden-master, it immediately notifies both slaves and updates the changed records. Thus a change in from the web interface is propagated to all the slaves in the matter of seconds. ### Deplyment Since this project is a part of our critical infrastructure, it has to have a testing period before we can switch to it. After necessary testing, more than 30 000 device will be using my project. ( ~5000 households each average 6 devices ) ## Conclusion I have greatly enjoyed my first Hack Week, I've learned a lot of new stuff, failed a few times, reworked the architecture a few times and had lengthy debates with my friends and colleagues about how it all should and shouldn't work. It gave me a new view on the whole concept of the Domain Name System and it's interworkings. I'll perhaps update this thread when the project is finally deployed in production. I am looking forward to my next Hackweek project.
 
×
Reply to opithart
Result
In the end, I chose quite an unusual software stack to handle my needs. It is a combination of both PowerDNS and KnotDNS (made by nic.cz). I've decided on a two slave node and hidden master setup. PowerDNS as the master and Knot as the slaves and recursors for handling client queries other than for hkfree.org zone.
The hidden master
The hidden master term basically means just that the master authoritative server is not going to be handling client queries at all. It's job is to be the "single source of truth" of all the zones and records. Any change on the master is propagated to the slaves in the matter of seconds with DNS zone transfer and AXFR queries.
Another big goal of my project is to make DNS management easy for around 80 "region admins" we have in hkfree.org. For that I chose PowerDNS-Admin. It looks nice, is fast, responsive and has great integration with powerdns authoritative server REST API.
The slaves
For the slaves, we have two Dell R720 servers, we want high reliability after all. They both have identical setup as the slaves. Firstly, they both have VRRP (Virtual Router Redundancy Protocol) running on them for highly avaliable fixed IP address for handling client queries.
As the DNS queries come in, they firstly go to Knotdns recursor, which has some security policies setup. Mainly those that ignore any PTR queries from outside our network. We do not want to leak our IP addressing scheme to the whole internet.
The cleverness is in the recursor rules. Here is an example of how the policies are configured.
-- Domain list definitions
public_reverse = policy.todnames({'248.89.in-addr.arpa'})
all_-reverse = policy.todnames({'107.10.in-addr.arpa', '207.10.in-addr.arpa', '248.89.in-addr.arpa'})
all_hkf = policy.todnames({'hkfree.org', '107.10.in-addr.arpa', '207.10.in-addr.arpa', '248.89.in-addr.arpa'})
only_public = policy.todnames({'hkfree.org', '248.89.in-addr.arpa'})

-- Allow our reverse records because default is blocking them per RFC 6761#section-6
policy.add(policy.suffix(policy.PASS, all_reverse))

-- Allow all 
view:addr('10.107.0.0/16', policy.suffix(policy.STUB({'127.0.0.2@53'}), all_hkf))
view:addr('10.107.0.0/16', policy.all(policy.PASS))

view:addr('89.248.240.0/20', policy.suffix(policy.STUB({'127.0.0.2@53'}), all_hkf))
view:addr('89.248.240.0/20', policy.all(policy.PASS))

-- Drop all IPv4 that hasn't matched
view:addr('0.0.0.0/0', policy.suffix(policy.STUB({'127.0.0.2@53'}), only_public))
view:addr('0.0.0.0/0', policy.all(policy.DROP))
After the recursor, it's time for KnotDNS authoritative server to shine. It's set up as a slave with all our hkfree.org zones. When a change occurs on the hidden-master, it immediately notifies both slaves and updates the changed records. Thus a change in from the web interface is propagated to all the slaves in the matter of seconds.
Deplyment
Since this project is a part of our critical infrastructure, it has to have a testing period before we can switch to it. After necessary testing, more than 30 000 device will be using my project. ( ~5000 households each average 6 devices )
Conclusion
I have greatly enjoyed my first Hack Week, I've learned a lot of new stuff, failed a few times, reworked the architecture a few times and had lengthy debates with my friends and colleagues about how it all should and shouldn't work. It gave me a new view on the whole concept of the Domain Name System and it's interworkings. I'll perhaps update this thread when the project is finally deployed in production.
I am looking forward to my next Hackweek project.
---
# A First Level Header
## A Second Level Header

Use one asterisk to *emphasize*

Use two asterisks for **strong emphasis**

- Use hyphens
- for unordereed
- lists

This is an [link to example.com](http://example.com/)

This is an image ![an openSUSE geeko icon](https://en.opensuse.org/images/d/d0/Icon-distribution.png)

This is a user link @hans

This is a project link hw#some-cool-title
More Complex Markdown Help
Formatting Help
• Edit
• Preview