1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
|
.. _dns-forwarding:
##############
DNS Forwarding
##############
VyOS provides DNS infrastructure for small networks. It is designed to be
lightweight and have a small footprint, suitable for resource constrained
routers and firewalls, for this we utilize PowerDNS recursor.
VyOS DNS forwarder doe not require an upstream DNS server. It can serve as a
full recursive DNS server - but it can also forward queries to configurable
upstream DNS servers.
.. cfgcmd:: set service dns forwarding system
Forward incoming DNS queries to the DNS servers configured under the ``system
name-server`` nodes.
.. cfgcmd:: set service dns forwarding name-server <address>
Send all DNS queries to the IPv4/IPv6 DNS server specified under `<address>`.
You can configure multiple nameservers here.
.. cfgcmd:: set service dns forwarding domain <domain-name> server <address>
Forward received queries for a particular domain (specified via `domain-name`)
to a given name-server. Multiple nameservers can be specified.
.. note:: This also works for reverse-lookup zones e.g. ``18.172.in-addr.arpa``.
.. cfgcmd:: set service dns forwarding allow-from <network>
Given the fact that open DNS recursors could be used on DDOS amplification
attacts, you must configure the networks which are allowed to use this recursor.
A network of ``0.0.0.0/0`` or ``::/0`` would allow all IPv4 and IPv6 networks
to query this server. This is on general a bad idea.
.. cfgcmd:: set service dns forwarding dnssec <off | process-no-validate | process | log-fail | validate>
The PowerDNS Recursor has 5 different levels of DNSSEC processing, which can
be set with the dnssec setting. In order from least to most processing, these
are:
* **off** In this mode, no DNSSEC processing takes place. The recursor will not
set the DNSSEC OK (DO) bit in the outgoing queries and will ignore the DO and
AD bits in queries.
* **process-no-validate** In this mode the Recursor acts as a "security aware,
non-validating" nameserver, meaning it will set the DO-bit on outgoing queries
and will provide DNSSEC related RRsets (NSEC, RRSIG) to clients that ask for
them (by means of a DO-bit in the query), except for zones provided through
the auth-zones setting. It will not do any validation in this mode, not even
when requested by the client.
* **process** When dnssec is set to process the behaviour is similar to
process-no-validate. However, the recursor will try to validate the data if
at least one of the DO or AD bits is set in the query; in that case, it will
set the AD-bit in the response when the data is validated successfully, or
send SERVFAIL when the validation comes up bogus.
* **log-fail** In this mode, the recursor will attempt to validate all data it
retrieves from authoritative servers, regardless of the client’s DNSSEC
desires, and will log the validation result. This mode can be used to
determine the extra load and amount of possibly bogus answers before turning
on full-blown validation. Responses to client queries are the same as with
process.
* **validate** The highest mode of DNSSEC processing. In this mode, all queries
will be be validated and will be answered with a SERVFAIL in case of bogus
data, regardless of the client’s request.
.. note:: the ``dig`` tool sets the AD-bit in the query. This might lead to
unexpected query results when testing. Set +noad on the dig commandline when
this is the case.
.. note:: the CD-bit is honored correctly for process and validate. For
log-fail, failures will be logged too.
Example
=======
Router with two interfaces eth0 (WAN link) and eth1 (LAN) does want to make
use of DNS split-horizon for example.com.
* DNS request for example.com need to get forwarded to IPv4 address 192.0.2.254
and IPv6 address 2001:db8:cafe::1
* All other DNS requests are forwarded to DNS server listening on 192.0.2.1,
192.0.2.2, 2001:db8::1:ffff and 2001:db8::2:ffff
* DNS server is listening on the LAN interface addresses only, 192.168.1.254
for IPv4 and 2001:db8::ffff for IPv6
* Only clients from the LAN segment (192.168.1.0/24) are allowed to use this
server
.. code-block:: none
set service dns forwarding domain example.com server 192.0.2.254
set service dns forwarding domain example.com server 2001:db8:cafe::1
set service dns forwarding name-server 192.0.2.1
set service dns forwarding name-server 192.0.2.2
set service dns forwarding name-server 2001:db8::1:ffff
set service dns forwarding name-server 2001:db8::2:ffff
set service dns forwarding listen-address 192.168.1.254
set service dns forwarding listen-address 2001:db8::ffff
set service dns forwarding allow-from 192.168.1.0/24
set service dns forwarding allow-from 2001:db8::/64
|