On 22.03.2021 at 09:27, Vladimír Čunát wrote:
> With the previous message I wasn't sure, but this one made it clear to me:
>
> On 3/22/21 8:41 AM, Alex JOST wrote:
>> The scenario I was thinking about is:
>> * Have some real-world TLDs (example.com) NS entry point to server A
>>   and server B
>> * Server A and B both have Knot DNS installed but listening on
>>   localhost port 5053
>> * Server A and B both have Knot Resolver installed and listening on
>>   a public IP port 53
>> * Queries for example.com are received by Knot Resolver and
>>   forwarded to Knot DNS
>
> This won't fully work, as Knot Resolver only provides recursive
> service. Some of the authoritative queries would therefore be answered
> "wrong".

That's what I was worrying about, thanks for the confirmation.

>> * Any other queries are resolved and answered by Knot Resolver
>> * There are no access restrictions for specific IP ranges
>>
>> My concerns are:
>> * Is it feasible to run such a setup? Are there any drawbacks?
>
> The only "advantage" I can see in combining both kinds of servers is
> that you could save a public IP address, assuming you want to run a
> public resolver for some other reason.

The idea is to reduce resources in general. Operating 2 independent
authoritative servers for a few domains which might not be queried more
than 10000 times per day seems like a waste.

>> * Is it possible to (more or less) safely run Knot Resolver as an
>>   open resolver?
>
> It's perhaps not relevant for you now, but Knot Resolver should be fine
> as a public resolver (i.e. an intentionally open resolver). We also run
> such a service ourselves:
> https://nic.cz/odvr/

I already thought that it would be possible, as Cloudflare is using Knot
Resolver for its 1.1.1.1 service. But I wasn't sure how much effort it
would take to minimize the attack surface and if it is worth it.

Anyways, thanks to everyone for chiming in and sharing your thoughts! I
will abandon this idea and think of another solution.
--
Alex JOST
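The layout Alex describes, written out as a kresd (Knot Resolver) configuration so the forwarding rule is concrete. This is an added example, not code from the thread or from the Knot project. Assumptions not in the thread: the public address is 192.0.2.10, the version is kresd 5.x with the `policy` module, and `policy.STUB` is used because the target is an authoritative server rather than a recursive one (as I recall the kresd docs, STUB forwards without requesting recursion or attempting DNSSEC validation on the target). It does not change Vladimír's point: kresd in front of Knot DNS still answers as a resolver.

```lua
-- Added example (not from the thread, not an official Knot config):
-- kresd on the public address, Knot DNS on 127.0.0.1:5053 behind it.
-- Assumed values: public IP 192.0.2.10, zone example.com, kresd 5.x.

-- Public resolver endpoint on port 53 (kind = 'dns' covers UDP and TCP).
net.listen('192.0.2.10', 53, { kind = 'dns' })

-- Names at or below example.com go to the local Knot DNS instance.
-- STUB, not FORWARD: the target is authoritative for the zone and is
-- not expected to recurse or to be validated as a forwarder.
policy.add(policy.suffix(
    policy.STUB('127.0.0.1@5053'),
    policy.todnames({ 'example.com' })
))

-- Everything else falls through to normal recursion, i.e. the "any
-- other queries are resolved and answered by Knot Resolver" item.
```

On the Knot DNS side the only matching setting is `listen: 127.0.0.1@5053` under `server:` in knot.conf, as the thread already states. To see what "answered wrong" means in practice, compare `dig @127.0.0.1 -p 5053 example.com SOA` with `dig @192.0.2.10 example.com SOA`: the first answer comes from the authoritative server and carries the `aa` flag, the second comes from the resolver and is not an authoritative answer even though it was fetched from Knot DNS; likewise a secondary trying to pull the zone with AXFR through 192.0.2.10:53 is talking to a resolver, not to the zone's server. Since the thread describes the resolver as open with no address restrictions, anything listening on 192.0.2.10:53 is a public resolver and should be treated as one.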