PowerDNS as an internal resolver and a closed recursor

Question

I've got two freshly configured PowerDNS servers. One acts as a master, the second one as a slave. There are two daemons running on each of them: powerdns and powerdns-recursor. The first one binds to 5300 tcp port, the second one to 53. I added the following rules to recursor.conf (1.2.3.4 is the IP address of the server):

forward-zones=.=1.2.3.4:5300
forward-zones-recurse=.=1.2.3.4:5300;8.8.8.8

Thanks to them my servers resolve domains which are added internally as well as external domains like google.com. The only problem is that if I allow only my local IP addresses to send recursive queries, the internally added domains won't be reachable from the world. On the other hand, if I set the allow-from parameter to 0.0.0.0/0 in recursor.conf, my servers will be vulnerable to the DNS Amplification attacks. What should I do? I want to allow all IPs to query my servers for domains that they have the authority over, but disallow recursive queries.

Answer 1

For the scenario that you describe in the question, with a mix of clients expecting recursion and other clients expecting authoritative answers, pdns-rec is not what you should expose to the world in the first place.

Reading a little between the lines, I think what the question is actually about is how one runs both pdns-auth and pdns-rec off a single IP address now that pdns-auth no longer has the recursor configuration option that used the exist in the past.
For this, you should probably have a good look at the PowerDNS guide on Migrating from using recursion on the Authoritative Server to using a Recursor.

What that guide boils down to for your scenario is, first of all that the easiest and arguably best approach is to simply have these services on different IPs, but with the proposed alternative solution being sticking dnsdist in front of both your pdns-auth and pdns-rec instances (dnsdist is what will listen on port 53), letting dnsdist pass queries from clients that should have recursion to a pool with your pdns-rec instance and all other queries to a pool with your pdns-auth instance.