Sorry if my question is too long.
I have 4 PowerDNS servers, as below, with sample IPs:
ns1.example.com 1.1.1.1
ns2.example.com 2.2.2.2
rec1.example.com 3.3.3.3
rec2.example.com 4.4.4.4
In my network, ns1 & ns2 are authoritative servers that have some zones and reverse zones,
and rec1 & rec2 are recursor DNS servers.
I have configured rec1 & rec2 to ask ns1 & ns2 for my own zones with "forward-zones" in powerdns/recursor.conf, which works fine.
I also configured "forward-zones-recurse=.=8.8.8.8" to send all other queries to the Google DNS, which works too.
I have many subnets (clients) in my network that use rec1 & rec2 as the main DNS servers on their machines.
They ask rec1 & rec2 for any domain; depending on the domain, rec1 & rec2 send that query to ns1 & ns2 or to Google.
Up to this point I have no problem; my clients can query successfully for any address.
My problem is that rec1 & rec2 became an "open resolver" to the internet, I mean anyone from the internet can send DNS queries to these servers and they work.
I configured "allow-from=my_subnets" in powerdns/recursor.conf, but it causes a problem: internet servers like the Gmail servers cannot look up my reverse zone, so all my PTR records are not available on the internet.
And if I change "allow-from=" to 0.0.0.0/0 they become an open resolver for all IPs and any queries.
I wonder if there is a solution like in BIND9, where I can use "allow-query {trusted;};" for each zone in named.conf.options, so I can control how far the BIND server becomes an open resolver and just answer my own reverse zone to the internet but no other question.
I would be glad if someone can help me.
Thank you in advance.
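As an added example (not part of the original question or of PowerDNS itself), the following Python script models the recursor.conf layout described above: it parses the flat key=value file, decides which upstream a query would be forwarded to (forward-zones versus forward-zones-recurse, longest-suffix match), and applies allow-from to a client address. The two configs are constructed samples; "my_subnets" is represented by RFC 1918 ranges, and the reverse zone 0.0.10.in-addr.arpa is an assumed example zone. Running simulate() with an internet client against the restricted config reproduces the "PTR lookup refused" behaviour the question describes, and is_open_resolver() flags the 0.0.0.0/0 setting.

```python
"""Added example: model PowerDNS Recursor allow-from and forward-zones dispatch.

Assumptions (not from the original post): recursor.conf is flat key=value;
my_subnets is stood in for by RFC 1918 ranges; 0.0.10.in-addr.arpa is a
constructed reverse zone; the allow-from default below is an approximation.
"""
import ipaddress

# Constructed sample: the layout from the question with the allow-from line
# that makes rec1/rec2 answer anyone on the internet.
OPEN_CONF = """\
local-address=0.0.0.0
forward-zones=example.com=1.1.1.1;2.2.2.2, 0.0.10.in-addr.arpa=1.1.1.1;2.2.2.2
forward-zones-recurse=.=8.8.8.8
allow-from=0.0.0.0/0
"""

# Constructed sample: same config, allow-from limited to internal subnets
# (standing in for "allow-from=my_subnets").
RESTRICTED_CONF = """\
local-address=0.0.0.0
forward-zones=example.com=1.1.1.1;2.2.2.2, 0.0.10.in-addr.arpa=1.1.1.1;2.2.2.2
forward-zones-recurse=.=8.8.8.8
allow-from=10.0.0.0/8, 192.168.0.0/16
"""

# Approximation of the recursor's built-in default when allow-from is unset
# (assumption: check the documented default for your version).
DEFAULT_ALLOW_FROM = ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def parse_conf(text):
    """Parse key=value lines into a dict; blank lines and # comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def split_list(value):
    """Split a comma-separated recursor.conf value into stripped items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def parse_forward_zones(value):
    """'zone=ip;ip, zone=ip' -> {zone: [ip, ...]}; the root zone '.' becomes ''."""
    zones = {}
    for entry in split_list(value):
        zone, _, servers = entry.partition("=")
        key = zone.strip().rstrip(".").lower()
        zones[key] = [s.strip() for s in servers.split(";") if s.strip()]
    return zones


def allow_from_networks(conf):
    """Networks permitted to query, as ipaddress objects."""
    nets = split_list(conf["allow-from"]) if "allow-from" in conf else DEFAULT_ALLOW_FROM
    return [ipaddress.ip_network(n, strict=False) for n in nets]


def is_open_resolver(conf_text):
    """True when any allow-from entry is a zero-length prefix (whole internet)."""
    return any(net.prefixlen == 0 for net in allow_from_networks(parse_conf(conf_text)))


def client_allowed(conf, client_ip):
    """Apply allow-from to a client address (v4/v6 mismatch simply does not match)."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in allow_from_networks(conf))


def upstream_for(conf, qname):
    """Longest-suffix match over forward-zones and forward-zones-recurse.

    Returns the forwarder list, or [] if the recursor would resolve from the
    root itself (no matching forwarder, not even '.').
    """
    table = {}
    table.update(parse_forward_zones(conf.get("forward-zones-recurse", "")))
    table.update(parse_forward_zones(conf.get("forward-zones", "")))
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels) + 1):          # full name, then parents, then root ''
        candidate = ".".join(labels[i:])
        if candidate in table:
            return table[candidate]
    return []


def simulate(conf_text, client_ip, qname):
    """What the recursor does with one query: 'REFUSED' or the upstream list."""
    conf = parse_conf(conf_text)
    if not client_allowed(conf, client_ip):
        return "REFUSED"
    return upstream_for(conf, qname)


if __name__ == "__main__":
    print("open config is open resolver:", is_open_resolver(OPEN_CONF))
    print("restricted config is open resolver:", is_open_resolver(RESTRICTED_CONF))
    # Internet host (203.0.113.7, TEST-NET-3) asking for a PTR under the restricted config:
    print(simulate(RESTRICTED_CONF, "203.0.113.7", "5.0.0.10.in-addr.arpa"))
    # Internal client asking for an outside name goes to the '.' forwarder:
    print(simulate(RESTRICTED_CONF, "10.20.30.40", "mail.google.com"))
```

The model makes the trade-off in the question concrete: allow-from is a per-client decision taken before any zone lookup, so a single recursor cannot be open for one zone and closed for the rest. The script only simulates the config; it does not send DNS traffic.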