<!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /></head><body><div data-html-editor-font-wrapper="true" style="font-family: arial, sans-serif; font-size: 13px;"><p class="MsoNormal"><span style="font-size:12px;"><span style="font-family:Tahoma,Geneva,sans-serif;">Hi,</span></span><br><br><span style="font-size:12px;"><span style="font-family:Tahoma,Geneva,sans-serif;">I intend to set up a PowerDNS authoritative server and recursor, where a few subdomains will be forwarded to the auth server for internal use only. (local IP addresses) We do not wish to allow lookups for these domains by any external host. So far, so good.</span></span><br><br><span style="font-size:12px;"><span style="font-family:Tahoma,Geneva,sans-serif;">Now, additionally, I would like to employ Let’s Encrypt certificates for these private services by using DNS wildcard challenge. This, of course, requires that the DNS server be public. My question, then, is can I set up PowerDNS in such a way that the DNS server allows the necessary lookups required to complete the DNS challenge, but prevents lookups for any subdomains by any external host?</span></span><br><br><span style="font-size:12px;"><span style="font-family:Tahoma,Geneva,sans-serif;">In other words, can I allow lookups for intra.example.com from 0.0.0.0/0 while only allowing lookups for myservice.intra.example.com from 192.168.1.0/24?</span></span></p></div></body></html>