[Pdns-users] Prevent external lookup of (private) subdomains

Brian Candler b.candler at pobox.com
Fri Jul 9 14:03:11 UTC 2021


On 09/07/2021 14:43, informant--- via Pdns-users wrote:
> I intend to set up a PowerDNS authoritative server and recursor, where 
> a few subdomains will be forwarded to the auth server for internal use 
> only. (local IP addresses) We do not wish to allow lookups for these 
> domains by any external host. So far, so good.
>
> Now, additionally, I would like to employ Let’s Encrypt certificates 
> for these private services by using DNS wildcard challenge. This, of 
> course, requires that the DNS server be public. My question, then, is 
> can I set up PowerDNS in such a way that the DNS server allows the 
> necessary lookups required to complete the DNS challenge, but prevents 
> lookups for any subdomains by any external host?

You have a domain like "int.example.com" where you don't want any names 
to be visible to the outside world, but you want to be able to obtain 
certificates for them.  Correct?

The way I deal with this is to have a separate nameserver, say 
ns-acme.example.com, and delegate int.example.com to that server (in the 
public DNS):

int.example.com.  NS  ns-acme.example.com.

The zone file on ns-acme is empty, so if anyone tries to resolve 
XXX.int.example.com they'll get NXDOMAIN.  However, you also set up TSIG 
zones on this server so that servers can response to DNS01 challenges.

You can either just have a single TSIG record which allows all updates 
to the domain; or (more securely) you can create separate zones on the 
nameserver, e.g.

_acme-challenge.foo.int.example.com
_acme-challenge.bar.int.example.com

so that the servers foo.int.example.com and bar.int.example.com have 
separate TSIG keys, and can only issue certs for themselves.

Any lightweight authoritative DNS server that supports TSIG updates is 
fine - e.g. powerdns with SQLite backend, BIND with filebackend.

Regards,

Brian.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20210709/f27cad63/attachment.htm>


More information about the Pdns-users mailing list