[Pdns-users] Prevent external lookup of (private) subdomains
Brian Candler
b.candler at pobox.com
Fri Jul 9 14:03:11 UTC 2021
On 09/07/2021 14:43, informant--- via Pdns-users wrote:
> I intend to set up a PowerDNS authoritative server and recursor, where
> a few subdomains will be forwarded to the auth server for internal use
> only. (local IP addresses) We do not wish to allow lookups for these
> domains by any external host. So far, so good.
>
> Now, additionally, I would like to employ Let’s Encrypt certificates
> for these private services by using DNS wildcard challenge. This, of
> course, requires that the DNS server be public. My question, then, is
> can I set up PowerDNS in such a way that the DNS server allows the
> necessary lookups required to complete the DNS challenge, but prevents
> lookups for any subdomains by any external host?
You have a domain like "int.example.com" where you don't want any names
to be visible to the outside world, but you want to be able to obtain
certificates for them. Correct?
The way I deal with this is to have a separate nameserver, say
ns-acme.example.com, and delegate int.example.com to that server (in the
public DNS):
int.example.com. NS ns-acme.example.com.
The zone file on ns-acme is empty, so if anyone tries to resolve
XXX.int.example.com they'll get NXDOMAIN. However, you also set up TSIG
zones on this server so that servers can respond to DNS01 challenges.
You can either just have a single TSIG record which allows all updates
to the domain; or (more securely) you can create separate zones on the
nameserver, e.g.
_acme-challenge.foo.int.example.com
_acme-challenge.bar.int.example.com
so that the servers foo.int.example.com and bar.int.example.com have
separate TSIG keys, and can only issue certs for themselves.
Any lightweight authoritative DNS server that supports TSIG updates is
fine - e.g. powerdns with SQLite backend, BIND with filebackend.
Regards,
Brian.
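To make the second, more secure layout concrete, here is an added example (not code from the post, from Brian, or from PowerDNS): a stdlib-only Python model of the exchange on ns-acme. The client builds an RFC 2136 UPDATE that adds the DNS-01 TXT record and signs it with TSIG (RFC 8945, hmac-sha256); the server side verifies the signature and then enforces the policy the post describes, namely that foo's key may only touch _acme-challenge.foo.int.example.com. The key names, secrets, the token value and the timestamp are constructed for the demo; a real host would send the same message with nsupdate or a certbot DNS hook, and the zone names come from the post.

```python
"""Constructed model of a TSIG-signed ACME DNS-01 update against a per-host
_acme-challenge zone.  Not PowerDNS code; key names and secrets are made up."""
import hmac, hashlib, struct, time

TSIG, TXT, SOA, ANY, IN = 250, 16, 6, 255, 1
ALG = "hmac-sha256."

# Constructed key table: each host's key is bound to exactly one zone.
KEYS = {
    "foo-acme-key.": (b"foo-secret-0123456789abcdef", "_acme-challenge.foo.int.example.com."),
    "bar-acme-key.": (b"bar-secret-fedcba9876543210", "_acme-challenge.bar.int.example.com."),
}

def wire_name(name):
    """Canonical (lowercase, uncompressed) wire form of a domain name."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def read_name(msg, off):
    """Parse an uncompressed name; returns (name, next offset)."""
    labels = []
    while msg[off]:
        n = msg[off]; labels.append(msg[off + 1:off + 1 + n].decode()); off += 1 + n
    return ".".join(labels) + ".", off + 1

def build_update(zone, owner, txt_value, msg_id=0x1234):
    """UPDATE (opcode 5) with one zone entry and one 'add TXT' RR."""
    hdr = struct.pack(">HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)  # ZO=1 PR=0 UP=1 AD=0
    zone_sec = wire_name(zone) + struct.pack(">HH", SOA, IN)
    rdata = bytes([len(txt_value)]) + txt_value.encode()
    rr = wire_name(owner) + struct.pack(">HHIH", TXT, IN, 60, len(rdata)) + rdata
    return hdr + zone_sec + rr

def tsig_vars(keyname, t, fudge, error=0, other=b""):
    """TSIG variables covered by the MAC (RFC 8945 section 4.3.3)."""
    return (wire_name(keyname) + struct.pack(">HI", ANY, 0) + wire_name(ALG)
            + t.to_bytes(6, "big") + struct.pack(">HHH", fudge, error, len(other)) + other)

def tsig_sign(msg, keyname, secret, t=None, fudge=300):
    """Append a TSIG RR to an unsigned request and bump ARCOUNT."""
    t = int(time.time()) if t is None else t
    mac = hmac.new(secret, msg + tsig_vars(keyname, t, fudge), hashlib.sha256).digest()
    rdata = (wire_name(ALG) + t.to_bytes(6, "big") + struct.pack(">HH", fudge, len(mac))
             + mac + msg[:2] + struct.pack(">HH", 0, 0))  # original ID, error 0, other len 0
    arcount = struct.unpack(">H", msg[10:12])[0] + 1
    signed = msg[:10] + struct.pack(">H", arcount) + msg[12:]
    return signed + wire_name(keyname) + struct.pack(">HHIH", TSIG, ANY, 0, len(rdata)) + rdata

def verify_update(signed, keys=KEYS, now=None):
    """Server side: returns the RCODE/TSIG error name the update would get."""
    counts = struct.unpack(">HHHHHH", signed[:12])
    zone, off = read_name(signed, 12); off += 4  # skip SOA/IN of the zone section
    rrs = []
    for _ in range(counts[3] + counts[4] + counts[5]):  # PR + UP + AD sections
        start = off
        name, off = read_name(signed, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", signed[off:off + 10]); off += 10
        rrs.append((start, name, rtype, signed[off:off + rdlen])); off += rdlen
    tsig_start, keyname, rtype, rdata = rrs[-1]
    if rtype != TSIG:
        return "REFUSED"  # unsigned updates are never accepted
    alg, p = read_name(rdata, 0)
    t = int.from_bytes(rdata[p:p + 6], "big")
    fudge, maclen = struct.unpack(">HH", rdata[p + 6:p + 10])
    mac = rdata[p + 10:p + 10 + maclen]
    orig_id = rdata[p + 10 + maclen:p + 12 + maclen]
    if keyname not in keys or alg != ALG:
        return "BADKEY"
    secret, allowed_zone = keys[keyname]
    # Rebuild the request exactly as it was before the TSIG RR was appended.
    unsigned = orig_id + signed[2:10] + struct.pack(">H", counts[5] - 1) + signed[12:tsig_start]
    expected = hmac.new(secret, unsigned + tsig_vars(keyname, t, fudge), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return "BADSIG"
    now = int(time.time()) if now is None else now
    if abs(now - t) > fudge:
        return "BADTIME"
    # Policy from the post: a host's key is good for its own challenge zone only.
    if zone != allowed_zone:
        return "REFUSED"
    for _, name, _, _ in rrs[:-1]:
        if not (name == zone or name.endswith("." + zone)):
            return "REFUSED"
    return "NOERROR"

def demo():
    """Exercise the verifier with constructed messages; returns the outcomes."""
    t = 1625839391  # constructed 'time signed' so the run is deterministic
    foo_secret, foo_zone = KEYS["foo-acme-key."]
    bar_zone = KEYS["bar-acme-key."][1]
    good = tsig_sign(build_update(foo_zone, foo_zone, "constructed-token"), "foo-acme-key.", foo_secret, t)
    cross = tsig_sign(build_update(bar_zone, bar_zone, "constructed-token"), "foo-acme-key.", foo_secret, t)
    unknown = tsig_sign(build_update(foo_zone, foo_zone, "constructed-token"), "nobody-key.", foo_secret, t)
    tampered = good.replace(b"constructed-token", b"Constructed-token")  # same length, MAC breaks
    return {"good": verify_update(good, now=t), "cross_zone": verify_update(cross, now=t),
            "unknown_key": verify_update(unknown, now=t), "tampered": verify_update(tampered, now=t),
            "stale": verify_update(good, now=t + 3600)}
```

The point of the per-zone key table is the "cross_zone" case: foo's key produces a perfectly valid signature over an update to bar's challenge zone, and only the server-side binding of key to zone refuses it. In PowerDNS terms that binding is, as I understand the authoritative server's docs, `dnsupdate=yes` in pdns.conf plus the `TSIG-ALLOW-DNSUPDATE` and `ALLOW-DNSUPDATE-FROM` metadata set per `_acme-challenge.<host>.int.example.com` zone (with `pdnsutil generate-tsig-key` and `pdnsutil set-meta`), so each host only ever holds a key the server will honour for its own zone.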