[Pdns-users] Private IP Addresses in DNS Records

Nikolaos Milas nmilas at admin.noa.gr
Fri May 14 12:03:53 UTC 2021

On 14/5/2021 10:17 π.μ., frank at tembo.be wrote:

> To keep them hidden, what I would recommend, is to create 
> private.noa.gr <http://private.noa.gr> as a separate zone (so add NS 
> records for it in the noa.gr <http://noa.gr> zone and create a new 
> zone), and add example.privrate.noa.gr 
> <http://example.privrate.noa.gr> to that zone. You can then deny AXFRs 
> for that zone. People who can AXFR noa.gr <http://noa.gr> can still 
> see that a private.noa.gr <http://private.noa.gr> zone exists (as they 
> would see the NS delegation), but they can't see what's in it.

Thank you Frank,

Some questions:

1. How can we configure PowerDNS (Authoritative) to deny AXFRs for a 
particular zone? I have seen domainmetadata documentation at:


but this functionality is documented as not available for non-DNSSEC 
capable backends as is ours (LDAP).

2. If anyone on the Internet looks up *directly* a particular hostname 
under private.noa.gr zone (e.g. example.private.noa.gr), won't they be 
able to see data about it? Shouldn't we somehow deny all Internet 
requests for that particular zone (in addition to AXFRs), and only allow 
internal requests?

If so, how do we configure PowerDNS (Authoritative) to allow requests 
only from specific IP ranges for that particular zone?

Thanks again,

More information about the Pdns-users mailing list