[Pdns-users] Private IP Addresses in DNS Records
Brian Candler
b.candler at pobox.com
Fri May 14 16:42:05 UTC 2021
On 14/05/2021 16:13, Nikolaos Milas wrote:
> Hmm, probably you mean IPv6 Link-local addresses (rather than GUAs);
> GUAs are reachable indeed.
GUAs aren't necessarily reachable: you can have internal ranges that are
not routed, or blocked by ACLs. Or he might have meant ULAs.
Either way, I agree with him. I am perfectly happy publishing private
and unreachable addresses in the public DNS, for the very reason that
they are not reachable! Hence it doesn't matter whether anyone can
resolve them or not.
If company policy doesn't let you work that way, and you still want to
use PowerDNS, then setting up a separate private DNS authoritative
service is the simplest way to do it. PowerDNS doesn't have "views"
like bind: it's designed for ISP-scale robustness and performance. If
you want to do clever tricks like answering differently depending on the
source IP address, you can use dnsdist in front, or you can use Lua scripting.
As for controlling AXFRs: that's normally done by TSIG authentication
and/or by source IP address restrictions, but as I don't use LDAP as the
backend, I'm afraid I can't tell you whether it's supported with that.
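A split-horizon front end of the kind described above, as an added dnsdist configuration example that is not from this thread or from the PowerDNS project; the listener, backend addresses, pool names and internal prefixes are assumptions:

```lua
-- Added example: dnsdist in front of two PowerDNS authoritative servers.
-- Addresses, pool names and prefixes are placeholders (assumptions).
setLocal("0.0.0.0:53")          -- addresses dnsdist listens on
setLocal("[::]:53")

-- Two backends: one serving the internal view (private / ULA records),
-- one serving the public view.
newServer({address="192.0.2.10:53", pool="internal"})
newServer({address="192.0.2.20:53", pool="public"})

-- Source networks that are allowed to see the internal view.
local internalNets = newNMG()
internalNets:addMask("10.0.0.0/8")
internalNets:addMask("192.168.0.0/16")
internalNets:addMask("fd00::/8")    -- IPv6 ULA range

-- Zone transfers are only accepted from the internal networks; any
-- AXFR/IXFR from elsewhere is REFUSED at the front end. TSIG on the
-- backend, where supported, is an additional layer behind this.
addAction(AndRule({
    OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}),
    NotRule(NetmaskGroupRule(internalNets))
}), RCodeAction(DNSRCode.REFUSED))

-- Route by source address: internal clients go to the internal pool,
-- everyone else to the public pool.
addAction(NetmaskGroupRule(internalNets), PoolAction("internal"))
addAction(AllRule(), PoolAction("public"))
```

Source-address routing only works if dnsdist sees the real client address, so a NAT or load balancer in front of it would collapse both views into one.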