[Pdns-users] Private IP Addresses in DNS Records
b.candler at pobox.com
Fri May 14 16:42:05 UTC 2021
On 14/05/2021 16:13, Nikolaos Milas wrote:
> Hmm, probably you mean IPv6 Link-local addresses (rather than GUAs);
> GUAs are reachable indeed.
GUAs aren't necessarily reachable: you can have internal ranges that are
not routed, or blocked by ACLs. Or he might have meant ULAs.
Either way, I agree with him. I am perfectly happy publishing private
and unreachable addresses in the public DNS, for the very reason that
they are not reachable! Hence it doesn't matter whether anyone can
resolve them or not.
If company policy doesn't let you work that way, and you still want to
use PowerDNS, then setting up a separate private DNS authoritative
service is the simplest way to do it. PowerDNS doesn't have "views"
like bind: it's designed for ISP-scale robustness and performance. To
do clever tricks like answering differently depending on the source IP
address, then you can use dnsdist in front, or you can use LUA scripting.
As for controlling AXFRs: that's normally done by TSIG authentication
and/or by source IP address restrictions, but as I don't use LDAP as the
backend, I'm afraid I can't tell you whether it's supported with that.
More information about the Pdns-users