[Pdns-users] Prevent external lookup of (private) subdomains

Brian Candler b.candler at pobox.com
Wed Sep 22 11:06:44 UTC 2021

On 22/09/2021 10:54, informant at trinaxab.se wrote:
> July 9, 2021 5:12 PM, "Brian Candler"<b.candler at pobox.com>  wrote:
>> On 09/07/2021 15:29,informant at trinaxab.se  wrote:
>>> Specifically, the intention is to use a single wildcard certificate *.intra.example.com rather than
>>> one for each subdomain. I don't know if that changes anything.
>> No difference. You just need to be able to insert TXT records in the zone
>> _acme-challenge.intra.example.com
>> to get a wildcard cert for *.intra.example.com. (Note that wildcard certs only match one level:
>> e.g. "accounts.intra.example.com" will match but not "mail.accounts.intra.example.com")
> How do I set this up? I haven't really worked with DNS on this level before. I find things relating to DNS updates, AXFR, TSIG and master/slave configurations, but I'm not sure which of those are relevant.

In short:

- if you've decided to use PowerDNS as the authoritative server for 
intra.example.com, you need to choose a backend which allows dynamic 
updates (i.e. not the BIND backend; one of the SQL ones will be fine)
- you need to enable dynamic updates (e.g. using TSIG or via the API 
depending on how you're going to perform the updates)
- you need to configure your ACME client to perform the updates.

For example, "dehydrated <https://dehydrated.io/>" is a shell script for 
obtaining certificates, and here's a script which can do TSIG updates 
Here are others which can do direct mysql updates 
<https://github.com/antoiner77/dehyrated-pdns> or API updates 

I've not tested any of these with PowerDNS (I use bind for LetsEncrypt 
as it doesn't need a database), so I'm afraid you need to put these bits 
together yourself.

Make sure you point at the LetsEncrypt "staging environment" while 
you're testing this, otherwise you'll hit rate limits that will prevent 
you making further API calls to LetsEncrypt for several hours.  Once all 
the challenge/response stuff is working, then switch to the production 
environment to get real certs.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20210922/edc1ffa3/attachment.htm>

More information about the Pdns-users mailing list