[Pdns-users] Prevent external lookup of (private) subdomains

Brian Candler b.candler at pobox.com
Wed Sep 22 11:06:44 UTC 2021


On 22/09/2021 10:54, informant at trinaxab.se wrote:
> July 9, 2021 5:12 PM, "Brian Candler" <b.candler at pobox.com> wrote:
>
>> On 09/07/2021 15:29, informant at trinaxab.se wrote:
>>
>>> Specifically, the intention is to use a single wildcard certificate *.intra.example.com rather than
>>> one for each subdomain. I don't know if that changes anything.
>> No difference. You just need to be able to insert TXT records in the zone
>>
>> _acme-challenge.intra.example.com
>>
>> to get a wildcard cert for *.intra.example.com. (Note that wildcard certs only match one level:
>> e.g. "accounts.intra.example.com" will match but not "mail.accounts.intra.example.com")
> How do I set this up? I haven't really worked with DNS on this level before. I find things relating to DNS updates, AXFR, TSIG and master/slave configurations, but I'm not sure which of those are relevant.

In short:

- if you've decided to use PowerDNS as the authoritative server for 
intra.example.com, you need to choose a backend which allows dynamic 
updates (i.e. not the BIND backend; one of the SQL ones will be fine)
- you need to enable dynamic updates (e.g. using TSIG or via the API 
depending on how you're going to perform the updates)
- you need to configure your ACME client to perform the updates.

For example, "dehydrated <https://dehydrated.io/>" is a shell script for 
obtaining certificates, and here's a script which can do TSIG updates 
<https://github.com/dehydrated-io/dehydrated/wiki/example-dns-01-nsupdate-script>. 
Here are others which can do direct mysql updates 
<https://github.com/antoiner77/dehyrated-pdns> or API updates 
<https://github.com/silkeh/pdns_api.sh>.

I've not tested any of these with PowerDNS (I use bind for LetsEncrypt 
as it doesn't need a database), so I'm afraid you need to put these bits 
together yourself.

Make sure you point at the LetsEncrypt "staging environment" while 
you're testing this, otherwise you'll hit rate limits that will prevent 
you making further API calls to LetsEncrypt for several hours.  Once all 
the challenge/response stuff is working, then switch to the production 
environment to get real certs.
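A dehydrated DNS-01 hook for the TSIG-update route sketched above, added here as an example; it is not from the thread or from the linked scripts. The nameserver name, TSIG key file path and PowerDNS settings in the comments are assumptions for illustration.

```shell
#!/bin/sh
# dehydrated DNS-01 hook (added example). Publishes the ACME challenge as a TXT
# record at _acme-challenge.<domain> via nsupdate signed with a TSIG key. On the
# PowerDNS side this assumes an SQL backend with dnsupdate=yes in pdns.conf and
# the key allowed for the zone (TSIG-ALLOW-DNSUPDATE metadata / allow-dnsupdate-from).
# Assumed names (placeholders, not from the thread): NAMESERVER, TSIG_KEYFILE.
ZONE="${ZONE:-intra.example.com}"
NAMESERVER="${NAMESERVER:-ns1.intra.example.com}"
TSIG_KEYFILE="${TSIG_KEYFILE:-/etc/dehydrated/acme-update.key}"   # from tsig-keygen
TTL=60

# Build the nsupdate batch for one challenge. Emitting it as text keeps the update
# inspectable and testable without a live server.
# Usage: build_nsupdate_batch add|delete <domain> <token>
build_nsupdate_batch() {
    op=$1; token=$3
    domain=${2#"*."}   # a wildcard name *.intra.example.com is validated at intra.example.com
    name="_acme-challenge.${domain}."
    printf 'server %s\n' "$NAMESERVER"
    printf 'zone %s.\n' "$ZONE"
    if [ "$op" = add ]; then
        printf 'update add %s %s IN TXT "%s"\n' "$name" "$TTL" "$token"
    else
        printf 'update delete %s IN TXT "%s"\n' "$name" "$token"
    fi
    printf 'send\n'
}

# dehydrated passes DOMAIN TOKEN_FILENAME TOKEN_VALUE, repeated once per name.
deploy_challenge() {
    while [ $# -ge 3 ]; do
        build_nsupdate_batch add "$1" "$3" | nsupdate -k "$TSIG_KEYFILE" || return 1
        shift 3
    done
    sleep 30   # let the authoritative server (and any secondaries) serve the record before validation
}

clean_challenge() {
    while [ $# -ge 3 ]; do
        build_nsupdate_batch delete "$1" "$3" | nsupdate -k "$TSIG_KEYFILE"
        shift 3
    done
}

case "${1:-}" in
    deploy_challenge|clean_challenge) hook=$1; shift; "$hook" "$@" ;;
esac
```

Point dehydrated at it with `HOOK=/path/to/this-script.sh` and `CHALLENGETYPE=dns-01` in its config; the staging CA URL goes in the same config while testing.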
