[Pdns-users] Prevent external lookup of (private) subdomains

informant at trinaxab.se informant at trinaxab.se
Thu Sep 23 13:31:07 UTC 2021


September 22, 2021 1:06 PM, "Brian Candler" <b.candler at pobox.com> wrote:

> On 22/09/2021 10:54, informant at trinaxab.se wrote:
> 
>> July 9, 2021 5:12 PM, "Brian Candler" <b.candler at pobox.com> wrote:
>>> On 09/07/2021 15:29, informant at trinaxab.se wrote:
>>>> Specifically, the intention is to use a single wildcard certificate *.intra.example.com rather than
>>>> one for each subdomain. I don't know if that changes anything.
>>> No difference. You just need to be able to insert TXT records in the zone
>>> _acme-challenge.intra.example.com
>>> to get a wildcard cert for *.intra.example.com. (Note that wildcard certs only match one level:
>>> e.g. "accounts.intra.example.com" will match but not "mail.accounts.intra.example.com")
>> How do I set this up? I haven't really worked with DNS on this level before. I find things relating
>> to DNS updates, AXFR, TSIG and master/slave configurations, but I'm not sure which of those are
>> relevant.
> In short:
> 
> - if you've decided to use PowerDNS as the authoritative server for intra.example.com, you need to
> choose a backend which allows dynamic updates (i.e. not the BIND backend; one of the SQL ones will
> be fine)
> - you need to enable dynamic updates (e.g. using TSIG or via the API depending on how you're going
> to perform the updates)
> - you need to configure your ACME client to perform the updates.
> 
> For example, "dehydrated" is a shell script for obtaining certificates, and here's a script which
> can do TSIG updates. Here are others which can do direct mysql updates or API updates.
> 
> I've not tested any of these with PowerDNS (I use bind for LetsEncrypt as it doesn't need a
> database), so I'm afraid you need to put these bits together yourself.
> 
> Make sure you point at the LetsEncrypt "staging environment" while you're testing this, otherwise
> you'll hit rate limits that will prevent you making further API calls to LetsEncrypt for several
> hours. Once all the challenge/response stuff is working, then switch to the production environment
> to get real certs.

Right, I think I completely misunderstood everything. For some reason I thought I needed to configure the two DNS servers to send updates to each other or something, but now I see that it's not nearly that complicated.

I found the following certbot plugins, of which I've successfully implemented the latter:
https://certbot-dns-rfc2136.readthedocs.io/en/stable/
https://pypi.org/project/certbot-dns-powerdns/

I don't necessarily need to use PowerDNS for the ACME DNS server, so I might employ bind with the former plugin instead, since it's only going to be a minimal DNS configuration.

Thank you!


More information about the Pdns-users mailing list