[Pdns-users] DNSSEC + Split DNS
Brian Candler
b.candler at pobox.com
Thu Apr 9 09:47:34 UTC 2026
On 09/04/2026 10:24, rob777 via Pdns-users wrote:
>
> Response Policy Zone on the recursor is the way I'd do it. This is
> what RPZ is designed for: to override specific DNS answers.
>
> I used to do it with BIND views in the past, as I had BIND
> running. As I migrated to PowerDNS this generated some issues,
> obviously, since BIND views weren't available there and it had to be
> done with LUA records.
>
> This historical thing with Shadow Records is something that is
> difficult to clean up and fix for different reasons. And it
> regularly comes back and bites me in the ass..
RPZs are the "standard" mechanism for this; people use it for things
like ad and porn blocking, but really it does exactly what you need.
PowerDNS has had it for ten years:
https://blog.powerdns.com/2016/06/28/response-policy-zone-support-in-powerdns-recursor
Example YAML config:

  recursor:
    rpzs:
      - name: /etc/powerdns/rpz.zone

# content of file /etc/powerdns/rpz.zone

  $TTL 300
  @ IN SOA localhost. root.localhost. (
          2026040900 60 60 43200 60
          )
    IN NS localhost.
  www.powerdns.com A 1.2.3.4

# Testing:

  dig @localhost www.powerdns.com. a
  ...
  ;; ANSWER SECTION:
  www.powerdns.com. 268 IN A 1.2.3.4

It's as simple as that. In this single zone, you list all the records
you want to override, as subdomains of the policy zone (hence no dot
after "www.powerdns.com" in the example above).
If you wish, you can make the RPZ a real DNS zone under a domain you
control (e.g. rpz.test.com) and then the recursor(s) can fetch it using
AXFR. Then you can manage it using whatever tools you use normally to
manage zone contents, and multiple recursors can fetch the same zone.
The above example bypasses this by using a local file.
There are other actions you can put in RPZs to manipulate the responses:
for example a "CNAME ." record will give an NXDOMAIN response. Docs
aren't hard to find.
Regards,
Brian.
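The zone-file semantics Brian describes (owner names without a trailing dot are relative to the policy zone, so "www.powerdns.com" matches the real name; an A record overrides the answer; "CNAME ." yields NXDOMAIN) can be checked offline with a small evaluator. The following is an added example, not code from the post or from the PowerDNS project: it parses a constructed RPZ zone in the same style as the message's example and reports what the recursor would do for a given query name. The wildcard entry and the extra owner names in the sample zone are constructed for illustration; the matching order (exact QNAME, then wildcard parents) is the assumption this toy makes about RPZ QNAME triggers.

```python
"""Toy evaluator for RPZ QNAME-trigger semantics (added example, not PowerDNS code).

It parses a minimal RPZ zone file like the one in the post and decides, for a
query name, whether the recursor would hand back an overridden answer, an
NXDOMAIN (the "CNAME ." action), or pass the query through to normal
resolution. The zone text below is constructed for this example.
"""

from dataclasses import dataclass
from typing import Optional

# Constructed RPZ zone text. The first record line mirrors the post's example.
# Owner names WITHOUT a trailing dot are relative to the policy zone origin,
# which is exactly why "www.powerdns.com" (no dot) matches the real name.
RPZ_ZONE = """\
$TTL 300
@ IN SOA localhost. root.localhost. (
        2026040900 60 60 43200 60
        )
  IN NS localhost.
www.powerdns.com        A      1.2.3.4      ; override the answer
ads.example.test        CNAME  .            ; return NXDOMAIN
*.tracker.example.test  CNAME  .            ; NXDOMAIN for every subdomain
"""


@dataclass
class Policy:
    action: str           # "override" or "nxdomain"
    rdata: Optional[str]  # replacement rdata for "override", else None


def parse_rpz(text: str) -> dict[str, Policy]:
    """Map each relative owner name (lower-cased) to the policy it encodes."""
    policies: dict[str, Policy] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a zone-file comment
        if not line or line.startswith(("$", "@")) or line.endswith(")"):
            continue  # directives, the SOA and its continuation lines
        fields = line.split()
        if len(fields) < 3 or fields[-2] not in ("A", "AAAA", "CNAME"):
            continue  # apex NS and anything this toy does not model
        owner, rtype, rdata = fields[0], fields[-2], fields[-1]
        if owner.endswith("."):
            continue  # an absolute owner would not sit inside the policy zone
        if rtype == "CNAME" and rdata == ".":
            policies[owner.lower()] = Policy("nxdomain", None)
        else:
            policies[owner.lower()] = Policy("override", rdata)
    return policies


def apply_policy(qname: str, policies: dict[str, Policy]) -> tuple[str, Optional[str]]:
    """Emulate the QNAME trigger: exact match first, then '*.' wildcard parents.

    Returns (action, rdata) where action is "override", "nxdomain" or "passthru".
    """
    name = qname.rstrip(".").lower()  # queries arrive with or without the root dot
    if name in policies:
        hit = policies[name]
        return hit.action, hit.rdata
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in policies:
            hit = policies[wildcard]
            return hit.action, hit.rdata
    return "passthru", None


if __name__ == "__main__":
    table = parse_rpz(RPZ_ZONE)
    for q in ("www.powerdns.com.", "ads.example.test", "pixel.tracker.example.test", "www.example.org"):
        print(q, "->", apply_policy(q, table))
```

Running the script prints the decision for each constructed query: the post's own "www.powerdns.com" comes back overridden to 1.2.3.4, the two "CNAME ." owners (and any name under the wildcard) come back NXDOMAIN, and an unlisted name passes through. It is a model of the lookup only; the real recursor also implements other RPZ triggers and actions that the post does not cover.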