[Pdns-users] Prevent external lookup of (private) subdomains
Hi, I intend to set up a PowerDNS authoritative server and recursor, where a few subdomains will be forwarded to the auth server for internal use only. (local IP addresses) We do not wish to allow lookups for these domains by any external host. So far, so good.

Now, additionally, I would like to employ Let’s Encrypt certificates for these private services by using DNS wildcard challenge. This, of course, requires that the DNS server be public.

My question, then, is can I set up PowerDNS in such a way that the DNS server allows the necessary lookups required to complete the DNS challenge, but prevents lookups for any subdomains by any external host? In other words, can I allow lookups for intra.example.com from 0.0.0.0/0 while only allowing lookups for myservice.intra.example.com from 192.168.1.0/24?

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] Prevent external lookup of (private) subdomains
Specifically, the intention is to use a single wildcard certificate *.intra.example.com rather than one for each subdomain. I don't know if that changes anything. (also I'm new to this mailing list business)

July 9, 2021 4:03 PM, "Brian Candler" wrote:

> On 09/07/2021 14:43, informant--- via Pdns-users wrote:
>
>> I intend to set up a PowerDNS authoritative server and recursor, where a few subdomains will be forwarded to the auth server for internal use only. (local IP addresses) We do not wish to allow lookups for these domains by any external host. So far, so good.
>>
>> Now, additionally, I would like to employ Let’s Encrypt certificates for these private services by using DNS wildcard challenge. This, of course, requires that the DNS server be public.
>>
>> My question, then, is can I set up PowerDNS in such a way that the DNS server allows the necessary lookups required to complete the DNS challenge, but prevents lookups for any subdomains by any external host?
>
> You have a domain like "int.example.com" where you don't want any names to be visible to the outside world, but you want to be able to obtain certificates for them. Correct?
Re: [Pdns-users] Prevent external lookup of (private) subdomains
I'm not too familiar with DNS updates, but am I understanding it correctly that it would be set up like so:

I set up two different DNS servers, one public and one private. I delegate int.example.com to the public server in our global DNS. The private server will serve the actual subdomain records, and will send DNS updates to the public server. (in order to respond to ACME challenges?)

Where can I find info on how to set up the TSIG keys and DNS updating on both ends?

I have seen these, but do they cover everything? Because I still don't know where to start.
https://doc.powerdns.com/authoritative/dnsupdate.html
https://doc.powerdns.com/authoritative/tsig.html
Re: [Pdns-users] Prevent external lookup of (private) subdomains
August 16, 2021 10:10 AM, "informant--- via Pdns-users" wrote:

> I'm not too familiar with DNS updates, but am I understanding it correctly that it would be set up like so:
>
> I set up two different DNS servers, one public and one private. I delegate int.example.com to the public server in our global DNS. The private server will serve the actual subdomain records, and will send DNS updates to the public server. (in order to respond to ACME challenges?)
>
> Where can I find info on how to set up the TSIG keys and DNS updating on both ends?
>
> I have seen these, but do they cover everything? Because I still don't know where to start.
> https://doc.powerdns.com/authoritative/dnsupdate.html
> https://doc.powerdns.com/authoritative/tsig.html

Ok, this was meant to be a reply to this thread:
https://mailman.powerdns.com/pipermail/pdns-users/2021-July/027319.html
Re: [Pdns-users] Prevent external lookup of (private) subdomains
July 9, 2021 5:12 PM, "Brian Candler" wrote:

> On 09/07/2021 15:29, inform...@trinaxab.se wrote:
>
>> Specifically, the intention is to use a single wildcard certificate *.intra.example.com rather than one for each subdomain. I don't know if that changes anything.
>
> No difference. You just need to be able to insert TXT records in the zone
>
> _acme-challenge.intra.example.com
>
> to get a wildcard cert for *.intra.example.com. (Note that wildcard certs only match one level: e.g. "accounts.intra.example.com" will match but not "mail.accounts.intra.example.com")

How do I set this up? I haven't really worked with DNS on this level before. I find things relating to DNS updates, AXFR, TSIG and master/slave configurations, but I'm not sure which of those are relevant.
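The two facts in Brian's reply above (the challenge TXT record for a wildcard name lives at `_acme-challenge.<base domain>`, and a wildcard certificate covers exactly one label) are easy to get wrong when wiring up an ACME client. The script below is an added example, not code from this thread, from PowerDNS or from any ACME client. It uses only the Python standard library: it derives the TXT owner name from a certificate name, computes the DNS-01 TXT value as RFC 8555 §8.4 specifies (base64url of SHA-256 over `token.thumbprint`), and checks which hostnames a wildcard actually covers. The token and account-key thumbprint in the demo are constructed placeholders, not real ACME values.

```python
import base64
import hashlib


def challenge_record_name(cert_name: str) -> str:
    """Owner name of the TXT record an ACME DNS-01 validator queries.

    For a wildcard certificate "*.intra.example.com" the leading "*." is
    stripped first, so the record lives at _acme-challenge.intra.example.com,
    the same place as for a plain "intra.example.com" certificate.
    """
    name = cert_name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return f"_acme-challenge.{name}"


def base64url(data: bytes) -> str:
    # RFC 4648 URL-safe alphabet with the '=' padding removed, as ACME requires.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    """TXT rdata for a DNS-01 challenge (RFC 8555 section 8.4).

    key authorization = token || "." || base64url(thumbprint of account key)
    TXT value         = base64url(SHA-256(key authorization))
    """
    key_authorization = f"{token}.{account_thumbprint}"
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64url(digest)


def wildcard_matches(cert_name: str, hostname: str) -> bool:
    """Return True if a certificate name (optionally "*.<domain>") covers hostname.

    A wildcard covers exactly one label: "*.intra.example.com" matches
    "accounts.intra.example.com" but not "mail.accounts.intra.example.com",
    and it does not cover "intra.example.com" itself either.
    Comparison is case-insensitive and ignores a trailing dot.
    """
    cert = cert_name.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(cert) != len(host):
        return False
    if cert[0] == "*":
        # Only the leftmost label may be a wildcard; it must match a non-empty label.
        return host[0] != "" and cert[1:] == host[1:]
    return cert == host


if __name__ == "__main__":
    # Constructed demo inputs (hypothetical; not real ACME material).
    wildcard = "*.intra.example.com"
    token = "constructed-token"
    thumbprint = "constructed-thumbprint"

    print("TXT owner name:", challenge_record_name(wildcard))
    print("TXT value     :", dns01_txt_value(token, thumbprint))
    for host in ("accounts.intra.example.com",
                 "mail.accounts.intra.example.com",
                 "intra.example.com"):
        print(f"{wildcard} covers {host}: {wildcard_matches(wildcard, host)}")
```

Whatever client you end up using, the only record the public-facing server must accept from it is the TXT at the owner name `challenge_record_name` returns; the private hostnames under `intra.example.com` never need to leave the internal server for the challenge to succeed.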
Re: [Pdns-users] Prevent external lookup of (private) subdomains
September 22, 2021 1:06 PM, "Brian Candler" wrote:

> On 22/09/2021 10:54, inform...@trinaxab.se wrote:
>
>> July 9, 2021 5:12 PM, "Brian Candler" wrote:
>>
>>> On 09/07/2021 15:29, inform...@trinaxab.se wrote:
>>>
>>>> Specifically, the intention is to use a single wildcard certificate *.intra.example.com rather than one for each subdomain. I don't know if that changes anything.
>>>
>>> No difference. You just need to be able to insert TXT records in the zone
>>>
>>> _acme-challenge.intra.example.com
>>>
>>> to get a wildcard cert for *.intra.example.com. (Note that wildcard certs only match one level: e.g. "accounts.intra.example.com" will match but not "mail.accounts.intra.example.com")
>>
>> How do I set this up? I haven't really worked with DNS on this level before. I find things relating to DNS updates, AXFR, TSIG and master/slave configurations, but I'm not sure which of those are relevant.
>
> In short:
>
> - if you've decided to use PowerDNS as the authoritative server for intra.example.com, you need to choose a backend which allows dynamic updates (i.e. not the BIND backend; one of the SQL ones will be fine)
> - you need to enable dynamic updates (e.g. using TSIG or via the API depending on how you're going to perform the updates)
> - you need to configure your ACME client to perform the updates.
>
> For example, "dehydrated" is a shell script for obtaining certificates, and here's a script which can do TSIG updates. Here are others which can do direct mysql updates or API updates.
>
> I've not tested any of these with PowerDNS (I use bind for LetsEncrypt as it doesn't need a database), so I'm afraid you need to put these bits together yourself.
>
> Make sure you point at the LetsEncrypt "staging environment" while you're testing this, otherwise you'll hit rate limits that will prevent you making further API calls to LetsEncrypt for several hours. Once all the challenge/response stuff is working, then switch to the production environment to get real certs.

Right, I think I completely misunderstood everything. For some reason I thought I needed to configure the two DNS servers to send updates to each other or something, but now I see that it's not nearly that complicated.

I found the following certbot plugins, of which I've successfully implemented the latter:
https://certbot-dns-rfc2136.readthedocs.io/en/stable/
https://pypi.org/project/certbot-dns-powerdns/

I don't necessarily need to use PowerDNS for the ACME DNS server, so I might employ bind with the former plugin instead, since it's only going to be a minimal DNS configuration.

Thank you!