@towo
Last active March 8, 2024 23:21
ACL / query restriction for PowerDNS
-- Backend PowerDNS instance that dnsdist forwards to
newServer('127.0.0.1:4201')
-- Listeners: loopback, the internal interface and the public one
addLocal('127.0.0.1:53')
addLocal('10.1.0.1:53', true, true, 0)
addLocal('203.0.113.42:53', true, true, 0)
-- Accept queries from anyone; the rules below decide what they may see
setACL('0.0.0.0/0')
-- Zones that must only be resolvable from the internal network
internalDomains = newSuffixMatchNode()
internalDomains:add(newDNSName("alpha.example.com."))
internalDomains:add(newDNSName("beta.example.com."))
-- The zone apexes themselves stay queryable from anywhere (AllowAction stops rule processing)
addAction(RegexRule('^(alpha|beta)\\.example\\.com$'), AllowAction())
-- Anything else under those zones, asked from outside 10.0.0.0/8, is REFUSED
addAction(AndRule({NotRule(makeRule('10.0.0.0/8')), SuffixMatchNodeRule(internalDomains)}), RCodeAction(dnsdist.REFUSED))
-- External clients get no recursion at all
addAction(NotRule(makeRule('10.0.0.0/8')), NoRecurseAction())
towo commented Oct 18, 2017

Restricting queries in PowerDNS

By default, PowerDNS behaves like a good internet DNS citizen and doesn't allow you to adjust your output depending on
who's asking. If you don't look too hard at Response Policy Zones, anyway.

But say you have an internal DNS zone you're not particularly prone to leak to the outside. What are you gonna do?

Use dnsdist.

dnsdist is supposed to be a load balancer you put in front of your DNS servers, but additionally, it allows you to use
a bit of Lua to match packets and apply actions to them.

The following example defines two DNS suffixes - alpha and beta - that give you a REFUSED response if you try to query
them from non-local addresses (represented by 10.0.0.0/8 here). Additionally, the RegexRule allows you to still allow the
records of the subzone itself to be queried - useful if it is the public-facing front of a sub network, for example. Just
skip them if you don't want to allow that kind of access.
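The same policy written against the newer dnsdist configuration API, as an added example that is not the gist author's config. It generalises the gist in three ways: the "internal" side is a NetmaskGroup so several ranges (here 10.0.0.0/8, loopback and IPv6 loopback, all assumed values) count as inside; the zone apexes are matched with exact-name QNameRule instead of a regex, so the allow rule cannot match more than intended; and the listener and ACL calls use the table forms. The addresses, the backend port and the two zone names are placeholders carried over from the gist.

```lua
-- Added example, not the gist author's config. Assumes dnsdist 1.4 or later
-- (table-style addLocal options, DNSRCode constants). All addresses and zone
-- names are placeholders.

-- Backend PowerDNS instance and the three listeners (same layout as the gist).
newServer({address = '127.0.0.1:4201', name = 'pdns-backend'})
addLocal('127.0.0.1:53')
addLocal('10.1.0.1:53', {reusePort = true})
addLocal('203.0.113.42:53', {reusePort = true})

-- The ACL only decides who may talk to dnsdist at all. It stays wide open here
-- because the per-zone rules below are what keep internal names from leaking.
setACL({'0.0.0.0/0', '::/0'})

-- Client networks treated as "inside". A NetmaskGroup lets you list more than
-- one range; loopback is included so local tooling sees the full zones.
internalNets = newNMG()
internalNets:addMask('10.0.0.0/8')
internalNets:addMask('127.0.0.0/8')
internalNets:addMask('::1/128')

-- Zones that must only be resolvable from internalNets.
internalDomains = newSuffixMatchNode()
internalDomains:add(newDNSName('alpha.example.com.'))
internalDomains:add(newDNSName('beta.example.com.'))

-- 1. The zone apexes remain queryable from anywhere. QNameRule is an exact
--    match on the query name, and AllowAction stops rule processing, so the
--    rules below never see these queries.
addAction(OrRule({QNameRule('alpha.example.com.'), QNameRule('beta.example.com.')}), AllowAction())

-- 2. Any other name under the internal zones, asked from outside, is REFUSED.
addAction(AndRule({NotRule(NetmaskGroupRule(internalNets)), SuffixMatchNodeRule(internalDomains)}), RCodeAction(DNSRCode.REFUSED))

-- 3. Outside clients get no recursion, so the backend only serves what it is
--    authoritative for.
addAction(NotRule(NetmaskGroupRule(internalNets)), NoRecurseAction())
```

Rule order matters: the AllowAction rule has to come first, because once a query for an internal name from an outside address reaches rule 2 it is refused regardless of whether the name is an apex. To check the policy after loading it, query a name under one of the zones once from an address in internalNets and once from outside; the first should answer normally and the second should return REFUSED.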
