Last active March 8, 2024 23:21
ACL / query restriction for PowerDNS
```lua
-- Backend PowerDNS server and the addresses dnsdist listens on
newServer('127.0.0.1:4201')
addLocal('127.0.0.1:53')
-- Positional form (address, doTCP, reusePort, tcpFastOpenQueueSize) from older dnsdist releases;
-- newer releases take an options table instead
addLocal('10.1.0.1:53', true, true, 0)
addLocal('203.0.113.42:53', true, true, 0)
-- Accept queries from anywhere; the rules below do the actual restricting
setACL('0.0.0.0/0')
-- Internal zones that must not be visible from outside 10.0.0.0/8
internalDomains = newSuffixMatchNode();
internalDomains:add(newDNSName("alpha.example.com."))
internalDomains:add(newDNSName("beta.example.com."))
-- Rules are evaluated in order; the first match wins.
-- 1. The zone apexes themselves stay queryable from everywhere
addAction(RegexRule('^(alpha|beta)\\.example\\.com$'), AllowAction())
-- 2. Anything under the internal zones asked from outside 10.0.0.0/8 gets REFUSED
--    (newer dnsdist releases spell the constant DNSRCode.REFUSED)
addAction(AndRule({NotRule(makeRule('10.0.0.0/8')), SuffixMatchNodeRule(internalDomains)}), RCodeAction(dnsdist.REFUSED))
-- 3. Everything else from outside is forwarded with recursion desired cleared
addAction(NotRule(makeRule('10.0.0.0/8')), NoRecurseAction())
```
Restricting queries in PowerDNS

By default, PowerDNS behaves like a good internet DNS citizen and doesn't allow you to adjust your output depending on who's asking. If you don't look too hard at Response Policy Zones, anyway.

But say you have an internal DNS zone you're not particularly keen to leak to the outside. What are you gonna do?

Use dnsdist.

dnsdist is supposed to be a load balancer you put in front of your DNS servers, but additionally, it allows you to use a bit of Lua to match packets and apply actions to them.

The following example defines two DNS suffixes - alpha and beta - that give you a `REFUSED` response if you try to query them from addresses outside the local network (represented by 10.0.0.0/8 here). Additionally, the `RegexRule` allows you to still allow the records of the subzone itself to be queried - useful if it is the public-facing front of a sub network, for example. Just skip it if you don't want to allow that kind of access.
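To check how the three rules combine before deploying them, here is an added Python model of the rule chain (not dnsdist code and not part of this gist): it reproduces dnsdist's first-match ordering, the label-aware suffix matching of `newSuffixMatchNode()`, and `RegexRule` matching the name without its trailing dot, run over constructed sample queries.

```python
import ipaddress
import re

# Constructed model of the gist's rule chain; values mirror the config above.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
INTERNAL_DOMAINS = ("alpha.example.com", "beta.example.com")
# RegexRule is applied to the qname without its trailing dot.
APEX_RE = re.compile(r"^(alpha|beta)\.example\.com$")


def is_internal(source):
    """makeRule('10.0.0.0/8'): does the client source address fall in the net?"""
    return ipaddress.ip_address(source) in INTERNAL_NET


def suffix_match(qname, suffixes):
    """Label-aware suffix match like SuffixMatchNodeRule: the qname is the
    suffix itself or ends with '.' + suffix. 'xalpha.example.com' must NOT
    match 'alpha.example.com', which a plain endswith() would get wrong."""
    labels = qname.rstrip(".").lower().split(".")
    for suffix in suffixes:
        slabels = suffix.rstrip(".").lower().split(".")
        if labels[-len(slabels):] == slabels:
            return True
    return False


def evaluate(source, qname):
    """Walk the addAction() rules in order; the first matching rule decides."""
    name = qname.rstrip(".")
    # Rule 1: the apex names are always allowed; AllowAction stops processing.
    if APEX_RE.match(name):
        return "allow"
    # Rule 2: external source asking for anything under an internal zone.
    if not is_internal(source) and suffix_match(name, INTERNAL_DOMAINS):
        return "refused"
    # Rule 3: any other external query is forwarded with RD cleared.
    if not is_internal(source):
        return "allow-norecurse"
    # Internal clients matched no rule and are forwarded unchanged.
    return "allow"
```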