When deploying PowerDNS Recursor for our customers, we needed a way to hide certain responses/zones from external IP addresses: the records of a private zone should only be visible to clients on our own networks. We implemented this with the Recursor's Lua scripting hooks.
-- Set the private zone
myDomain = newDN("private.com")

-- Whitelist IPs: clients in these netblocks may see the private zone
myNetblock = newNMG()
myNetblock:addMask("192.168.0.0/24")
myNetblock:addMask("192.168.9.0/24")

function preresolve(dq)
  if dq.qname:isPartOf(myDomain) and myNetblock:match(dq.remoteaddr) and dq.qtype == pdns.A then
    -- If the DNS request is for the private zone from a trusted IP, proceed to respond
    -- (return false = let the recursor resolve normally).
    return false
  elseif dq.qname:isPartOf(myDomain) and dq.qtype == pdns.A then
    -- If the DNS request is for the private zone from an UNtrusted IP, do not respond
    -- to A record requests: log it and return true with no records added, so the
    -- recursor sends back an empty NOERROR answer instead of resolving.
    pdnslog("Remote IP " .. dq.remoteaddr:toString() .. " for domain=" .. dq.qname:toString() .. ", type=" .. tostring(dq.qtype))
    return true
  else
    -- Function normally for everything else.
    return false
  end
end
In the above example, we first set the zone/domain that needs to be private, then select which IP addresses (netblocks) are allowed to see its records, and finally implement the decision in the preresolve() function, which the Recursor calls for every query before it starts resolving. Note that this script only filters on dq.qtype == pdns.A: queries for other record types (AAAA, MX, TXT, ANY, ...) under the private zone fall through to the else branch and are resolved normally, and the untrusted client receives an empty NOERROR answer rather than NXDOMAIN. Because the decision depends on the client address, the answer should also be marked as variable (dq.variable = true) so it is not stored in the packet cache, where an answer resolved for a trusted client could otherwise be served to a later query from an untrusted one.
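The following script is an added example, not code from the original post or from the PowerDNS project, and it goes beyond the post's version: it hides the private zone for every record type, answers NXDOMAIN instead of an empty NOERROR, and flags the answer as variable so the packet cache does not replay it to a different client. The zone name, netblocks and log text are placeholders; newDN, newNMG, isPartOf, match, dq.remoteaddr, dq.rcode, dq.variable, pdns.NXDOMAIN and pdnslog with pdns.loglevels are the Recursor's documented Lua API.

```lua
-- Added example (not from the original post): hide a private zone from
-- clients outside trusted networks, for all record types, with NXDOMAIN.
-- Zone name and netblocks are placeholders; adjust for your deployment.

local privateZone = newDN("private.example")   -- placeholder zone name

local trustedNets = newNMG()                   -- netblocks allowed to see the zone
trustedNets:addMask("192.168.0.0/24")          -- placeholder netblock
trustedNets:addMask("192.168.9.0/24")          -- placeholder netblock

function preresolve(dq)
  -- Only act on names at or below the private zone; everything else
  -- resolves normally (return false hands the query back to the recursor).
  if not dq.qname:isPartOf(privateZone) then
    return false
  end

  -- The outcome depends on who is asking, so tell the recursor not to
  -- store the answer in the packet cache. Without this, an answer resolved
  -- for a trusted client could be served from cache to an untrusted one.
  dq.variable = true

  if trustedNets:match(dq.remoteaddr) then
    return false                               -- trusted client: resolve as usual
  end

  -- Untrusted client: synthesize NXDOMAIN for every qtype, not just A, so
  -- the zone cannot be probed through AAAA, MX, TXT or ANY queries.
  dq.rcode = pdns.NXDOMAIN
  pdnslog("hidden-zone query from " .. dq.remoteaddr:toString()
          .. " qname=" .. dq.qname:toString()
          .. " qtype=" .. tostring(dq.qtype), pdns.loglevels.Notice)
  return true                                  -- send dq (rcode only, no records) as the answer
end
```

Load the script with the Recursor's lua-dns-script setting (pointing at the file path you saved it under) and restart the service. Returning true with dq.rcode set and no records added makes the recursor send exactly that reply; the log line at Notice level gives a simple detection signal for external clients probing the private zone.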