When deploying PowerDNS Recursor for our customers, we had an issue with how to hide some responses/zones to external IPs. The way we implemented this solution is via LUA scripting.
-- Set Private Zone
myDomain = newDN("private.com")
-- Whitelist IPs
myNetblock = newNMG()
myNetblock:addMask("192.168.0.0/24")
myNetblock:addMask("192.168.9.0/24")
function preresolve(dq)
if dq.qname:isPartOf(myDomain) and myNetblock:match(dq.remoteaddr) and dq.qtype == pdns.A then
-- if the dns requests is for the private zone by trusted IP, proceed to respond.
return false
elseif dq.qname:isPartOf(myDomain) and dq.qtype == pdns.A then
-- if the dns requests is for the private zone by UNtrusted IP, do not respond for A record requests
pdnslog ("Remote IP " .. dq.remoteaddr:toString() .. " for domain=" .. dq.qname:toString() .. ", type=" .. tostring(dq.qtype) )
return true
else
-- function normally for everything else.
return false
end
end
In the above example, we set the zone/domain that needs to be private, next select which IP addresses are allowed to see the records and finally the logic via the preresolve() function.
Leave a Reply