PowerDNS Recursor – Hiding/Private Zones via LUA

When deploying PowerDNS Recursor for our customers, we had an issue with how to hide some responses/zones to external IPs. The way we implemented this solution is via LUA scripting.

-- Set Private Zone
myDomain = newDN("private.com")

-- Whitelist IPs
myNetblock = newNMG()
myNetblock:addMask("192.168.0.0/24")
myNetblock:addMask("192.168.9.0/24")

function preresolve(dq)
	if dq.qname:isPartOf(myDomain) and myNetblock:match(dq.remoteaddr) and dq.qtype == pdns.A then
		-- if the dns requests is for the private zone by trusted IP, proceed to respond.
		return false
	elseif dq.qname:isPartOf(myDomain) and dq.qtype == pdns.A then
		-- if the dns requests is for the private zone by UNtrusted IP, do not respond for A record requests
		pdnslog ("Remote IP " .. dq.remoteaddr:toString() .. " for domain=" .. dq.qname:toString() .. ", type=" .. tostring(dq.qtype) )
		return true
	else
		-- function normally for everything else.
		return false
	end
end

In the above example, we set the zone/domain that needs to be private, next select which IP addresses are allowed to see the records and finally the logic via the preresolve() function.