On 14/5/2021 10:17 AM, fr...@tembo.be wrote:
To keep them hidden, what I would recommend is to create
private.noa.gr as a separate zone (so add NS records for it in the
noa.gr zone and create a new zone), and add example.private.noa.gr
to that zone. You can then deny AXFRs for that zone. People who can
AXFR noa.gr can still see that a private.noa.gr zone exists (as they
would see the NS delegation), but they can't see what's in it.

Thank you, Frank,

Some questions:

1. How can we configure PowerDNS (Authoritative) to deny AXFRs for a
particular zone? I have seen domainmetadata documentation at:
https://doc.powerdns.com/authoritative/domainmetadata.html
but this functionality is documented as not available for non-DNSSEC
capable backends as is ours (LDAP).

2. If anyone on the Internet looks up *directly* a particular hostname
under private.noa.gr zone (e.g. example.private.noa.gr), won't they be
able to see data about it? Shouldn't we somehow deny all Internet
requests for that particular zone (in addition to AXFRs), and only allow
internal requests?

If so, how do we configure PowerDNS (Authoritative) to allow requests
only from specific IP ranges for that particular zone?

Thanks again,
Nick

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
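
Added example, not part of the thread and not PowerDNS code: a toy Python model of the zone split Frank describes, comparing what a transfer-permitted client can enumerate before and after the split and what an ordinary lookup returns. The records, the 203.0.113.0/24 secondary range and the per-zone transfer ACL are constructed assumptions, not PowerDNS configuration.

```python
from ipaddress import ip_address, ip_network

SECONDARY_NET = "203.0.113.0/24"  # constructed: hosts allowed to AXFR noa.gr

PUBLIC = [  # constructed records; addresses are documentation ranges
    ("noa.gr", "SOA", "ns1.noa.gr. hostmaster.noa.gr. 1"),
    ("noa.gr", "NS", "ns1.noa.gr."),
    ("ns1.noa.gr", "A", "192.0.2.53"),
    ("www.noa.gr", "A", "192.0.2.80"),
]
HIDDEN = [("example.private.noa.gr", "A", "198.51.100.10")]

# Layout 1: everything lives in the single noa.gr zone.
SINGLE = {"noa.gr": {"axfr_allow": [SECONDARY_NET], "records": PUBLIC + HIDDEN}}
# Layout 2: private.noa.gr is delegated to its own zone, with AXFR denied to all.
SPLIT = {
    "noa.gr": {"axfr_allow": [SECONDARY_NET],
               "records": PUBLIC + [("private.noa.gr", "NS", "ns1.noa.gr.")]},
    "private.noa.gr": {"axfr_allow": [], "records": [
        ("private.noa.gr", "SOA", "ns1.noa.gr. hostmaster.noa.gr. 1"),
        ("private.noa.gr", "NS", "ns1.noa.gr."),
    ] + HIDDEN},
}

def axfr(zones, apex, client_ip):
    """Return the zone's records, or None (REFUSED) if the client is not allowed."""
    zone = zones[apex]
    ip = ip_address(client_ip)
    if not any(ip in ip_network(net) for net in zone["axfr_allow"]):
        return None
    return zone["records"]

def names_via_axfr(zones, client_ip):
    """Every owner name the client can enumerate by trying AXFR on each zone."""
    return {name for apex in zones
            for name, _, _ in (axfr(zones, apex, client_ip) or [])}

def query(zones, qname, qtype):
    """Ordinary lookup: answered from the most specific zone; no transfer ACL applies."""
    apexes = [a for a in zones if qname == a or qname.endswith("." + a)]
    if not apexes:
        return []
    records = zones[max(apexes, key=len)]["records"]
    return [r for r in records if r[0] == qname and r[1] == qtype]
```

In this model the split removes example.private.noa.gr from what a noa.gr transfer exposes, while `query` still answers for that name when it is asked for directly.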