Re: [Pdns-users] Prevent external lookup of (private) subdomains
On 23/09/2021 14:31, inform...@trinaxab.se wrote: I don't necessarily need to use PowerDNS for the ACME DNS server, so I might employ bind with the former plugin instead, since it's only going to be a minimal DNS configuration. Exactly. You can stand up a separate nameserver purely for responding to ACME challenges, and delegate to it using intra.example.com. NS acme-ns.example.com. You don't even need to run multiple nameservers, because the normal RFC2182 redundancy requirements don't come into play here. That makes answering DNS01 challenges much faster, as you don't need to wait for updates to replicate to secondary nameservers. If you want to issue certs for hosts which are not under intra.example.com, you can still do so: just add static NS records like _acme-challenge.www.example.com. NS acme-ns.example.com. for each name that you want to issue a cert for. Best practice is to create separate zones for these on your acme-ns nameserver, with different TSIG keys, so that each host is only able to issue certs for its own hostname(s). I like this approach because you can keep your robust, static public DNS as-is, and not have to introduce any dynamic DNS updates into it. Regards, Brian. ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com https://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] Prevent external lookup of (private) subdomains
September 22, 2021 1:06 PM, "Brian Candler" wrote: > On 22/09/2021 10:54, inform...@trinaxab.se wrote: > >> July 9, 2021 5:12 PM, "Brian Candler" wrote: >>> On 09/07/2021 15:29, inform...@trinaxab.se wrote: Specifically, the intention is to use a single wildcard certificate *.intra.example.com rather than one for each subdomain. I don't know if that changes anything. >>> No difference. You just need to be able to insert TXT records in the zone >>> _acme-challenge.intra.example.com >>> to get a wildcard cert for *.intra.example.com. (Note that wildcard certs >>> only match one level: >>> e.g. "accounts.intra.example.com" will match but not >>> "mail.accounts.intra.example.com") >> How do I set this up? I haven't really worked with DNS on this level before. >> I find things relating >> to DNS updates, AXFR, TSIG and master/slave configurations, but I'm not sure >> which of those are >> relevant. > In short: > > - if you've decided to use PowerDNS as the authoritative server for > intra.example.com, you need to > choose a backend which allows dynamic updates (i.e. not the BIND backend; one > of the SQL ones will > be fine) > - you need to enable dynamic updates (e.g. using TSIG or via the API > depending on how you're going > to perform the updates) > - you need to configure your ACME client to perform the updates. > > For example, "dehydrated" is a shell script for obtaining certificates, and > here's a script which > can do TSIG updates. Here are others which can do direct mysql updates or API > updates. > > I've not tested any of these with PowerDNS (I use bind for LetsEncrypt as it > doesn't need a > database), so I'm afraid you need to put these bits together yourself. > > Make sure you point at the LetsEncrypt "staging environment" while you're > testing this, otherwise > you'll hit rate limits that will prevent you making further API calls to > LetsEncrypt for several > hours. Once all the challenge/response stuff is working, then switch to the > production environment > to get real certs. Right, I think I completely misunderstood everything. For some reason I thought I needed to configure the two DNS servers to send updates to each other or something, but now I see that it's not nearly that complicated. I found the following certbot plugins, of which I've successfully implemented the latter: https://certbot-dns-rfc2136.readthedocs.io/en/stable/ https://pypi.org/project/certbot-dns-powerdns/ I don't necessarily need to use PowerDNS for the ACME DNS server, so I might employ bind with the former plugin instead, since it's only going to be a minimal DNS configuration. Thank you! ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com https://mailman.powerdns.com/mailman/listinfo/pdns-users
[Pdns-users] First alpha release of dnsdist 1.7.0
Hi everyone, We are proud to announce the first alpha release of dnsdist 1.7.0. This release contains several new exciting features, as well as improvements and bug fixes. In our view, the most exciting new feature is the support of outgoing DNS over TLS and DNS over HTTPS, as well as the ability to do "cross-protocol" queries, meaning a query received over a given protocol (UDP, TCP, DoT, DoH, ...) can be forwarded over a different one. Now that dnsdist is capable of contacting its backend over an encrypted channel, full end-to-end encryption is possible, offering improved confidentiality and integrity. This release also reduces the memory footprint of dnsdist in several places, which makes it easier to use in resource-constrained environments. We added support for generating the still experimental SVCB and HTTPS records directly from dnsdist, offering potential benefits to both performance and privacy. Our LMDB code has gained the ability to do range-based lookups, and is now more efficient even for simple lookups. Extending the per-thread custom load-balancing policies introduced in 1.6.0, it is now possible to write blazing-fast, lock-less per-thread custom actions using the Lua foreign function interface. Dimitrios Mavrommatis improved the handling of AXFR and IXFR queries, making it possible to reuse a TCP connection used for a zone transfer much more efficiently. Holger Hoffstätte also improved the reporting of an unavailable backend, making sure the existing metrics are no longer reported to prevent any confusion. Please see the dnsdist website [1] for the more complete changelog [2] and the current documentation. Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub. Release tarballs are available on the downloads website, and packages for CentOS 7 and 8, Debian Buster, Bullseye, and Ubuntu Bionic and Focal are available from our repository. With the future 1.7.0 final release, the 1.4.x releases will be EOL and the 1.5.x releases will go into critical security fixes only mode. Finally, we would like to thank the PowerDNS community and all external contributors for their great work in this release! [1]: https://dnsdist.org [2]: https://dnsdist.org/changelog.html#change-1.7.0-alpha1 [3]: https://github.com/PowerDNS/pdns/issues/new/choose [4]: https://downloads.powerdns.com/releases/dnsdist-1.7.0-alpha1.tar.bz2 [5]: hhttps://downloads.powerdns.com/releases/dnsdist-1.7.0-alpha1.tar.bz2.sig [6]: https://repo.powerdns.com Best regards, -- Remi Gacogne PowerDNS.COM BV - https://www.powerdns.com/ OpenPGP_signature Description: OpenPGP digital signature ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com https://mailman.powerdns.com/mailman/listinfo/pdns-users
