Re: [Pdns-users] Private IP Addresses in DNS Records

2021-05-14 Thread Kevin P. Fleming via Pdns-users
On Fri, May 14, 2021 at 12:42 PM Brian Candler via Pdns-users wrote:
>
> On 14/05/2021 16:13, Nikolaos Milas wrote:
> > Hmm, probably you mean IPv6 Link-local addresses (rather than GUAs);
> > GUAs are reachable indeed.
> GUAs aren't necessarily reachable: you can have internal ranges that are
> not routed, or blocked by ACLs.  Or he might have meant ULAs.

I have ULAs too, and some of them appear in public DNS records... but
I did mean GUAs, and Brian is right. Those are routable addresses, but
the firewall at the edge of my network will not allow incoming traffic
to those addresses (only replies to outgoing traffic). Thus, they are
not 'reachable'.
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] Private IP Addresses in DNS Records

2021-05-14 Thread Brian Candler via Pdns-users

On 14/05/2021 16:13, Nikolaos Milas wrote:
> Hmm, probably you mean IPv6 Link-local addresses (rather than GUAs);
> GUAs are reachable indeed.

GUAs aren't necessarily reachable: you can have internal ranges that are
not routed, or blocked by ACLs.  Or he might have meant ULAs.


Either way, I agree with him. I am perfectly happy publishing private 
and unreachable addresses in the public DNS, for the very reason that 
they are not reachable!  Hence it doesn't matter whether anyone can 
resolve them or not.


If company policy doesn't let you work that way, and you still want to 
use PowerDNS, then setting up a separate private DNS authoritative 
service is the simplest way to do it.  PowerDNS doesn't have "views" 
like bind: it's designed for ISP-scale robustness and performance.  To 
do clever tricks like answering differently depending on the source IP 
address, then you can use dnsdist in front, or you can use LUA scripting.


As for controlling AXFRs: that's normally done by TSIG authentication 
and/or by source IP address restrictions, but as I don't use LDAP as the 
backend, I'm afraid I can't tell you whether it's supported with that.


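A concrete form of the dnsdist option Brian mentions, added here as an example and not taken from the thread or from the PowerDNS project: a dnsdist configuration that answers REFUSED to queries for the delegated private.noa.gr subzone unless they arrive from internal ranges, and refuses zone transfers for that subzone from anyone but a listed secondary. The zone name is the one discussed in the thread; the backend address, the internal prefixes and the secondary address are constructed placeholders.

```lua
-- Added example (not from the mailing-list thread or the PowerDNS project):
-- dnsdist in front of PowerDNS Authoritative, restricting a delegated
-- private subzone to internal clients. All addresses are placeholders.

-- dnsdist's default ACL only admits RFC 1918, loopback and ULA sources;
-- a front-end for a public authoritative server must admit the Internet.
setACL({"0.0.0.0/0", "::/0"})
setLocal("0.0.0.0:53")
addLocal("[::]:53")

-- The PowerDNS Authoritative server behind dnsdist (placeholder address).
newServer({address="127.0.0.1:5300", name="pdns-auth"})

-- The subzone to protect, as a suffix match so names below it are covered.
privateZone = newSuffixMatchNode()
privateZone:add("private.noa.gr.")

-- Networks that may see the private subzone (constructed example prefixes).
internalNets = newNMG()
internalNets:addMask("127.0.0.0/8")
internalNets:addMask("10.0.0.0/8")
internalNets:addMask("192.168.0.0/16")
internalNets:addMask("fd00::/8")      -- ULA space

-- Secondaries allowed to transfer the subzone (placeholder address).
secondaries = newNMG()
secondaries:addMask("10.0.0.53/32")

-- Rule 1: any query for private.noa.gr or a name below it from outside
-- internalNets is answered REFUSED, so direct lookups do not leak records.
addAction(AndRule({SuffixMatchNodeRule(privateZone),
                   NotRule(NetmaskGroupRule(internalNets))}),
          RCodeAction(DNSRCode.REFUSED))

-- Rule 2: zone transfers (AXFR/IXFR) for the subzone are refused unless
-- the client is a listed secondary, even when it is an internal address.
addAction(AndRule({SuffixMatchNodeRule(privateZone),
                   OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}),
                   NotRule(NetmaskGroupRule(secondaries))}),
          RCodeAction(DNSRCode.REFUSED))

-- Everything else (the public noa.gr zone) passes through to the backend.
```

Because the filtering happens in dnsdist, it works regardless of which PowerDNS backend holds the zone, which matters here since the LDAP backend does not support the domain metadata used for AXFR control. It only helps if dnsdist is the sole path to the authoritative server: if the PowerDNS listener itself stays reachable from the Internet, the rules are bypassed, so bind it to a loopback or internal address.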


Re: [Pdns-users] Private IP Addresses in DNS Records

2021-05-14 Thread Nikolaos Milas via Pdns-users

On 14/5/2021 3:50 p.m., Kevin P. Fleming wrote:

> I agree with this sentiment; my publicly-visible zones contain records
> with both private addresses and with non-reachable public addresses
> (IPv6 GUAs), and I'm fine with that. If someone can learn the address
> of one of those systems, that doesn't cause any harm.


Hmm, probably you mean IPv6 Link-local addresses (rather than GUAs); 
GUAs are reachable indeed.


However, the whole point of the discussion is exactly how to avoid 
publishing non-reachable (private and link-local) addresses to the 
Internet, and it seems to me that what you suggest is in fact the 
opposite of what Brian suggested.


Yet, it is important to know that publishing to the Internet records
with private and/or link-local addresses is not considered bad practice!
Is there any documentation (RFC or good practice guidelines) on this
subject?


I fully understand and accept Brian's point on running a separate
internal authoritative server, but if I could do the job by using a
single authoritative server while keeping a subzone private, that would
save me valuable administrative cost and would make my admin life
easier, especially when taking into account that we are a relatively
small organization with relatively few RRs.


So, if someone (Frank?) can hint on how to block AXFRs/requests for a 
delegated subzone (nevertheless hosted on the same authoritative 
server), that would accomplish what we require while keeping admin 
effort low.


Thanks everyone for your feedback! I still hope that there is a solution 
with our current setup (slightly reconfigured).


Nick



Re: [Pdns-users] Private IP Addresses in DNS Records

2021-05-14 Thread Kevin P. Fleming via Pdns-users
On Fri, May 14, 2021 at 8:41 AM Brian Candler via Pdns-users wrote:
>
> If you really care (and honestly, it's security-through-obscurity) then
> you can run a separate auth server for your internal DNS, and stick it
> on a private IP address that only your internal resolvers can reach.

I agree with this sentiment; my publicly-visible zones contain records
with both private addresses and with non-reachable public addresses
(IPv6 GUAs), and I'm fine with that. If someone can learn the address
of one of those systems, that doesn't cause any harm.


Re: [Pdns-users] Private IP Addresses in DNS Records

2021-05-14 Thread Brian Candler via Pdns-users

On 14/05/2021 13:03, Nikolaos Milas via Pdns-users wrote:
> 2. If anyone on the Internet looks up *directly* a particular hostname
> under private.noa.gr zone (e.g. example.private.noa.gr), won't they be
> able to see data about it? Shouldn't we somehow deny all Internet
> requests for that particular zone (in addition to AXFRs), and only
> allow internal requests?
>
> If so, how do we configure PowerDNS (Authoritative) to allow requests
> only from specific IP ranges for that particular zone?



If you really care (and honestly, it's security-through-obscurity) then 
you can run a separate auth server for your internal DNS, and stick it 
on a private IP address that only your internal resolvers can reach.


You could also stick dnsdist in front of your main auth server - but 
unless you need it for other reasons, I'd say that's just another layer 
of complexity.




Re: [Pdns-users] Private IP Addresses in DNS Records

2021-05-14 Thread Nikolaos Milas via Pdns-users

On 14/5/2021 10:17 a.m., fr...@tembo.be wrote:

> To keep them hidden, what I would recommend, is to create
> private.noa.gr as a separate zone (so add NS records for it in the
> noa.gr zone and create a new zone), and add example.private.noa.gr to
> that zone. You can then deny AXFRs for that zone. People who can AXFR
> noa.gr can still see that a private.noa.gr zone exists (as they would
> see the NS delegation), but they can't see what's in it.


Thank you Frank,

Some questions:

1. How can we configure PowerDNS (Authoritative) to deny AXFRs for a 
particular zone? I have seen domainmetadata documentation at:


   https://doc.powerdns.com/authoritative/domainmetadata.html

but this functionality is documented as not available for non-DNSSEC 
capable backends as is ours (LDAP).


2. If anyone on the Internet looks up *directly* a particular hostname 
under private.noa.gr zone (e.g. example.private.noa.gr), won't they be 
able to see data about it? Shouldn't we somehow deny all Internet 
requests for that particular zone (in addition to AXFRs), and only allow 
internal requests?


If so, how do we configure PowerDNS (Authoritative) to allow requests 
only from specific IP ranges for that particular zone?


Thanks again,
Nick

