I’m well aware of the LE policy of not publishing the source IP addresses used for validation, and I understand the reasons behind it.
However, for those using DNS validation and running their own DNS server for validation purposes only, it would be nice to be able to not leave port 53 open to the world, but only to LE IP addresses.
My current workaround is to spin up the DNS server just before validation, add the challenge records, and shut it down afterwards, but as the number of times I have to do that in a day grows (lots of domains etc.) it would be nice if it could be left always up.
Thanks for any suggestions.
Why not automate it with your ACME client? e.g. with Certbot:
--pre-hook "ufw allow 53" --post-hook "ufw deny 53"
Ok, that could be an option I guess, however I think it may lead to race conditions in case multiple instances of the client are running at the same time. With my current workaround I have a set of wrapper scripts that use locking to avoid shutting down the server if another instance is running, so I’d have to replicate this setup to add/remove firewall rules, but then it wouldn’t be less cumbersome.
True, that could be a concern. For what it’s worth, Certbot doesn’t have that issue - it holds a file lock for its entire runtime.
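One way to turn the `--pre-hook`/`--post-hook` suggestion into something that survives several clients running at once is to reference-count the firewall rule under a lock: the first run opens port 53, later concurrent runs only bump a counter, and the rule is closed again when the last run finishes. The script below is an added example written for this thread, not code from Let's Encrypt, Certbot or any poster; it assumes a hypothetical install path (`/usr/local/sbin/dns53-gate`), a state directory under `/run`, `ufw` as the firewall (both overridable through environment variables), and that the client calls it with the arguments `pre` and `post`. As the reply above notes, Certbot already serialises its own runs with a file lock, so the counter mostly matters when different clients or wrapper scripts can overlap.

```shell
#!/bin/sh
# dns53-gate: open UDP/TCP 53 only while at least one ACME validation run
# is in progress. Added example for this thread; paths and defaults below
# are assumptions, adjust them to your setup.
#
#   certbot ... --pre-hook  "/usr/local/sbin/dns53-gate pre" \
#               --post-hook "/usr/local/sbin/dns53-gate post"

LOCK_DIR="${LOCK_DIR:-/run/acme-dns53}"      # assumed state directory
OPEN_CMD="${OPEN_CMD:-ufw allow 53}"         # firewall action when count 0 -> 1
CLOSE_CMD="${CLOSE_CMD:-ufw deny 53}"        # firewall action when count 1 -> 0

# mkdir is atomic, so using a directory as the lock needs no extra tools:
# exactly one instance succeeds in creating it, the others wait.
acquire_lock() {
    mkdir -p "$LOCK_DIR"
    until mkdir "$LOCK_DIR/lock" 2>/dev/null; do
        sleep 1
    done
}

release_lock() {
    rmdir "$LOCK_DIR/lock"
}

# Number of validation runs currently in progress (0 if none so far).
current_count() {
    if [ -f "$LOCK_DIR/count" ]; then
        cat "$LOCK_DIR/count"
    else
        echo 0
    fi
}

# pre-hook: open the port for the first run only, then record one more run.
# The counter is updated only if the firewall change succeeded, so a failed
# "allow" does not leave a stale count behind.
pre_hook() {
    acquire_lock
    n=$(current_count)
    rc=0
    if [ "$n" -eq 0 ]; then
        $OPEN_CMD || rc=$?
    fi
    if [ "$rc" -eq 0 ]; then
        echo $((n + 1)) > "$LOCK_DIR/count"
    fi
    release_lock
    return "$rc"
}

# post-hook: record one run finished; close the port when none remain.
# A stray extra "post" (count already 0) is ignored rather than driven
# negative, which would otherwise keep the port from being reopened.
post_hook() {
    acquire_lock
    n=$(current_count)
    rc=0
    if [ "$n" -gt 0 ]; then
        n=$((n - 1))
        echo "$n" > "$LOCK_DIR/count"
        if [ "$n" -eq 0 ]; then
            $CLOSE_CMD || rc=$?
        fi
    fi
    release_lock
    return "$rc"
}

case "${1:-}" in
    pre)  pre_hook ;;
    post) post_hook ;;
esac
```

The port is still reachable from anywhere while a run is in progress, so this only shrinks the exposure window; it does not give the LE-only ACL the thread asks for. If a client crashes between its hooks the counter stays positive, so it is worth having a cron job or the wrapper itself reset the counter and close the port when no client process is running.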
I don’t think that your request warrants the IPs being published, though. Even if they were, they change over time. So you’d need additional automation to update your ACLs …
I figured as much, as we’re probably a niche audience, but I thought I’d ask just in case. Thanks!
And like…it’s a DNS server. Millions of them live on the Internet with zero ACLs that limit who can query from them. It’s kind of their whole purpose. Why is yours any different?
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.