<html><head></head><body>
<div>Hello folks,</div>
<div><br></div>
<div>For more than 20 hours I have been fighting with dnsdist-1.8 and AXFR, which is driving me crazy. 100% of the Google results related to AXFR have been tested and found either not working or related to a very old dnsdist...</div>
<div>I'm completely lost and have hundreds of configurations...</div>
<div>The goal is:</div>
<ol>
<li>The ISP does AXFR of a single arpa zone from specific allowed IP addresses.</li>
<li>Samba Active Directory DNS does AXFR of a single domain from two specific IP addresses;</li>
<li>The second core DNS server has access to every domain for AXFR.</li>
</ol>
<div><br></div>
<div>Your help would be greatly appreciated!</div>
<div><br></div>
<div>Regards,</div>
<div>Pavel.</div>
<div><br></div>
<div>The configuration below matches every IP and allows AXFR to every IP address, but I need to control which IP can transfer what, by IP address and domain, except for the Core DNS, which should have access to all zones.</div>
<div><br></div>
<div>#cat /etc/dnsdist/conf.d/axfr.conf</div>
<pre>
trusted_servers = newNMG()
trusted_servers:addMask("10.0.20.1/32")
trusted_servers:addMask("10.0.20.2/32")
trusted_servers:addMask("192.168.4.9/32")

isp1_servers = newNMG()
isp1_servers:addMask("216.77.2.1/32")
isp1_servers:addMask("216.77.2.6/32")

global_second_dns = newNMG()
global_second_dns:addMask("172.16.0.2/32")

authdomains_internal = newSuffixMatchNode()
authdomains_internal:add(newDNSName("adc.local."))
authdomains_internal:add(newDNSName("lab.adc.local."))

reverse_records = newSuffixMatchNode()
reverse_records:add(newDNSName("4.80.212.in-addr.arpa."))
reverse_records:add(newDNSName("4.81.212.in-addr.arpa."))
reverse_records:add(newDNSName("4.83.212.in-addr.arpa."))

-- Match Samba Servers
addAction(
  OrRule({
    QTypeRule(DNSQType.SOA),
    NetmaskGroupRule(trusted_servers),
    SuffixMatchNodeRule(authdomains_internal),
    QTypeRule(DNSQType.AXFR),
    QTypeRule(DNSQType.IXFR)}),
  PoolAction("Primary-AXFR")
)
RCodeAction(DNSRCode.REFUSED)

-- Match ISP Servers
addAction(
  OrRule({
    QTypeRule(DNSQType.SOA),
    NetmaskGroupRule(isp1_servers),
    SuffixMatchNodeRule(reverse_records),
    QTypeRule(DNSQType.AXFR),
    QTypeRule(DNSQType.IXFR)}),
  PoolAction("Primary-AXFR")
)
RCodeAction(DNSRCode.REFUSED)

-- Match Core DNS
addAction(
  OrRule({
    QTypeRule(DNSQType.SOA),
    NetmaskGroupRule(global_second_dns),
    QTypeRule(DNSQType.AXFR),
    QTypeRule(DNSQType.IXFR)}),
  PoolAction("Primary-AXFR")
)
RCodeAction(DNSRCode.REFUSED)

-- Second Global DNS
addAction(
  AndRule({
    NotRule(NetmaskGroupRule(global_second_dns)),
    OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)})
  }),
  DropAction()
)

-- Samba Active Directory
addAction(
  AndRule({
    NotRule(NetmaskGroupRule(trusted_servers)),
    SuffixMatchNodeRule(authdomains_internal),
    OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)})
  }),
  DropAction()
)

-- ISP reverse records
addAction(
  AndRule({
    NotRule(NetmaskGroupRule(isp1_servers)),
    SuffixMatchNodeRule(reverse_records),
    OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)})
  }),
  DropAction()
)

-- Allow NOTIFY (only DNS-Slave)
addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("10.0.20.1/32"))}), RCodeAction(DNSRCode.REFUSED))
addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("216.77.2.1/32"))}), RCodeAction(DNSRCode.REFUSED))
</pre>
</body></html>
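An added example, not part of Pavel's post and not dnsdist project code, showing the three transfer policies written with AndRule so that a query has to match the query type, the zone and the source address at the same time. The OrRule form in the posted configuration sends a query to the pool as soon as any one of its members matches, so an AXFR from any address, or any query for adc.local., reaches the pool; that is the behaviour the post describes. The addresses, zone names and the Primary-AXFR pool name are copied from the post; the backend address given to newServer and the notify_sources group are assumptions. The two posted NOTIFY rules are collapsed into one here, because each of them refuses the source the other allows, so together they refuse every NOTIFY.

```lua
-- Added example (not from the original post): dnsdist 1.8 zone-transfer policy
-- built with AndRule. Addresses, zone names and the pool name come from the
-- post; the backend address in newServer is an ASSUMPTION.

-- Backend that actually holds the zones (assumed address, adjust to the primary).
newServer({address = "10.0.20.10", pool = "Primary-AXFR"})

-- Who may transfer what (addresses from the post).
trusted_servers = newNMG()              -- Samba AD DNS servers
trusted_servers:addMask("10.0.20.1/32")
trusted_servers:addMask("10.0.20.2/32")
trusted_servers:addMask("192.168.4.9/32")

isp1_servers = newNMG()                 -- ISP secondaries for the reverse zones
isp1_servers:addMask("216.77.2.1/32")
isp1_servers:addMask("216.77.2.6/32")

global_second_dns = newNMG()            -- core DNS, may transfer every zone
global_second_dns:addMask("172.16.0.2/32")

authdomains_internal = newSuffixMatchNode()
authdomains_internal:add(newDNSName("adc.local."))
authdomains_internal:add(newDNSName("lab.adc.local."))

reverse_records = newSuffixMatchNode()
reverse_records:add(newDNSName("4.80.212.in-addr.arpa."))
reverse_records:add(newDNSName("4.81.212.in-addr.arpa."))
reverse_records:add(newDNSName("4.83.212.in-addr.arpa."))

-- Transfer query types. SOA is added to the routing set because a secondary
-- checks the serial with an SOA query before it requests the transfer; SOA is
-- deliberately left out of the final refusal so ordinary SOA lookups still work.
xfr_types  = OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)})
xfr_or_soa = OrRule({xfr_types, QTypeRule(DNSQType.SOA)})

-- Rules run in the order they are added and PoolAction stops processing on a
-- match, so the allow rules go first and the catch-all refusal last.

-- 1. Samba AD: internal zones, only from the trusted AD servers.
addAction(AndRule({xfr_or_soa,
                   SuffixMatchNodeRule(authdomains_internal),
                   NetmaskGroupRule(trusted_servers)}),
          PoolAction("Primary-AXFR"))

-- 2. ISP: the reverse zones, only from the ISP transfer addresses.
addAction(AndRule({xfr_or_soa,
                   SuffixMatchNodeRule(reverse_records),
                   NetmaskGroupRule(isp1_servers)}),
          PoolAction("Primary-AXFR"))

-- 3. Core DNS: any zone.
addAction(AndRule({xfr_or_soa, NetmaskGroupRule(global_second_dns)}),
          PoolAction("Primary-AXFR"))

-- Default: every other AXFR/IXFR is refused. REFUSED instead of DropAction so
-- the client fails immediately and the refusal is visible in its logs.
addAction(xfr_types, RCodeAction(DNSRCode.REFUSED))

-- NOTIFY: accept only from the primaries that feed this host, using one
-- netmask group (assumed membership) in a single rule.
notify_sources = newNMG()
notify_sources:addMask("10.0.20.1/32")
notify_sources:addMask("216.77.2.1/32")
addAction(AndRule({OpcodeRule(DNSOpcode.Notify),
                   NotRule(NetmaskGroupRule(notify_sources))}),
          RCodeAction(DNSRCode.REFUSED))
```

To check the result, print the rule order with showRules() in the dnsdist console, then request an AXFR over TCP for each zone from an address in each group and from one that is in none: the in-group requests should reach the Primary-AXFR pool, the request from 172.16.0.2 should be routed for any zone, and everything else should come back REFUSED while plain SOA lookups keep working.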