[dnsdist] Question about dnsdist, pdns, pdns-recursor problem with AXFR
angelika rossos
angelikarossos at gmail.com
Wed Apr 3 21:40:10 UTC 2019
Hello!
I use CentOS latest version. I have two servers (below are not real used
public IP, I don't want to share real ones):
Server 1 - public IP for example 193.91.200.10 - master
Server 2 - public IP for example 193.91.200.20 - slave
I have installed dnsdist, pdns and pdns-recursor latest versions. Below are
my configs for dnsdist, pdns and pdns-recursor for both servers.
Server 1: dnsdist.conf
-------
setLocal('193.91.200.10:53')
setACL({'0.0.0.0/0', '::/0'})
newServer({address='127.0.0.1:5300', pool='auth'})
newServer({address='127.0.0.1:5301', pool='recursor'})
recursive_ips = newNMG()
recursive_ips:addMask('193.91.200.20/32')
addAction(OrRule({QTypeRule(dnsdist.SOA), QTypeRule(dnsdist.AXFR),
QTypeRule(dnsdist.IXFR)}), PoolAction("auth"))
addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))
addAction(AllRule(), PoolAction('auth'))
-------
Server 1: pdns.conf
-------
allow-axfr-ips=193.91.200.10/32,193.91.200.20/32
daemon=no
disable-axfr=no
disable-tcp=no
guardian=no
launch=bind
bind-config=/etc/pdns/named.conf
bind-check-interval=300
local-address=127.0.0.1
local-port=5300
master=yes
setgid=pdns
setuid=pdns
-------
Server 1: recursor.conf
-------
allow-from=127.0.0.0/8, 10.0.0.0/8, 193.91.200.10/32, 193.91.200.20/32
dont-query=127.0.0.0/8, 10.0.0.0/8
forward-zones=angelikarossos.com=127.0.0.1:5300
local-address=127.0.0.1
local-port=5301
setgid=pdns-recursor
setuid=pdns-recursor
-------
Server 1: named.conf
-------
options {
directory "/var/named";
listen-on { 127.0.0.1:5300; };
allow-transfer { 193.91.200.10/32; 193.91.200.20/32; };
};
zone "angelikarossos.com" {
type master;
file "angelikarossos.com";
};
-------
Server 2: dnsdist.conf
-------
setLocal('193.91.200.20:53')
setACL({'0.0.0.0/0', '::/0'})
newServer({address='127.0.0.1:5300', pool='auth'})
newServer({address='127.0.0.1:5301', pool='recursor'})
recursive_ips = newNMG()
recursive_ips:addMask('193.91.200.10/32')
addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))
addAction(AllRule(), PoolAction('auth'))
-------
Server 2: pdns.conf
-------
allow-axfr-ips=193.91.200.10/32,193.91.200.20/32
daemon=no
disable-axfr=no
disable-tcp=no
guardian=no
launch=bind
bind-config=/etc/pdns/named.conf
bind-check-interval=300
local-address=127.0.0.1
local-port=5300
setgid=pdns
setuid=pdns
slave=yes
-------
Server 2: recursor.conf
-------
allow-from=127.0.0.0/8, 10.0.0.0/8, 193.91.200.10/32, 193.91.200.20/32
dont-query=127.0.0.0/8, 10.0.0.0/8
forward-zones=angelikarossos.com=127.0.0.1:5300
local-address=127.0.0.1
local-port=5301
setgid=pdns-recursor
setuid=pdns-recursor
-------
Server 2: named.conf
-------
options {
directory "/var/named";
listen-on { 127.0.0.1:5300; };
allow-transfer { 193.91.200.10/32; 193.91.200.20/32; };
};
zone "angelikarossos.com" {
type slave;
file "angelikarossos.com";
masters { 193.91.200.10; };
};
-------
When I start services for dnsdist, pdns, pdns-recursor everything is
working great instead AXFR zone transfer from master to slave. I have got
such error information:
Server 2:
pdns_server[12447]: AXFR of domain 'angelikarossos.com' initiated by
127.0.0.1
pdns_server[12447]: AXFR of domain 'angelikarossos.com' denied: client IP
127.0.0.1 has no permission
pdns_server[12447]: AXFR of domain 'angelikarossos.com' failed: 127.0.0.1
cannot request AXFR
When I add to:
Server 1: pdns.conf
-------
allow-axfr-ips=127.0.0.1/32,193.91.200.10/32,193.91.200.20/32
-------
AXFR transfer is completed:
pdns_server[12784]: Domain 'angelikarossos.com' is stale, master serial
2019040302, our serial 2019040301
pdns_server[12784]: Initiating transfer of 'angelikarossos.com' from remote
'193.91.200.10'
pdns_server[12784]: Starting AXFR of 'angelikarossos.com' from remote
193.91.200.10:53
pdns_server[12784]: AXFR started for 'angelikarossos.com'
pdns_server[12784]: AXFR of 'angelikarossos.com' from remote
193.91.200.10:53 done
pdns_server[12784]: Backend transaction started for 'angelikarossos.com'
storage
pdns_server[12784]: Zone 'angelikarossos.com' (/var/named/angelikarossos.com)
reloaded
pdns_server[12784]: AXFR done for 'angelikarossos.com', zone committed with
serial number 2019040302
pdns_server[12784]: Done launching threads, ready to distribute questions
But I have got information, when I test DNS on website https://mxtoolbox.com
:
"dns angelikarossos.com Open Zone Transfer Detected"
So this "Open Zone Transfer" is related with 127.0.0.1/32 in pdns.conf with
line allow-axfr-ips=127.0.0.1/32,193.91.200.10/32,193.91.200.20/32
My question is, how I am suppose to resolve this problem, when I have
dnsdist with public IPs and pdns and pdns-recursor on local IPs on both
servers?
I would be glad for your help and support.
Thank you in advance for your time and effort.
Best regards.
AR
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/dnsdist/attachments/20190403/f15a9425/attachment.html>
More information about the dnsdist
mailing list