[dnsdist] Question about dnsdist, pdns, pdns-recursor problem with AXFR

angelika rossos angelikarossos at gmail.com
Wed Apr 3 21:40:10 UTC 2019


Hello!

I use the latest CentOS version. I have two servers (the public IPs below are
not the real ones; I don't want to share the real ones):

Server 1 - public IP for example 193.91.200.10 - master
Server 2 - public IP for example 193.91.200.20 - slave

I have installed the latest versions of dnsdist, pdns and pdns-recursor. Below are
my configs for dnsdist, pdns and pdns-recursor on both servers.

Server 1: dnsdist.conf
-------
setLocal('193.91.200.10:53')
setACL({'0.0.0.0/0', '::/0'})

newServer({address='127.0.0.1:5300', pool='auth'})
newServer({address='127.0.0.1:5301', pool='recursor'})

recursive_ips = newNMG()
recursive_ips:addMask('193.91.200.20/32')

addAction(OrRule({QTypeRule(dnsdist.SOA), QTypeRule(dnsdist.AXFR),
QTypeRule(dnsdist.IXFR)}), PoolAction("auth"))

addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))
addAction(AllRule(), PoolAction('auth'))
-------

Server 1: pdns.conf
-------
allow-axfr-ips=193.91.200.10/32,193.91.200.20/32
daemon=no
disable-axfr=no
disable-tcp=no
guardian=no
launch=bind
bind-config=/etc/pdns/named.conf
bind-check-interval=300
local-address=127.0.0.1
local-port=5300
master=yes
setgid=pdns
setuid=pdns
-------

Server 1: recursor.conf
-------
allow-from=127.0.0.0/8, 10.0.0.0/8, 193.91.200.10/32, 193.91.200.20/32
dont-query=127.0.0.0/8, 10.0.0.0/8
forward-zones=angelikarossos.com=127.0.0.1:5300
local-address=127.0.0.1
local-port=5301
setgid=pdns-recursor
setuid=pdns-recursor
-------

Server 1: named.conf
-------
options {
        directory "/var/named";
        listen-on { 127.0.0.1:5300; };
        allow-transfer { 193.91.200.10/32; 193.91.200.20/32; };
};

zone "angelikarossos.com" {
        type master;
        file "angelikarossos.com";
};
-------

Server 2: dnsdist.conf
-------
setLocal('193.91.200.20:53')
setACL({'0.0.0.0/0', '::/0'})

newServer({address='127.0.0.1:5300', pool='auth'})
newServer({address='127.0.0.1:5301', pool='recursor'})

recursive_ips = newNMG()
recursive_ips:addMask('193.91.200.10/32')

addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))
addAction(AllRule(), PoolAction('auth'))
-------

Server 2: pdns.conf
-------
allow-axfr-ips=193.91.200.10/32,193.91.200.20/32
daemon=no
disable-axfr=no
disable-tcp=no
guardian=no
launch=bind
bind-config=/etc/pdns/named.conf
bind-check-interval=300
local-address=127.0.0.1
local-port=5300
setgid=pdns
setuid=pdns
slave=yes
-------

Server 2: recursor.conf
-------
allow-from=127.0.0.0/8, 10.0.0.0/8, 193.91.200.10/32, 193.91.200.20/32
dont-query=127.0.0.0/8, 10.0.0.0/8
forward-zones=angelikarossos.com=127.0.0.1:5300
local-address=127.0.0.1
local-port=5301
setgid=pdns-recursor
setuid=pdns-recursor
-------

Server 2: named.conf
-------
options {
        directory "/var/named";
        listen-on { 127.0.0.1:5300; };
        allow-transfer { 193.91.200.10/32; 193.91.200.20/32; };
};

zone "angelikarossos.com" {
        type slave;
        file "angelikarossos.com";
        masters { 193.91.200.10; };
};
-------

When I start the services for dnsdist, pdns and pdns-recursor, everything is
working great except the AXFR zone transfer from master to slave. I get the
following error messages:

Server 2:
pdns_server[12447]: AXFR of domain 'angelikarossos.com' initiated by
127.0.0.1
pdns_server[12447]: AXFR of domain 'angelikarossos.com' denied: client IP
127.0.0.1 has no permission
pdns_server[12447]: AXFR of domain 'angelikarossos.com' failed: 127.0.0.1
cannot request AXFR

When I add this to:
Server 1: pdns.conf
-------
allow-axfr-ips=127.0.0.1/32,193.91.200.10/32,193.91.200.20/32
-------

the AXFR transfer completes:
pdns_server[12784]: Domain 'angelikarossos.com' is stale, master serial
2019040302, our serial 2019040301
pdns_server[12784]: Initiating transfer of 'angelikarossos.com' from remote
'193.91.200.10'
pdns_server[12784]: Starting AXFR of 'angelikarossos.com' from remote
193.91.200.10:53
pdns_server[12784]: AXFR started for 'angelikarossos.com'
pdns_server[12784]: AXFR of 'angelikarossos.com' from remote
193.91.200.10:53 done
pdns_server[12784]: Backend transaction started for 'angelikarossos.com'
storage
pdns_server[12784]: Zone 'angelikarossos.com' (/var/named/angelikarossos.com)
reloaded
pdns_server[12784]: AXFR done for 'angelikarossos.com', zone committed with
serial number 2019040302
pdns_server[12784]: Done launching threads, ready to distribute questions

But when I test DNS on the website https://mxtoolbox.com, I get this
message:
"dns angelikarossos.com Open Zone Transfer Detected"
So this "Open Zone Transfer" is related to the 127.0.0.1/32 in pdns.conf, in
the line allow-axfr-ips=127.0.0.1/32,193.91.200.10/32,193.91.200.20/32

My question is: how am I supposed to resolve this problem when I have
dnsdist on public IPs and pdns and pdns-recursor on local IPs on both
servers?

I would be glad for your help and support.

Thank you in advance for your time and effort.

Best regards.

AR
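Added example (not part of the original post, and not a configuration shipped by PowerDNS): a Server 1 dnsdist.conf that enforces the zone-transfer allow-list in dnsdist itself. In the setup above, dnsdist connects to pdns from 127.0.0.1, so pdns only ever sees the loopback address as the AXFR client; once 127.0.0.1/32 is in allow-axfr-ips, pdns can no longer tell the slave apart from an arbitrary Internet host, and the check has to move to the component that still knows the real source address. This fragment assumes the same addresses and ports as the post (193.91.200.10 master, 193.91.200.20 slave, pdns on 127.0.0.1:5300, recursor on 127.0.0.1:5301) and the `dnsdist.*` constant names used in the post's own config; Server 2 would get the same block with the two public addresses swapped.

```lua
-- Added example: dnsdist.conf for Server 1 with the AXFR/IXFR ACL applied in
-- dnsdist, because the backend pdns only sees 127.0.0.1 as the client.
-- Addresses and ports are the ones from the post, not real ones.
setLocal('193.91.200.10:53')
setACL({'0.0.0.0/0', '::/0'})

newServer({address='127.0.0.1:5300', pool='auth'})
newServer({address='127.0.0.1:5301', pool='recursor'})

-- Hosts allowed to pull zone transfers: the slave and the master itself.
xfr_ips = newNMG()
xfr_ips:addMask('193.91.200.10/32')
xfr_ips:addMask('193.91.200.20/32')

-- Hosts allowed to use the recursor pool (as in the original config).
recursive_ips = newNMG()
recursive_ips:addMask('193.91.200.20/32')

-- Zone-transfer query types; rules apply to both UDP and TCP, and AXFR is TCP.
xfr_qtypes = OrRule({QTypeRule(dnsdist.AXFR), QTypeRule(dnsdist.IXFR)})

-- 1. Answer REFUSED to AXFR/IXFR from any address not in xfr_ips. This is the
--    check pdns's allow-axfr-ips cannot perform once 127.0.0.1 is allowed there.
addAction(AndRule({xfr_qtypes, NotRule(NetmaskGroupRule(xfr_ips))}),
          RCodeAction(dnsdist.REFUSED))

-- 2. Transfers from allowed hosts go to the authoritative server.
addAction(xfr_qtypes, PoolAction('auth'))

-- 3. SOA queries (the slave's serial check) go to the authoritative server.
addAction(QTypeRule(dnsdist.SOA), PoolAction('auth'))

-- 4. Everything else: the known recursive client to the recursor, the rest to auth.
addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))
addAction(AllRule(), PoolAction('auth'))
```

Rule order matters: the REFUSED rule must come before the PoolAction rules, since dnsdist stops at the first matching rule that returns an action. With this in place, pdns.conf on Server 1 still needs 127.0.0.1/32 in allow-axfr-ips (dnsdist is the only client pdns sees), so anything able to reach 127.0.0.1:5300 directly can still transfer the zone; keep pdns bound to loopback only, as in the post, so that set is limited to local processes. A quick check from a third host, `dig @193.91.200.10 angelikarossos.com AXFR`, should then return REFUSED, while the same command from 193.91.200.20 should return the zone.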
