[dnsdist] Question about dnsdist, pdns, pdns-recursor problem with AXFR

Remi Gacogne remi.gacogne at powerdns.com
Thu Apr 4 10:11:19 UTC 2019


Hi Angelika,

I would suggest you read [1] first, it explains the issue you are having
and some of the options to fix it.

[1]: https://dnsdist.org/advanced/axfr.html

Best regards,

Remi

On 4/3/19 11:40 PM, angelika rossos wrote:
> Hello!
> 
> I use the latest CentOS version. I have two servers (the public IPs below
> are not the real ones; I don't want to share the real ones):
> 
> Server 1 - public IP for example 193.91.200.10 - master
> Server 2 - public IP for example 193.91.200.20 - slave
> 
> I have installed dnsdist, pdns and pdns-recursor latest versions. Below
> are my configs for dnsdist, pdns and pdns-recursor for both servers.
> 
> Server 1: dnsdist.conf
> -------
> setLocal('193.91.200.10:53')
> setACL({'0.0.0.0/0', '::/0'})
> 
> newServer({address='127.0.0.1:5300', pool='auth'})
> newServer({address='127.0.0.1:5301', pool='recursor'})
> 
> recursive_ips = newNMG()
> recursive_ips:addMask('193.91.200.20/32')
> 
> addAction(OrRule({QTypeRule(dnsdist.SOA), QTypeRule(dnsdist.AXFR),
> QTypeRule(dnsdist.IXFR)}), PoolAction("auth"))
> 
> addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))
> addAction(AllRule(), PoolAction('auth'))
> -------
> 
> Server 1: pdns.conf
> -------
> allow-axfr-ips=193.91.200.10/32,193.91.200.20/32
> daemon=no
> disable-axfr=no
> disable-tcp=no
> guardian=no
> launch=bind
> bind-config=/etc/pdns/named.conf
> bind-check-interval=300
> local-address=127.0.0.1
> local-port=5300
> master=yes
> setgid=pdns
> setuid=pdns
> -------
> 
> Server 1: recursor.conf
> -------
> allow-from=127.0.0.0/8, 10.0.0.0/8, 193.91.200.10/32, 193.91.200.20/32
> dont-query=127.0.0.0/8, 10.0.0.0/8
> forward-zones=angelikarossos.com=127.0.0.1:5300
> local-address=127.0.0.1
> local-port=5301
> setgid=pdns-recursor
> setuid=pdns-recursor
> -------
> 
> Server 1: named.conf
> -------
> options {
>         directory "/var/named";
>         listen-on { 127.0.0.1:5300; };
>         allow-transfer { 193.91.200.10/32; 193.91.200.20/32; };
> };
> 
> zone "angelikarossos.com" {
>         type master;
>         file "angelikarossos.com";
> };
> -------
> 
> Server 2: dnsdist.conf
> -------
> setLocal('193.91.200.20:53')
> setACL({'0.0.0.0/0', '::/0'})
> 
> newServer({address='127.0.0.1:5300', pool='auth'})
> newServer({address='127.0.0.1:5301', pool='recursor'})
> 
> recursive_ips = newNMG()
> recursive_ips:addMask('193.91.200.10/32')
> 
> addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))
> addAction(AllRule(), PoolAction('auth'))
> -------
> 
> Server 2: pdns.conf
> -------
> allow-axfr-ips=193.91.200.10/32,193.91.200.20/32
> daemon=no
> disable-axfr=no
> disable-tcp=no
> guardian=no
> launch=bind
> bind-config=/etc/pdns/named.conf
> bind-check-interval=300
> local-address=127.0.0.1
> local-port=5300
> setgid=pdns
> setuid=pdns
> slave=yes
> -------
> 
> Server 2: recursor.conf
> -------
> allow-from=127.0.0.0/8, 10.0.0.0/8, 193.91.200.10/32, 193.91.200.20/32
> dont-query=127.0.0.0/8, 10.0.0.0/8
> forward-zones=angelikarossos.com=127.0.0.1:5300
> local-address=127.0.0.1
> local-port=5301
> setgid=pdns-recursor
> setuid=pdns-recursor
> -------
> 
> Server 2: named.conf
> -------
> options {
>         directory "/var/named";
>         listen-on { 127.0.0.1:5300; };
>         allow-transfer { 193.91.200.10/32; 193.91.200.20/32; };
> };
> 
> zone "angelikarossos.com" {
>         type slave;
>         file "angelikarossos.com";
>         masters { 193.91.200.10; };
> };
> -------
> 
> When I start the services for dnsdist, pdns and pdns-recursor, everything is
> working great except the AXFR zone transfer from master to slave. I get
> the following error messages:
> 
> Server 2:
> pdns_server[12447]: AXFR of domain 'angelikarossos.com' initiated by 127.0.0.1
> pdns_server[12447]: AXFR of domain 'angelikarossos.com' denied: client IP 127.0.0.1 has no permission
> pdns_server[12447]: AXFR of domain 'angelikarossos.com' failed: 127.0.0.1 cannot request AXFR
> 
> When I add to:
> Server 1: pdns.conf
> -------
> allow-axfr-ips=127.0.0.1/32,193.91.200.10/32,193.91.200.20/32
> -------
> 
> the AXFR transfer completes:
> pdns_server[12784]: Domain 'angelikarossos.com' is stale, master serial 2019040302, our serial 2019040301
> pdns_server[12784]: Initiating transfer of 'angelikarossos.com' from remote '193.91.200.10'
> pdns_server[12784]: Starting AXFR of 'angelikarossos.com' from remote 193.91.200.10:53
> pdns_server[12784]: AXFR started for 'angelikarossos.com'
> pdns_server[12784]: AXFR of 'angelikarossos.com' from remote 193.91.200.10:53 done
> pdns_server[12784]: Backend transaction started for 'angelikarossos.com' storage
> pdns_server[12784]: Zone 'angelikarossos.com' (/var/named/angelikarossos.com) reloaded
> pdns_server[12784]: AXFR done for 'angelikarossos.com', zone committed with serial number 2019040302
> pdns_server[12784]: Done launching threads, ready to distribute questions
> pdns_server[12784]: Done launching threads, ready to distribute questions
> 
> But when I test the DNS on the website https://mxtoolbox.com, I get:
> "dns angelikarossos.com Open Zone Transfer Detected"
> So this "Open Zone Transfer" is related to the 127.0.0.1/32 in pdns.conf,
> in the line allow-axfr-ips=127.0.0.1/32,193.91.200.10/32,193.91.200.20/32
> 
> My question is, how am I supposed to resolve this problem, when I have
> dnsdist on the public IPs and pdns and pdns-recursor on local IPs on both
> servers?
> 
> I would be glad for your help and support.
> 
> Thank you in advance for your time and effort.
> 
> Best regards.
> 
> AR
> 
> _______________________________________________
> dnsdist mailing list
> dnsdist at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/dnsdist
> 


-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
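The mechanism behind the "Open Zone Transfer" finding is visible in the quoted logs: dnsdist connects to the authoritative backend from 127.0.0.1, so pdns sees 127.0.0.1 as the client of every proxied query, whether it came from the slave or from anywhere on the Internet. Once 127.0.0.1/32 is in allow-axfr-ips, the allow list no longer distinguishes clients at all. The linked page describes the fix: enforce the transfer ACL in dnsdist, which still knows the real client address, and let pdns trust 127.0.0.1. Below is an added example of a Server 1 (master) dnsdist.conf doing that; it is not the configuration from the post or from the dnsdist documentation. The addresses are the example addresses from the post, the group name allowedXFR and the rule order are my choices, and the constant names (dnsdist.AXFR, dnsdist.REFUSED) follow the dnsdist 1.3-era syntax the post uses; newer releases spell them DNSQType.AXFR and DNSRCode.REFUSED.

```lua
-- Added example for the master (Server 1), not the poster's or the project's config.
-- dnsdist enforces the zone-transfer allow list here, on the real client address,
-- because the pdns backend only ever sees 127.0.0.1 as the source of proxied queries.

setLocal('193.91.200.10:53')
setACL({'0.0.0.0/0', '::/0'})

newServer({address='127.0.0.1:5300', pool='auth'})
newServer({address='127.0.0.1:5301', pool='recursor'})

-- Hosts allowed to transfer the zone: the slave, plus the master itself to
-- mirror the original allow-axfr-ips. (allowedXFR is an assumed name.)
allowedXFR = newNMG()
allowedXFR:addMask('193.91.200.10/32')
allowedXFR:addMask('193.91.200.20/32')

-- Hosts whose ordinary queries are sent to the recursor, as in the post.
recursive_ips = newNMG()
recursive_ips:addMask('193.91.200.20/32')

-- Rules are evaluated in order, so the transfer check must come before any
-- pool routing: AXFR/IXFR from an address outside allowedXFR is answered
-- REFUSED by dnsdist and never reaches pdns. (Assumption: dnsdist.REFUSED is
-- the 1.3-era constant; use DNSRCode.REFUSED on 1.4 and later.)
addAction(AndRule({
    OrRule({QTypeRule(dnsdist.AXFR), QTypeRule(dnsdist.IXFR)}),
    NotRule(NetmaskGroupRule(allowedXFR))
}), RCodeAction(dnsdist.REFUSED))

-- Transfers that passed the check, and SOA queries, go to the auth backend.
addAction(OrRule({QTypeRule(dnsdist.SOA), QTypeRule(dnsdist.AXFR),
                  QTypeRule(dnsdist.IXFR)}), PoolAction('auth'))

addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))
addAction(AllRule(), PoolAction('auth'))
```

With this in place, pdns.conf on the master keeps 127.0.0.1/32 in allow-axfr-ips, since that is the only source address pdns will see, and the decision about who may transfer the zone is made by dnsdist. To confirm the change, request an AXFR for the zone from a host that is not in allowedXFR and from the slave: the first should get REFUSED back from dnsdist with no "AXFR of domain ... initiated by" line appearing in the pdns log, the second should complete as in the quoted transfer log. Re-running the mxtoolbox check afterwards should no longer report an open transfer.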
