[dnsdist] Question about dnsdist, pdns, pdns-recursor problem with AXFR

angelika rossos angelikarossos at gmail.com
Thu Apr 4 10:40:32 UTC 2019


Hello Remi :)

Thank you for your fast reply and time. So I checked your site with:
-------
newServer({address="192.168.1.2", name="master", pool={"master", "otherpool"}})
addAction(OrRule({QTypeRule(dnsdist.SOA), QTypeRule(dnsdist.AXFR), QTypeRule(dnsdist.IXFR)}), PoolAction("master"))

addAction(AndRule({OrRule({QTypeRule(dnsdist.AXFR), QTypeRule(dnsdist.IXFR)}), NotRule(makeRule("192.168.1.0/24"))}), RCodeAction(dnsdist.REFUSED))

addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("192.168.1.0/24"))}), RCodeAction(dnsdist.REFUSED))
-------

So in my case, which of above should go to Server 1 (Master) and which to
Server 2 (Slave)?

If my Server 1 (Master) is 193.91.200.10, should I add to Server 1
dnsdist.conf:
-------
newServer({address="193.91.200.10", name="master", pool={"master", "otherpool"}})
addAction(OrRule({QTypeRule(dnsdist.SOA), QTypeRule(dnsdist.AXFR), QTypeRule(dnsdist.IXFR)}), PoolAction("master"))
------

Should I add below to my Server 2 (Slave) with 193.91.200.20:
-------
addAction(AndRule({OrRule({QTypeRule(dnsdist.AXFR), QTypeRule(dnsdist.IXFR)}), NotRule(makeRule("193.91.200.20/32"))}), RCodeAction(dnsdist.REFUSED))
-------

Would you be so kind as to look into my case and help me figure it out? I
am smiling at you with very wide open eyes :)

Best regards.
AR

Thu, 4 Apr 2019 at 12:11 Remi Gacogne <remi.gacogne at powerdns.com>
wrote:

> Hi Angelika,
>
> I would suggest you read [1] first, it explains the issue you are having
> and some of the options to fix it.
>
> [1]: https://dnsdist.org/advanced/axfr.html
>
> Best regards,
>
> Remi
>
> On 4/3/19 11:40 PM, angelika rossos wrote:
> > Hello!
> >
> > I use the latest CentOS version. I have two servers (the public IPs below
> > are not the real ones; I don't want to share those):
> >
> > Server 1 - public IP for example 193.91.200.10 - master
> > Server 2 - public IP for example 193.91.200.20 - slave
> >
> > I have installed the latest versions of dnsdist, pdns and pdns-recursor.
> > Below are my configs for dnsdist, pdns and pdns-recursor for both servers.
> >
> > Server 1: dnsdist.conf
> > -------
> > setLocal('193.91.200.10:53')
> > setACL({'0.0.0.0/0', '::/0'})
> >
> > newServer({address='127.0.0.1:5300', pool='auth'})
> > newServer({address='127.0.0.1:5301', pool='recursor'})
> >
> > recursive_ips = newNMG()
> > recursive_ips:addMask('193.91.200.20/32')
> >
> > addAction(OrRule({QTypeRule(dnsdist.SOA), QTypeRule(dnsdist.AXFR), QTypeRule(dnsdist.IXFR)}), PoolAction("auth"))
> >
> > addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))
> > addAction(AllRule(), PoolAction('auth'))
> > -------
> >
> > Server 1: pdns.conf
> > -------
> > allow-axfr-ips=193.91.200.10/32,193.91.200.20/32
> > daemon=no
> > disable-axfr=no
> > disable-tcp=no
> > guardian=no
> > launch=bind
> > bind-config=/etc/pdns/named.conf
> > bind-check-interval=300
> > local-address=127.0.0.1
> > local-port=5300
> > master=yes
> > setgid=pdns
> > setuid=pdns
> > -------
> >
> > Server 1: recursor.conf
> > -------
> > allow-from=127.0.0.0/8, 10.0.0.0/8, 193.91.200.10/32, 193.91.200.20/32
> > dont-query=127.0.0.0/8, 10.0.0.0/8
> > forward-zones=angelikarossos.com=127.0.0.1:5300
> > local-address=127.0.0.1
> > local-port=5301
> > setgid=pdns-recursor
> > setuid=pdns-recursor
> > -------
> >
> > Server 1: named.conf
> > -------
> > options {
> >         directory "/var/named";
> >         listen-on { 127.0.0.1:5300; };
> >         allow-transfer { 193.91.200.10/32; 193.91.200.20/32; };
> > };
> >
> > zone "angelikarossos.com" {
> >         type master;
> >         file "angelikarossos.com";
> > };
> > -------
> >
> > Server 2: dnsdist.conf
> > -------
> > setLocal('193.91.200.20:53')
> > setACL({'0.0.0.0/0', '::/0'})
> >
> > newServer({address='127.0.0.1:5300', pool='auth'})
> > newServer({address='127.0.0.1:5301', pool='recursor'})
> >
> > recursive_ips = newNMG()
> > recursive_ips:addMask('193.91.200.10/32')
> >
> > addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))
> > addAction(AllRule(), PoolAction('auth'))
> > -------
> >
> > Server 2: pdns.conf
> > -------
> > allow-axfr-ips=193.91.200.10/32,193.91.200.20/32
> > daemon=no
> > disable-axfr=no
> > disable-tcp=no
> > guardian=no
> > launch=bind
> > bind-config=/etc/pdns/named.conf
> > bind-check-interval=300
> > local-address=127.0.0.1
> > local-port=5300
> > setgid=pdns
> > setuid=pdns
> > slave=yes
> > -------
> >
> > Server 2: recursor.conf
> > -------
> > allow-from=127.0.0.0/8, 10.0.0.0/8, 193.91.200.10/32, 193.91.200.20/32
> > dont-query=127.0.0.0/8, 10.0.0.0/8
> > forward-zones=angelikarossos.com=127.0.0.1:5300
> > local-address=127.0.0.1
> > local-port=5301
> > setgid=pdns-recursor
> > setuid=pdns-recursor
> > -------
> >
> > Server 2: named.conf
> > -------
> > options {
> >         directory "/var/named";
> >         listen-on { 127.0.0.1:5300; };
> >         allow-transfer { 193.91.200.10/32; 193.91.200.20/32; };
> > };
> >
> > zone "angelikarossos.com" {
> >         type slave;
> >         file "angelikarossos.com";
> >         masters { 193.91.200.10; };
> > };
> > -------
> >
> > When I start the dnsdist, pdns and pdns-recursor services, everything
> > works great except the AXFR zone transfer from master to slave. I get
> > the following error messages:
> >
> > Server 2:
> > pdns_server[12447]: AXFR of domain 'angelikarossos.com' initiated by 127.0.0.1
> > pdns_server[12447]: AXFR of domain 'angelikarossos.com' denied: client IP 127.0.0.1 has no permission
> > pdns_server[12447]: AXFR of domain 'angelikarossos.com' failed: 127.0.0.1 cannot request AXFR
> >
> > When I add to:
> > Server 1: pdns.conf
> > -------
> > allow-axfr-ips=127.0.0.1/32,193.91.200.10/32,193.91.200.20/32
> > -------
> >
> > the AXFR transfer completes:
> > pdns_server[12784]: Domain 'angelikarossos.com' is stale, master serial 2019040302, our serial 2019040301
> > pdns_server[12784]: Initiating transfer of 'angelikarossos.com' from remote '193.91.200.10'
> > pdns_server[12784]: Starting AXFR of 'angelikarossos.com' from remote 193.91.200.10:53
> > pdns_server[12784]: AXFR started for 'angelikarossos.com'
> > pdns_server[12784]: AXFR of 'angelikarossos.com' from remote 193.91.200.10:53 done
> > pdns_server[12784]: Backend transaction started for 'angelikarossos.com' storage
> > pdns_server[12784]: Zone 'angelikarossos.com' (/var/named/angelikarossos.com) reloaded
> > pdns_server[12784]: AXFR done for 'angelikarossos.com', zone committed with serial number 2019040302
> > pdns_server[12784]: Done launching threads, ready to distribute questions
> >
> > But when I test DNS on the website https://mxtoolbox.com, I get:
> > "dns angelikarossos.com Open Zone Transfer Detected"
> > So this "Open Zone Transfer" is related to the 127.0.0.1/32 in pdns.conf,
> > in the line allow-axfr-ips=127.0.0.1/32,193.91.200.10/32,193.91.200.20/32
> >
> > My question is, how am I supposed to resolve this problem, when I have
> > dnsdist with public IPs and pdns and pdns-recursor on local IPs on both
> > servers?
> >
> > I would be glad for your help and support.
> >
> > Thank you in advance for your time and effort.
> >
> > Best regards.
> >
> > AR
> >
> > _______________________________________________
> > dnsdist mailing list
> > dnsdist at mailman.powerdns.com
> > https://mailman.powerdns.com/mailman/listinfo/dnsdist
> >
>
>
> --
> Remi Gacogne
> PowerDNS.COM BV - https://www.powerdns.com/
>
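The root cause visible in the thread is that dnsdist forwards every query to pdns on 127.0.0.1:5300, so the authoritative server sees 127.0.0.1 as the client for all of them. Once 127.0.0.1/32 is in allow-axfr-ips, pdns can no longer tell the slave apart from an arbitrary Internet client, which is exactly the "Open Zone Transfer Detected" result. The transfer ACL therefore has to be enforced in dnsdist, where the real source address is still known. The following is an added example, written for this thread and not code from Remi, the dnsdist documentation or PowerDNS, of how the rules from the linked page could be split across the two servers using the thread's example addresses. It assumes dnsdist 1.3-era syntax (dnsdist.SOA, dnsdist.REFUSED, as in the snippet above), that the pool layout and the recursor routing from the original configs are kept, that pdns on server 2 fetches the zone directly from 193.91.200.10:53 (so the master's dnsdist sees 193.91.200.20 as the source), and that the slave never needs to serve transfers itself; the extra rule that sends NOTIFY to the authoritative pool on the slave is my addition, because the original config would route any packet from 193.91.200.10 to the recursor.

```lua
-- Added example for the dnsdist AXFR thread; not the project's own code.
-- Assumes dnsdist 1.3-era syntax (dnsdist.SOA / dnsdist.REFUSED) and the
-- thread's example addresses: 193.91.200.10 = master, 193.91.200.20 = slave.

-- =====================================================================
-- Server 1 (master, 193.91.200.10): dnsdist.conf
-- =====================================================================
setLocal('193.91.200.10:53')
setACL({'0.0.0.0/0', '::/0'})

newServer({address='127.0.0.1:5300', name='auth', pool='auth'})
newServer({address='127.0.0.1:5301', name='recursor', pool='recursor'})

-- Hosts allowed to pull the zone. pdns on 127.0.0.1:5300 only ever sees
-- 127.0.0.1 as the client, so the real source can only be checked here.
xfr_peers = newNMG()
xfr_peers:addMask('193.91.200.20/32')   -- the slave

-- Queries from the slave that are not transfers are treated as recursive
-- traffic, as in the original config.
recursive_ips = newNMG()
recursive_ips:addMask('193.91.200.20/32')

-- 1. Refuse AXFR/IXFR from anyone who is not a known peer. This rule comes
--    first so dnsdist answers REFUSED itself and the request never reaches
--    the backend (rules are evaluated in the order they are added).
addAction(AndRule({OrRule({QTypeRule(dnsdist.AXFR), QTypeRule(dnsdist.IXFR)}),
                   NotRule(NetmaskGroupRule(xfr_peers))}),
          RCodeAction(dnsdist.REFUSED))

-- 2. SOA/AXFR/IXFR that survived the check go to the authoritative pool,
--    never to the recursor (this must stay ahead of the recursor rule).
addAction(OrRule({QTypeRule(dnsdist.SOA), QTypeRule(dnsdist.AXFR),
                  QTypeRule(dnsdist.IXFR)}),
          PoolAction('auth'))

-- 3. Everything else: peer traffic to the recursor, the rest to auth.
addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))
addAction(AllRule(), PoolAction('auth'))

-- =====================================================================
-- Server 2 (slave, 193.91.200.20): dnsdist.conf
-- =====================================================================
setLocal('193.91.200.20:53')
setACL({'0.0.0.0/0', '::/0'})

newServer({address='127.0.0.1:5300', name='auth', pool='auth'})
newServer({address='127.0.0.1:5301', name='recursor', pool='recursor'})

master_ip = newNMG()
master_ip:addMask('193.91.200.10/32')

-- The slave serves no transfers to anyone (assumption), so refuse every
-- AXFR/IXFR regardless of source. If the master must be able to transfer
-- from here as well, use NotRule(NetmaskGroupRule(master_ip)) as on server 1.
addAction(OrRule({QTypeRule(dnsdist.AXFR), QTypeRule(dnsdist.IXFR)}),
          RCodeAction(dnsdist.REFUSED))

-- NOTIFY is only trusted from the master (same shape as the linked doc's
-- rule), and a trusted NOTIFY must reach the authoritative backend rather
-- than the recursor, so it is routed before the recursor rule below.
addAction(AndRule({OpcodeRule(DNSOpcode.Notify),
                   NotRule(NetmaskGroupRule(master_ip))}),
          RCodeAction(dnsdist.REFUSED))
addAction(OpcodeRule(DNSOpcode.Notify), PoolAction('auth'))

-- Remaining queries from the master are recursive traffic; the rest is auth.
addAction(NetmaskGroupRule(master_ip), PoolAction('recursor'))
addAction(AllRule(), PoolAction('auth'))
```

With these rules in place, the 127.0.0.1/32 entry in the master's allow-axfr-ips is still required (it is the only address pdns ever sees), but it no longer amounts to an open zone transfer, because a request from an unknown source is refused by dnsdist before it is proxied; repeating the mxtoolbox check after the change is the quickest way to confirm that. The same proxy effect applies to NOTIFY on the slave: pdns will see the notification arriving from 127.0.0.1 rather than from its configured master, which is the situation the authoritative server's trusted-notification-proxy setting exists for (check the pdns documentation for the version in use).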