[dnsdist] Using dnsdist in front of powerdns secondaries

Sylvain Baya abscoco at gmail.com
Tue Jun 7 16:56:09 UTC 2022


Dear dnsdist-ers,
Hope this email finds you in good health!

Please see my comments below, inline...

On Tuesday 7 June 2022, Adrian Kägi via dnsdist <dnsdist at mailman.powerdns.com>
wrote:

> Hi
> Maybe I did not understand correctly,

Hi Adrian,
Thanks for your email, brother.

> but the AXFR zone transfer from primary to secondary should not be routed
> via DNSdist.

Exactly! It *should not*... see below, please:

<paste1>

"AXFR, IXFR and NOTIFY
When dnsdist is deployed in front of a primary authoritative server, it
might receive AXFR or IXFR queries destined to this primary. There are two
issues that can arise in this kind of setup:

• If the primary is part of a pool of servers, the first SOA query can be
directed by dnsdist to a different server than the following AXFR/IXFR one,
which might fail if the servers are not perfectly synchronised.
• If the primary only allows AXFR/IXFR based on the source address of the
requestor, it might be confused by the fact that the source address will be
the one from the dnsdist server."
</paste1>
https://dnsdist.org/advanced/axfr.html#:~:text=AXFR%2C%20IXFR%20and,the%20dnsdist%20server.

> from my point of view, makes no sense.

...imho, it's not that it *must not* be routed through dnsdist.
Maybe you should see if you want to implement the following two solutions:

<paste2>
"

• The first issue can be solved by routing SOA, AXFR and IXFR requests
explicitly to the primary:

<code1>
newServer({address="192.168.1.2", name="primary", pool={"primary", "otherpool"}})
addAction(OrRule({QTypeRule(DNSQType.SOA), QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), PoolAction("primary"))
</code1>

• The second one might require allowing AXFR/IXFR from the dnsdist source
address and moving the source address check to dnsdist’s side:

<code2>
addAction(AndRule({OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), NotRule(makeRule("192.168.1.0/24"))}), RCodeAction(DNSRCode.REFUSED))
</code2>
"
</paste2>
https://dnsdist.org/advanced/axfr.html#:~:text=The%20first%20issue,.REFUSED))


Hope this helps!

Shalom,
--sb.

> Cheers
>
> On Tue. 7. June 2022 10:02 CEST, Lucas Rolff via dnsdist <dnsdist at mailman.powerdns.com> wrote:
>
> [...]

-- 

Best Regards !
__
baya.sylvain[AT cmNOG DOT cm]|<https://cmnog.cm/dokuwiki/Structure>
Subscribe to Mailing List: <https://lists.cmnog.cm/mailman/listinfo/cmnog/>
__
#LASAINTEBIBLE|#Romains15:33 «May THE #GOD of #Peace be with you all! #Amen!»
#MaPrière is that you be born again. #Chrétiennement
«As a deer pants for streams of water, so my soul pants for YOU, O GOD!» (#Psaumes42:2)
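As an added illustration (my own, not from this thread or from the dnsdist documentation), here is a single dnsdist.conf that puts both quoted fixes together: transfers are first refused from anywhere outside the secondaries' network (the source-address check that the backend can no longer do itself), then SOA/AXFR/IXFR are pinned to the primary so the SOA probe and the transfer land on the same server. All addresses, pool and server names are constructed placeholders; NetmaskGroupRule with newNMG() is used where the documentation snippet calls makeRule(), and LogAction() is added so refused transfer attempts show up in the dnsdist log.

```lua
-- dnsdist.conf (constructed example, not the project's own configuration).
-- Replace every address below with your own.

-- Listener for the dnsdist frontend (placeholder address).
addLocal("192.0.2.53:53")
-- The default client ACL already covers RFC1918 space, which is where the
-- secondaries in this example live, so setACL() is left untouched.

-- Backends. The primary is a member of its own pool AND of the general pool;
-- the other two servers only ever see ordinary queries.
newServer({address="192.168.1.2", name="primary", pool={"primary", "otherpool"}})
newServer({address="192.168.1.3", name="replica1", pool="otherpool"})
newServer({address="192.168.1.4", name="replica2", pool="otherpool"})

-- Addresses allowed to pull zone transfers (the secondaries' network).
local xfrAllowed = newNMG()
xfrAllowed:addMask("192.168.1.0/24")

-- Reusable rule: "this is a zone-transfer query".
local isTransfer = OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)})
local fromOutside = NotRule(NetmaskGroupRule(xfrAllowed))

-- Fix 2 first: the backend only sees dnsdist's source address, so the
-- "who may transfer" decision moves here. Log, then refuse. LogAction()
-- is non-terminal, so the REFUSED action still runs afterwards.
addAction(AndRule({isTransfer, fromOutside}), LogAction())
addAction(AndRule({isTransfer, fromOutside}), RCodeAction(DNSRCode.REFUSED))

-- Fix 1: keep the SOA probe and the AXFR/IXFR that follows it on the same
-- backend by routing all three query types to the "primary" pool.
addAction(OrRule({QTypeRule(DNSQType.SOA), isTransfer}), PoolAction("primary"))

-- Everything else is balanced over the general pool.
addAction(AllRule(), PoolAction("otherpool"))
```

Ordering matters: the refuse rule sits above the pool rule so that a transfer from outside 192.168.1.0/24 never reaches the primary at all. The primary, in turn, must now allow AXFR/IXFR from dnsdist's own source address, as the quoted documentation says, since that is the only address it will ever see for these requests.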