[dnsdist] DNSdist with AXFR drives me crazy

Pavel Stoyanov pavel.stoyanov at rack.bg
Mon May 2 17:52:02 UTC 2022


Hello folks,


For more than 20 hours I've been fighting with dnsdist-1.8 and AXFR, which is driving me crazy. 100% of all Google results related to AXFR have been tested and found either not working or related to a very old dnsdist...

I'm completely lost and have hundreds of configurations...
The goal is:

1. The ISP does AXFR of a single arpa zone from specific allowed IP addresses.
2. The Samba Active Directory DNS does AXFR of a single domain from two specific IP addresses.
3. The second core DNS server has access to every domain for AXFR.


Your help would be greatly appreciated!


Regards,
Pavel.


The configuration below matches every IP and allows AXFR to every IP address, but I need to control which IP can transfer what, by IP address and domain, except for the Core DNS, which should have access to all zones.

#cat /etc/dnsdist/conf.d/axfr.conf


trusted_servers = newNMG()
trusted_servers:addMask("10.0.20.1/32")
trusted_servers:addMask("10.0.20.2/32")
trusted_servers:addMask("192.168.4.9/32")

isp1_servers = newNMG()
isp1_servers:addMask("216.77.2.1/32")
isp1_servers:addMask("216.77.2.6/32")

global_second_dns = newNMG()
global_second_dns:addMask("172.16.0.2/32")

authdomains_internal = newSuffixMatchNode()
authdomains_internal:add(newDNSName("adc.local."))
authdomains_internal:add(newDNSName("lab.adc.local."))

reverse_records = newSuffixMatchNode()
reverse_records:add(newDNSName("4.80.212.in-addr.arpa."))
reverse_records:add(newDNSName("4.81.212.in-addr.arpa."))
reverse_records:add(newDNSName("4.83.212.in-addr.arpa."))

-- Match Samba Servers
-- OrRule fires when ANY member matches: every SOA/AXFR/IXFR query from any
-- client, every query from trusted_servers and every query for the internal
-- zones is sent to the pool by this first rule, before later rules are reached.
addAction(
  OrRule({
    QTypeRule(DNSQType.SOA),
    NetmaskGroupRule(trusted_servers),
    SuffixMatchNodeRule(authdomains_internal),
    QTypeRule(DNSQType.AXFR),
    QTypeRule(DNSQType.IXFR)}),
  PoolAction("Primary-AXFR")
)
-- builds an action object but attaches it to no rule; has no effect
RCodeAction(DNSRCode.REFUSED)

-- Match ISP Servers (same OrRule semantics as above)
addAction(
  OrRule({
    QTypeRule(DNSQType.SOA),
    NetmaskGroupRule(isp1_servers),
    SuffixMatchNodeRule(reverse_records),
    QTypeRule(DNSQType.AXFR),
    QTypeRule(DNSQType.IXFR)}),
  PoolAction("Primary-AXFR")
)
-- no effect, not attached to a rule
RCodeAction(DNSRCode.REFUSED)

-- Match Core DNS (same OrRule semantics as above)
addAction(
  OrRule({
    QTypeRule(DNSQType.SOA),
    NetmaskGroupRule(global_second_dns),
    QTypeRule(DNSQType.AXFR),
    QTypeRule(DNSQType.IXFR)}),
  PoolAction("Primary-AXFR")
)
-- no effect, not attached to a rule
RCodeAction(DNSRCode.REFUSED)

-- Second Global DNS
-- Never reached for AXFR/IXFR: the first rule above already matched them.
addAction(
  AndRule({
    NotRule(NetmaskGroupRule(global_second_dns)),
    OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)})
  }),
  DropAction()
)

-- Samba Active Directory
addAction(
  AndRule({
    NotRule(NetmaskGroupRule(trusted_servers)),
    SuffixMatchNodeRule(authdomains_internal),
    OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)})
  }),
  DropAction()
)

-- ISP reverse records
addAction(
  AndRule({
    NotRule(NetmaskGroupRule(isp1_servers)),
    SuffixMatchNodeRule(reverse_records),
    OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)})
  }),
  DropAction()
)

-- Allow NOTIFY (only DNS-Slave)
-- A NOTIFY from 10.0.20.1 is refused by the second rule and one from
-- 216.77.2.1 by the first, so every NOTIFY ends up refused.
addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("10.0.20.1/32"))}), RCodeAction(DNSRCode.REFUSED))

addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("216.77.2.1/32"))}), RCodeAction(DNSRCode.REFUSED))


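The following is an added example, not part of Pavel's post and not PowerDNS project code: a rewritten axfr.conf that implements the three goals with deny-by-default rule ordering. dnsdist applies the first matching rule, so the allow rules come first and a catch-all refusal of every other transfer request comes last; each allow rule AND-s the transfer qtypes with the source network and the zone suffix, where the posted config OR-ed them. Networks, zone names and the pool name are taken from the post; the backend address 10.0.20.10 in newServer is an assumption for illustration and can be dropped if the Primary-AXFR pool is already defined elsewhere.

```lua
-- Added example (not from the original post): /etc/dnsdist/conf.d/axfr.conf
-- with deny-by-default zone-transfer rules for dnsdist 1.x.

-- Who may transfer what
trusted_servers = newNMG()            -- Samba AD DCs
trusted_servers:addMask("10.0.20.1/32")
trusted_servers:addMask("10.0.20.2/32")
trusted_servers:addMask("192.168.4.9/32")

isp1_servers = newNMG()               -- ISP secondaries
isp1_servers:addMask("216.77.2.1/32")
isp1_servers:addMask("216.77.2.6/32")

global_second_dns = newNMG()          -- core DNS, may transfer every zone
global_second_dns:addMask("172.16.0.2/32")

authdomains_internal = newSuffixMatchNode()
authdomains_internal:add(newDNSName("adc.local."))
authdomains_internal:add(newDNSName("lab.adc.local."))

reverse_records = newSuffixMatchNode()
reverse_records:add(newDNSName("4.80.212.in-addr.arpa."))
reverse_records:add(newDNSName("4.81.212.in-addr.arpa."))
reverse_records:add(newDNSName("4.83.212.in-addr.arpa."))

-- Backend that actually serves the zones (address is an assumption)
newServer({address = "10.0.20.10", pool = "Primary-AXFR"})

-- "This is a zone transfer request". Every transfer rule below AND-s this
-- with its source and zone conditions; a fresh rule object is built per use.
local function xfrRule()
  return OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)})
end

-- 1. Core DNS may transfer any zone.
addAction(AndRule({xfrRule(), NetmaskGroupRule(global_second_dns)}),
          PoolAction("Primary-AXFR"))

-- 2. Samba DCs may transfer only the internal AD zones.
addAction(AndRule({xfrRule(),
                   SuffixMatchNodeRule(authdomains_internal),
                   NetmaskGroupRule(trusted_servers)}),
          PoolAction("Primary-AXFR"))

-- 3. ISP secondaries may transfer only the reverse zones.
addAction(AndRule({xfrRule(),
                   SuffixMatchNodeRule(reverse_records),
                   NetmaskGroupRule(isp1_servers)}),
          PoolAction("Primary-AXFR"))

-- 4. Every other transfer request, from any source for any zone, is refused.
--    Must come after the allow rules: the first matching rule wins.
addAction(xfrRule(), RCodeAction(DNSRCode.REFUSED))

-- NOTIFY: accept only from the listed sources, in ONE rule. Two separate
-- NotRule rules (one per source) refuse each source's NOTIFY via the other.
notify_sources = newNMG()
notify_sources:addMask("10.0.20.1/32")
notify_sources:addMask("216.77.2.1/32")
addAction(AndRule({OpcodeRule(DNSOpcode.Notify),
                   NotRule(NetmaskGroupRule(notify_sources))}),
          RCodeAction(DNSRCode.REFUSED))
```

Check each path from the relevant host with `dig @<dnsdist> +tcp <zone> axfr`: the permitted source/zone pairs should return the zone, everything else REFUSED (REFUSED rather than DropAction so the secondary logs a clear error instead of timing out). Two caveats: a bare `RCodeAction(DNSRCode.REFUSED)` on its own line only constructs an action object, nothing is installed unless it is passed to `addAction(rule, action)`; and dnsdist filters on source IP only and does not validate TSIG, so keep the authoritative backend's own transfer ACL (for example PowerDNS `allow-axfr-ips`) and TSIG keys in place as the real control, with these rules as a front filter.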
