[Pdns-users] pdns & nproxy

Fred Wittekind rom at twister.dyndns.org
Tue Jul 10 17:09:39 UTC 2012


On 7/8/2012 8:31 PM, Fred Wittekind wrote:
> On 07/05/2012 06:00 PM, bert hubert wrote:
>> On Jul 5, 2012, at 8:18 PM, Fred Wittekind wrote:
>>> Then I got this error when trying to start nproxy (IP address
>>> censored):
>>> nproxy: Fatal: Binding socket for incoming packets to 'a.b.c.d:53':
>>> Address already in use
>>>
>>> Which of course makes sense after seeing it, pdns is already binding
>>> to the same IP/port.
>>>
>>> So, my question is this...  Can the functionality of nproxy be
>>> rolled into pdns so that pdns itself can forward the notify to
>>> another instance of pdns (on the master server), or can nproxy and
>>> pdns be made to work on the same IP.   I looked into trying to see
>>> if I could get iptables to split out the notify messages to a
>>> different destination IP so I could put nproxy on a different IP
>>> than pdns, but, I didn't figure out a good (reliable) way to do this.
>> Interesting. The original use case was where the outside world would
>> never be talking to that master, or at least not taking the
>> initiative to do so. So the outside world would think the nproxy IP
>> address was the slave, and nproxy would then relay that to the real
>> slave, which would reach out over TCP to make it happen. I think some
>> NAT trick is used to make sure that the outgoing traffic appears as
>> the address that was notified.
>>
>> If you want to have this integrated, what exactly is your use case?
>> Better protection for the hidden master?
>>
>> Please don't get me wrong, I get the impression what you want is
>> reasonable, but I can't quite wrap my head around your exact
>> requirements.
>>
>> Please let us know!
>>
>>     Bert
>>     PowerDNS
>>
>>
>
> What we are trying to do is have what we call NSMS, which is a server
> that sits behind our firewall, and is the MySQL master db server. 
> Then we are going to have 3 name servers on public IPs that will be
> MySQL slaves of NSMS (what PDNS calls native replication I think).  We
> would then have some type of web interface managing the DNS records on
> NSMS.  This setup covers the need of 90+% of the domains we host.
>
> We have a small handful of domains that we slave from one of our
> client's servers.  The 3 name servers we would have on public IPs
> would be unable to write to their local MySQL instance, because they
> are MySQL slaves, so we would need that notify to be passed on to
> NSMS, which our 3 public name servers can talk to, but our client
> servers can't.
>
> Right now, the clients are configured to send the notify to one of
> our existing 3 public name servers, and it has a script on it that
> intercepts that notify and passes it on to the existing NSMS.  I would
> prefer to avoid solutions that require the clients to change their
> configuration.  Our new PDNS based servers are intended to take over
> the IP addresses of our old name servers.
>
> Looks like it would be pretty easy to re-write one of the SQL queries
> so that the 3 public name servers get back "native" as the replication
> mode for all domains including the ones that NSMS actually slaves off
> a client server.  The trick I think is just going to be getting the
> notify forwarded to NSMS (since it's the only server with MySQL write
> access).
>
> Fred Wittekind
>

I've been looking at the code in nproxy, and the code in pdns that tests
against the trusted-notification-proxy setting, and I see that it tests
that the notify came from the trusted-notification-proxy, and that it
tests that the domain the notify is for has a master, but, I do not see
that it checks that the original notify came from the master, or that
nproxy even passes along that information to pdns.

Am I missing something or am I reading the code correctly?  If I am
reading the code correctly, would it be possible or a good idea for
nproxy to forward along the IP address it received the notify from, and
for pdns to check that IP against the master for the zone?

Fred Wittekind
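To make the two checks discussed above concrete, here is a small model of the NOTIFY acceptance decision written for this post; it is not PowerDNS or nproxy code. The first policy is the check as Fred reads it (the packet comes from the configured trusted-notification-proxy and the zone has a master at all); the second adds the proposed step, where the proxy passes along the address it received the NOTIFY from and the server requires that address to match one of the zone's configured masters. The zone table, the proxy address, the `origin` field and every IP address are constructed for the example.

```python
"""
Model of the two NOTIFY trust policies discussed in the thread.
Added example, not PowerDNS or nproxy code; all names and addresses
below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, IPv4Address, IPv6Address
from typing import Optional, Tuple, Union

Addr = Union[IPv4Address, IPv6Address]


@dataclass
class Zone:
    name: str
    kind: str                 # "NATIVE", "MASTER" or "SLAVE" (modelled, not pdns's schema)
    masters: tuple = ()       # upstream masters, only meaningful for SLAVE zones


@dataclass
class Notify:
    zone: str
    sender: Addr                   # address the packet actually arrived from
    origin: Optional[Addr] = None  # address the proxy says it received the NOTIFY from
                                   # (hypothetical field: the thread asks whether nproxy
                                   # could forward this at all)


# Constructed configuration: one trusted proxy, one zone slaved from a customer.
TRUSTED_PROXY = ip_address("192.0.2.10")
ZONES = {
    "customer.example.": Zone("customer.example.", "SLAVE", masters=("198.51.100.5",)),
    "hosted.example.": Zone("hosted.example.", "NATIVE"),
}


def check_proxy_only(n: Notify) -> Tuple[bool, str]:
    """Policy 1: accept if relayed by the trusted proxy and the zone has a master."""
    zone = ZONES.get(n.zone)
    if zone is None:
        return False, "unknown zone"
    if n.sender != TRUSTED_PROXY:
        return False, "sender is not the trusted-notification-proxy"
    if not zone.masters:
        return False, "zone has no master configured"
    return True, "accepted (proxy-only policy)"


def check_proxy_and_origin(n: Notify) -> Tuple[bool, str]:
    """Policy 2: policy 1 plus 'the original sender must be one of the zone's masters'."""
    ok, why = check_proxy_only(n)
    if not ok:
        return ok, why
    if n.origin is None:
        return False, "proxy did not forward the original sender address"
    masters = {ip_address(m) for m in ZONES[n.zone].masters}
    if n.origin not in masters:
        return False, f"origin {n.origin} is not a configured master for {n.zone}"
    return True, "accepted (origin matches a configured master)"


if __name__ == "__main__":
    # Constructed sample: one NOTIFY relayed from the real master, one relayed
    # from an address that is not the zone's master.
    samples = [
        Notify("customer.example.", TRUSTED_PROXY, ip_address("198.51.100.5")),
        Notify("customer.example.", TRUSTED_PROXY, ip_address("203.0.113.7")),
        Notify("hosted.example.", TRUSTED_PROXY),
    ]
    for s in samples:
        print(s.zone, s.origin, check_proxy_only(s), check_proxy_and_origin(s))
```

Under the first policy every NOTIFY the proxy relays for a slaved zone is accepted, which is the gap the message points out; the second policy only accepts the one whose origin matches the zone's master. Since a NOTIFY only triggers the slave to query the configured master for its SOA, the practical effect of an unwanted NOTIFY is an extra refresh rather than injected data, but the origin check still keeps arbitrary hosts from driving that refresh through the proxy.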
