[Pdns-users] pdns & nproxy (solution)

Fred Wittekind rom at twister.dyndns.org
Tue Jul 17 17:41:45 UTC 2012 

On 7/10/2012 1:09 PM, Fred Wittekind wrote:
> On 7/8/2012 8:31 PM, Fred Wittekind wrote:
>> On 07/05/2012 06:00 PM, bert hubert wrote:
>>> On Jul 5, 2012, at 8:18 PM, Fred Wittekind wrote:
>>>> Then I got this error when trying to start nproxy (IP address
>>>> censored):
>>>> nproxy: Fatal: Binding socket for incoming packets to 'a.b.c.d:53':
>>>> Address already in use
>>>>
>>>> Which of course makes sense after seeing it, pdns is already binding
>>>> to the same IP/port.
>>>>
>>>> So, my question is this...  Can the functionality of nproxy be
>>>> rolled into pdns so that pdns itself can forward the notify to
>>>> another instance of pdns (on the master server), or can nproxy and
>>>> pdns be made to work on the same IP.   I looked into trying to see
>>>> if I could get iptables to split out the notify messages to a
>>>> different destination IP so I could put nproxy on a different IP
>>>> than pdns, but, I didn't figure out a good (reliable) way to do this.
>>> Interesting. The original use case was where the outside world would
>>> never be talking to that master, or at least not taking the
>>> initiative to do so. So the outside world would think the nproxy IP
>>> address was the slave, and nproxy would then relay that to the real
>>> slave, which would reach out over TCP to make it happen. I think some
>>> NAT trick is used to make sure that the outgoing traffic appears as
>>> the address that was notified.
>>>
>>> If you want to have this integrated, what exactly is your use case?
>>> Better protection for the hidden master?
>>>
>>> Please don't get me wrong, I get the impression what you want is
>>> reasonable, but I can't quite wrap my head around your exact
>>> requirements.
>>>
>>> Please let us know!
>>>
>>>     Bert
>>>     PowerDNS
>>>
>>>
>> What we are trying to do is have what we call NSMS, which is a server
>> that sits behind our firewall, and is the MySQL master db server. 
>> Then we are going to have 3 name servers on public IPs that will be
>> MySQL slaves of NSMS (what PDNS calls native replication I think).  We
>> would then have some type of web interface managing the DNS records on
>> NSMS.  This setup covers the need of 90+% of the domains we host.
>>
>> We have a small handful of domains that we slave from one of our
>> client's servers.  The 3 name servers we would have on public IPs
>> would be unable to write to there local MySQL instance, because they
>> are MySQL slaves, so we would need that notify to be passed on to
>> NSMS, which our 3 public name servers can talk to, but our client
>> server's can't.
>>
>> Right now, the client's are configured to send the notify to one of
>> our existing 3 public name servers, and it has a script on it that
>> intercepts that notify and passes it on to the existing NSMS.  I would
>> prefer to avoid solutions that require the clients to change there
>> configuration.  Our new PDNS based servers are intended to take over
>> the IP addresses of our old name servers.
>>
>> Looks like it would be pretty easy to re-write one of the SQL queries
>> so that the 3 public name servers get back "native" as the replication
>> mode for all domains including the ones that NSMS actually slaves off
>> a client server.  The trick I think is just going to be getting the
>> notify forwarded to NSMS (since it's the only server with MySQL write
>> access).
>>
>> Fred Wittekind
>>
> I've been looking at the code in nproxy, and the code in pdns that tests
> against the trusted-notification-proxy setting, and I see that it tests
> that the notify came from the trusted-notification-proxy, and that it
> tests that the domain the notify is for has a master, but, I do not see
> that it checks that the original notify came from the master, or that
> nproxy even passes along that information to pdns.
>
> Am I missing something or am I reading the code correctly?  If I am
> reading the code correctly, would it be possible or a good idea for
> nproxy to forward along the IP address it received the notify from, and
> for pdns to check that IP against the master for the zone?
>
> Fred Wittekind
>

Using PDNS 3.1

Need patches from:
http://wiki.powerdns.com/trac/ticket/532
http://wiki.powerdns.com/trac/ticket/534

IP Address place holders:
MySQL Master Server / Hidden PDNS Master: a.a.a.a
Public Facing name server IP: b.b.b.b

This config is for public facing name server:
iptables -A INPUT -d b.b.b.b -p udp --dport 5353 -j ACCEPT
iptables -A INPUT -d b.b.b.b -p udp --dport 53 -j ACCEPT
iptables -t nat -A PREROUTING ! --fragment -m u32 --u32
"0>>22&0x3C at 8>>11&0xF=4" -d b.b.b.b -p udp --dport 53 -j DNAT
--to-destination :5353
iptables -t nat -A PREROUTING -s a.a.a.a -d b.b.b.b -p udp --dport 53 -j
DNAT --to-destination :5353
nproxy --powerdns-address a.a.a.a --listen-address b.b.b.b --listen-port
5353

I'm going to refine the rules a little more so that it includes NOTRACK
rules, but, as it sits, it does work with connection tracking turned on.

Fred Wittekind

More information about the Pdns-users mailing list