[Pdns-users] Block AXFR on PipeBackend only
Marcin Deranek
marcin.deranek at booking.com
Fri Oct 11 14:08:02 UTC 2013
Hi,
So far we've been using PowerDNS solely for dynamic DNS resolution
using PipeBackend only, so we had "disable-axfr=yes" in PowerDNS
configuration as there was no need to provide zone transfers.
Currently I'm trying to add static DNS resolution to the very same
instance (using Bind backend) which requires enabling zone transfers,
but I struggle to disable them only for PipeBackend while enabling them
for Bind backend.
So far the "cleanest" approach (or the most compatible with
"disable-axfr=yes" setting we had before) I came up with is to return
nothing on AXFR or SOA query when remote-ip-address=='0.0.0.0' (this is
SOA query which precedes AXFR).
Filtering out query type in pipe-regex has the problem with SOA query
which precedes AXFR especially when you want to support SOA queries.
Does anybody has a better idea ?
Thanx in advance.
Marcin Deranek
More information about the Pdns-users
mailing list