[Pdns-users] Block AXFR on PipeBackend only

Brendan Oakley gentux2 at gmail.com
Fri Oct 11 16:32:27 UTC 2013


Hi Marcin,

Depending on your application, the allow-axfr-ips option might be useful to
fence this off.

Brendan


On Fri, Oct 11, 2013 at 7:08 AM, Marcin Deranek
<marcin.deranek at booking.com> wrote:

> Hi,
>
> So far we've been using PowerDNS solely for dynamic DNS resolution
> using PipeBackend only, so we had "disable-axfr=yes" in PowerDNS
> configuration as there was no need to provide zone transfers.
> Currently I'm trying to add static DNS resolution to the very same
> instance (using Bind backend) which requires enabling zone transfers,
> but I struggle to disable them only for PipeBackend while enabling them
> for Bind backend.
>
> So far the "cleanest" approach (or the most compatible with
> "disable-axfr=yes" setting we had before) I came up with is to return
> nothing on AXFR or SOA query when remote-ip-address=='0.0.0.0' (this is
> the SOA query which precedes AXFR).
> Filtering out the query type in pipe-regex has a problem with the SOA query
> which precedes AXFR, especially when you want to support SOA queries.
> Does anybody have a better idea?
> Thanks in advance.
>
> Marcin Deranek
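The workaround described in the quoted message, sketched as an added example (not code from this thread or from PowerDNS): a PipeBackend coprocess speaking ABI version 1 that sends an empty answer to AXFR requests and to SOA lookups arriving with remote-ip-address 0.0.0.0. The zone name, records and domain id are constructed, and the 0.0.0.0 behaviour is taken from the post as stated, not verified here.

```python
import sys

# Constructed sample data: one dynamic zone served only by this coprocess.
ZONE = "dyn.example.com"
DOMAIN_ID = "1"  # constructed domain id echoed in DATA lines
RECORDS = {
    (ZONE, "SOA"): "ns1.example.com hostmaster.example.com 1 3600 600 86400 60",
    ("www." + ZONE, "A"): "192.0.2.10",
}


def handle(line):
    """Return the reply lines for one tab-separated PipeBackend request."""
    f = line.rstrip("\n").split("\t")
    if f[0] == "HELO":
        return ["OK\taxfr-filtering pipe backend"]
    if f[0] == "AXFR":
        # Never hand out the dynamic zone: answer with an empty record set.
        return ["LOG\tempty answer for AXFR on pipe zone", "END"]
    if f[0] == "Q" and len(f) >= 6:
        qname, qclass, qtype, _qid, remote = f[1:6]
        # Per the post: the SOA lookup that precedes an AXFR carries
        # remote-ip-address 0.0.0.0, so it gets no records either.
        if qtype == "SOA" and remote == "0.0.0.0":
            return ["END"]
        out = []
        for (name, rtype), content in RECORDS.items():
            if name == qname.lower() and qtype in (rtype, "ANY"):
                out.append("\t".join(
                    ["DATA", name, qclass, rtype, "60", DOMAIN_ID, content]))
        return out + ["END"]
    return ["FAIL"]


def main():
    # PowerDNS writes one request per line and waits for END or FAIL.
    for line in sys.stdin:
        for reply in handle(line):
            sys.stdout.write(reply + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

SOA queries from real clients still get an answer; only the transfer path comes back empty. The allow-axfr-ips setting suggested in the reply restricts which addresses may request transfers at all and can be used alongside this.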

