[Pdns-users] Block AXFR on PipeBackend only
gentux2 at gmail.com
Fri Oct 11 16:32:27 UTC 2013
Depending on your application, the allow-axfr-ips option might be useful to
fence this off.
On Fri, Oct 11, 2013 at 7:08 AM, Marcin Deranek
<marcin.deranek at booking.com>wrote:
> So far we've been using PowerDNS solely for dynamic DNS resolution
> using PipeBackend only, so we had "disable-axfr=yes" in PowerDNS
> configuration as there was no need to provide zone transfers.
> Currently I'm trying to add static DNS resolution to the very same
> instance (using Bind backend) which requires enabling zone transfers,
> but I struggle to disable them only for PipeBackend while enabling them
> for Bind backend.
> So far the "cleanest" approach (or the most compatible with
> "disable-axfr=yes" setting we had before) I came up with is to return
> nothing on AXFR or SOA query when remote-ip-address=='0.0.0.0' (this is
> SOA query which precedes AXFR).
> Filtering out query type in pipe-regex has the problem with SOA query
> which precedes AXFR especially when you want to support SOA queries.
> Does anybody has a better idea ?
> Thanx in advance.
> Marcin Deranek
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Pdns-users