[Pdns-users] Block AXFR on PipeBackend only
cmouse at youzen.ext.b2.fi
Fri Oct 11 18:01:02 UTC 2013
Are you actually using AXFR to something on pipebackend? If not, why not just
send FAIL when you get one? I can't imagine this being a performance issue as
it's clearly identifiable. It's hardly worth the trouble you are going through.
On Fri, Oct 11, 2013 at 09:32:27AM -0700, Brendan Oakley wrote:
> Hi Marcin,
> Depending on your application, the allow-axfr-ips option might be useful to
> fence this off.
> On Fri, Oct 11, 2013 at 7:08 AM, Marcin Deranek
> <marcin.deranek at booking.com> wrote:
> > Hi,
> > So far we've been using PowerDNS solely for dynamic DNS resolution
> > using PipeBackend only, so we had "disable-axfr=yes" in PowerDNS
> > configuration as there was no need to provide zone transfers.
> > Currently I'm trying to add static DNS resolution to the very same
> > instance (using Bind backend) which requires enabling zone transfers,
> > but I struggle to disable them only for PipeBackend while enabling them
> > for Bind backend.
> > So far the "cleanest" approach (or the most compatible with
> > "disable-axfr=yes" setting we had before) I came up with is to return
> > nothing on AXFR or SOA query when remote-ip-address=='0.0.0.0' (this is
> > SOA query which precedes AXFR).
> > Filtering out query type in pipe-regex has the problem with SOA query
> > which precedes AXFR especially when you want to support SOA queries.
> > Does anybody have a better idea?
> > Thanks in advance.
> > Marcin Deranek
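The approach suggested in the reply above (answer FAIL to AXFR, keep answering SOA), sketched as a PipeBackend coprocess. This is an added example, not code from the thread or from PowerDNS; it assumes pipe ABI version 1, and the zone name, records and banner text are constructed.

```python
import sys

# Constructed sample data for the dynamic zone (hypothetical names/addresses).
RECORDS = {
    ("dyn.example.com", "SOA"):
        "ns1.example.com hostmaster.example.com 1 3600 600 86400 60",
    ("www.dyn.example.com", "A"): "192.0.2.10",
}
TTL = 60


def handle_line(line):
    """Return the response lines for one PipeBackend (ABI v1) request line."""
    fields = line.rstrip("\n").split("\t")
    kind = fields[0]
    if kind == "HELO":
        # Handshake: accept only the ABI version this script implements.
        return ["OK\tdemo backend ready"] if fields[1:] == ["1"] else ["FAIL"]
    if kind == "AXFR":
        # Zone transfer request for this backend: refuse it outright.
        return ["FAIL"]
    if kind == "Q" and len(fields) == 6:
        # Q <qname> <qclass> <qtype> <id> <remote-ip-address>
        _, qname, qclass, qtype, rid, _remote = fields
        out = []
        for (name, rtype), content in RECORDS.items():
            if name == qname.lower() and qtype in (rtype, "ANY"):
                out.append("\t".join(
                    ["DATA", qname, qclass, rtype, str(TTL), rid, content]))
        # SOA lookups (including the one preceding an AXFR) are still answered.
        return out + ["END"]
    return ["FAIL"]  # malformed or unsupported request


def main():
    # PowerDNS talks to the coprocess over stdin/stdout, one line at a time.
    for line in iter(sys.stdin.readline, ""):
        for resp in handle_line(line):
            sys.stdout.write(resp + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```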