[Pdns-users] VPN - Overriding master/slave ip

Mike mike+lists at yourtownonline.com
Wed Apr 17 09:54:00 UTC 2019


    I have a working hidden (super)master / slave arrangement where the
slaves learn about their zones from the supermaster and axfr. This works
as expected. I was thinking however that it might be an extra bit of
hardening if I could protect certain things, such as zone transfers and
slave SOA checks, with a vpn. I know that tsig will protect zone
transfers, but for confidentiality across untrusted networks the vpn
would be perfect. Also, SOA checks themselves have no confidentiality
or integrity, so spoofed UDP can be injected here too. Maybe not the
biggest fire, but just thinking what can be done here....

    Ideally, what I'd want is for the hidden master and the slaves all
to have a vpn between them, with the master and slaves having a shared
private internal ip address range between them. This is easy to do with
OpenVPN. The missing part seems to be the ability to explicitly state
which source ip the master will use to notify the slaves. Maybe it's a
different source IP per slave, in some setups. It would further be nice
to tell the server to not even bother sending notifies to the NS records
of the zone and instead using only an explicit notify list, also
possibly per zone.

    I have tried various games with routing, nat, fwmarks, and so
forth, and I can bludgeon things into mostly - but not entirely -
working. Lot of work for something that could more or less be automatic
and with a lot less configuration if we just had additional config
controls to set the above properties. 

    Just my random thoughts. PowerDNS is awesome..

