[Pdns-users] VPN - Overriding master/slave ip
Gert van Dijk
gertvdijk+pdns-users at gmail.com
Wed Apr 17 10:21:49 UTC 2019
On Wed, Apr 17, 2019 at 11:54 AM Mike <mike+lists at yourtownonline.com> wrote:
> I have a working hidden (super)master / slave arrangement where the
> slaves learn about their zones from the supermaster and axfr. This works
> as expected. I was thinking however that it might be an extra bit of
> hardening if I could protect certain things, such as zone transfers and
> slave SOA checks, with a vpn. I know that tsig will protect zone
> transfers, but for confidentiality across untrusted networks the vpn
> would be perfect. Also, SOA checks themselves have no confidentiality
> or integrity, so spoofed UDP can be injected here too. Maybe not the
> biggest fire, but just thinking what can be done here....
> Ideally, what I'd want is for the hidden master and the slaves all
> to have a vpn between them, with the master and slaves having a shared
> private internal ip address range between them. This is easy to do with
> OpenVPN. The missing part seems to be the ability to explicitly state
> which source ip the master will use to notify the slaves. Maybe it's a
> different source IP per slave, in some setups. It would further be nice
> to tell the server to not even bother sending notifies to the NS records
> of the zone and instead using only an explicit notify list, also
> possibly per zone.
My setup is similar. I've configured the slaves with the setting
allow-notify-from=<master IP(s) (subnet)>
And the master with
only-notify=<private IP subnet>
also-notify=<slave IPs on private IP subnet>
Sending packets to an IP that is local to the host (e.g. OpenVPN tunnel
device) should happen with the source address on that interface by default
and you should not need any routing fu.
This won't really allow you to set it per zone, though.
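The configuration Gert describes, written out as a pair of pdns.conf fragments. This is an added example and not config from either poster; the VPN subnet 10.8.0.0/24, the master address 10.8.0.1 and the slave addresses 10.8.0.2 and 10.8.0.3 are constructed values, and `allow-axfr-ips` (restricting who may AXFR from the master) is a standard PowerDNS Authoritative setting added here for completeness, not one mentioned in the thread.

```ini
# ---- hidden master: /etc/powerdns/pdns.conf (example, constructed values) ----
master=yes
# Listen only on the VPN tunnel address so the master stays hidden from the
# public network; outgoing NOTIFYs to 10.8.0.0/24 leave via the tunnel
# interface and carry its source address without extra routing.
local-address=10.8.0.1
# Suppress NOTIFYs to NS-record addresses outside the VPN subnet.
only-notify=10.8.0.0/24
# Explicit list of slaves to notify (all zones; PowerDNS has no per-zone form here).
also-notify=10.8.0.2,10.8.0.3
# Only the slaves on the VPN may pull zones (added setting, not from the thread).
allow-axfr-ips=10.8.0.0/24

# ---- slave: /etc/powerdns/pdns.conf (example, constructed values) ----
slave=yes
# Accept NOTIFYs only from the master's tunnel address; spoofed NOTIFYs from
# public sources are dropped before any SOA check is triggered.
allow-notify-from=10.8.0.1
# SOA checks and AXFR requests towards 10.8.0.1 route over the tunnel, so the
# slave's VPN address is used as source without further configuration.
```

With these fragments the NOTIFY, SOA-check and AXFR traffic all stay inside the tunnel; TSIG on the zone transfer still adds integrity on top of that, and the limitation Gert notes remains: `also-notify` and `only-notify` apply server-wide, not per zone.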