[Pdns-users] Pdns-users Digest, Vol 204, Issue 10

Thomas Mieslinger miesi at mail.com
Tue Jan 14 12:57:55 UTC 2020


We've set up pdns "hidden slaves" which get notified by Windows DNS Servers.

Windows DNS admins need to configure the equivalent of ALSO-NOTIFY and
allow transfers from "hidden slaves".

pdns hidden slaves write AXFRs into the database.

Database replication transports DNS data to the authoritative pdns servers.

The pdns_recursor forward zone points to the authoritative pdns servers
instead of Windows DNS.

Cheers Thomas

P.S.: The term "hidden slaves" does not exist in any RFC to the best of
my knowledge, but I have nothing better. Suggestions welcome.

On 11.01.20 17:51, Satya Sharma wrote:
> Hi,
>
> I want to make an interface between Windows DNS and PowerDNS. Is there
> any best practice and way to do that?
>
> On Sat, 11 Jan 2020 at 5:30 PM, <pdns-users-request at mailman.powerdns.com> wrote:
>
>     Today's Topics:
>
>         1. Re: pdns-recursor Permissions Error (Sharone)
>         2. Re: pdns-recursor Permissions Error (Steve Shipway)
>
>
>     ----------------------------------------------------------------------
>
>     Message: 1
>     Date: Fri, 10 Jan 2020 16:32:43 +0300
>     From: Sharone <missakiiki at gmail.com>
>     To: Brian Candler <b.candler at pobox.com>
>     Cc: Otto Moerbeek <otto.moerbeek at open-xchange.com>,
>     pdns-users at mailman.powerdns.com
>     Subject: Re: [Pdns-users] pdns-recursor Permissions Error
>     Message-ID:
>     <CACMzb4dGtzN=Xo8NxscaJDpKnxpSGmqZ=h9=NxR_BX0JvUU4Tg at mail.gmail.com>
>     Content-Type: text/plain; charset="utf-8"
>
>     Thank you all for the generous and tremendous support.
>     I have traffic on Cacti from my recursive servers now.
>     Have a lovely weekend.
>
>     Regards,
>     Sharone
>
>
>     On Fri, 10 Jan 2020 at 14:30, Brian Candler <b.candler at pobox.com> wrote:
>
>      > On 10/01/2020 11:07, Sharone wrote:
>      >
>      > I have attempted to comment out the line *extend pdns-rec
>      > /usr/local/bin/pdns_stats* in snmpd.conf file and still gotten the same
>      > error, however changing permissions to the entire directory to rwx worked
>      > but like you mentioned this indeed brings about a security issue.
>      >
>      > Oh well, if that works, you just do tighter permissions - e.g. changing
>      > the directory *group* to "snmp" or "Debian-snmp" as appropriate, and
>      > setting mode 775.
>      >
>      > This is what out-of-box recursor has:
>      >
>      > root at cache1:~# ls -ld /var/run/pdns-recursor
>      > drwxr-xr-x 2 pdns pdns 60 Dec 12 12:49 /var/run/pdns-recursor
>      >
>      > root at cache1:~# ls -l /var/run/pdns-recursor/
>      > total 0
>      > srwxr-xr-x 1 pdns pdns 0 Dec 12 12:49 pdns_recursor.controlsocket
>      >
>      > Using pdns:snmp and mode 775 should be fine.
>      >
>      > See also the perms for the socket itself:
>      >
>      > https://docs.powerdns.com/recursor/settings.html#socket-owner-socket-group-socket-mode
>      >
>      > HTH,
>      >
>      > Brian.
>      >
>     ------------------------------
>
>     Message: 2
>     Date: Sat, 11 Jan 2020 20:53:08 +1300 (NZDT)
>     From: Steve Shipway <steve.shipway at smxemail.com>
>     To: Sharone <missakiiki at gmail.com>
>     Cc: pdns-users at mailman.powerdns.com
>     Subject: Re: [Pdns-users] pdns-recursor Permissions Error
>     Message-ID: <352284712.7331.1578729188516 at webmail.nz.smxemail.com>
>     Content-Type: text/plain; charset="utf-8"
>
>      From what I can see, your snmpd system will run
>     /usr/local/bin/pdns_stats as the snmpd user. This user does not have
>     write permission to the /var/run/pdns-recursor directory and so you
>     get the error.
>     You could either make the /var/run/pdns-recursor mode 775 and group
>     snmpd; or maybe add the snmpd user to the pdns group and make the
>     directory mode 775. Note that you also need to have the same mode
>     and ownership on the socket.
>     Hope this helps, sorry for the slow reply have been very busy
>     Steve
>
>
>      > On 09 January 2020 at 18:24 Sharone <missakiiki at gmail.com> wrote:
>      >
>      >     Hello Steve,
>      >
>      >     I appreciate your response. Below is what is inside /etc/snmp/snmpd.conf file
>      >
>      >     rocommunity public
>      >     syslocation "Data Center"
>      >     syscontact admin at techs.co.ug
>      >     createUser admin SHA admin123! AES admin123!
>      >     rouser admin authPriv
>      >     extend pdns-rec /usr/local/bin/pdns_stats
>      >     agentAddress udp:161,udp6:[::1]:161
>      >
>      >     /etc/default/snmpd
>      >
>      >     # This file controls the activity of snmpd
>      >
>      >     # Don't load any MIBs by default.
>      >     # You might comment this lines once you have the MIBs downloaded.
>      >     export MIBS=
>      >
>      >     # snmpd control (yes means start daemon).
>      >     SNMPDRUN=yes
>      >
>      >     # snmpd options (use syslog, close stdin/out/err).
>      >     SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -g snmp -I -smux,mteTrigger,mteTriggerConf -p /run/snmpd.pid'
>      >
>      >     snmp service status
>      >
>      >     # systemctl status snmpd.service
>      >     ● snmpd.service - LSB: SNMP agents
>      >        Loaded: loaded (/etc/init.d/snmpd; bad; vendor preset: enabled)
>      >        Active: active (running) since Thu 2020-01-09 08:24:04 EAT; 4s ago
>      >          Docs: man:systemd-sysv-generator(8)
>      >       Process: 694 ExecStop=/etc/init.d/snmpd stop (code=exited, status=0/SUCCESS)
>      >       Process: 703 ExecStart=/etc/init.d/snmpd start (code=exited, status=0/SUCCESS)
>      >         Tasks: 1
>      >        Memory: 4.3M
>      >           CPU: 66ms
>      >        CGroup: /system.slice/snmpd.service
>      >                └─710 /usr/sbin/snmpd -Lsd -Lf /dev/null -u snmp -g snmp -I -smux mteTrigger mteTriggerConf -p /run/snmpd.pid
>      >
>      >     Jan 09 08:24:04 vdns-50 systemd[1]: Starting LSB: SNMP agents...
>      >     Jan 09 08:24:04 vdns-50 snmpd[703]:  * Starting SNMP services:
>      >     Jan 09 08:24:04 vdns-50 systemd[1]: Started LSB: SNMP agents.
>      >     Jan 09 08:24:04 vdns-50 snmpd[710]: NET-SNMP version 5.7.3
>      >
>      >     Regards,
>      >     Sharone
>      >
>      >
>      >     On Wed, 8 Jan 2020 at 22:35, Steve Shipway <steve.shipway at smxemail.com> wrote:
>      >
>      > >         On Wed, 2020-01-08 at 09:20 +0300, Sharone wrote:
>      > >
>      > > >             # snmpwalk -v2c -c public localhost .1.3.6.1.4.1.8072.1.3.2.4.1.2
>      > > >             iso.3.6.1.4.1.8072.1.3.2.4.1.2.8.112.100.110.115.45.114.101.99.1 = STRING: "Fatal: Unable to generate local temporary file in directory '/var/run/pdns-recursor': Permission denied"
>      > >
>      > >         A couple of thoughts here. Either
>      > >         - SElinux is doing its magic and blocking - this should be logged in the syslog if so, or
>      > >         - Your SNMP is running with chroot enabled and /var/run/pdns-recursor doesn't exist in the chroot environment
>      > >         - rec_control is trying to generate a tmp file as the snmp user so doesn't have write permission.
>      > >         - Your SNMP daemon is using a temporary file for the rec_control output which it is trying to put in /var/run/pdns-recursor
>      > >
>      > >         Being able to see your snmp daemon configuration would probably help with diagnosing this, so please post it here if possible.
>      > >
>      > >         Steve
>      > >
>      > >
>      > >         --
>      > >         Steve Shipway | Senior Email Systems Administrator
>      > >         Phone: +64 9 302 0515 Fax: +64 9 302 0518
>      > >         Freephone: 0800 SMX SMX (769 769)
>      > >         SMX Limited: Level 10, 19 Victoria Street West,
>     Auckland, New Zealand
>      > >         Web: http://smxemail.com/
>      > >
>      > >         This email has been filtered by SMX. For more information visit http://smxemail.com/
>      > >
>      > >         _______________________________________________
>      > >         Pdns-users mailing list
>      > >         Pdns-users at mailman.powerdns.com
>      > >         https://mailman.powerdns.com/mailman/listinfo/pdns-users
>     ------------------------------
>
>     End of Pdns-users Digest, Vol 204, Issue 10
>     *******************************************
>
>
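
The permissions advice in the quoted pdns-recursor thread (group access with mode 775 instead of rwx for everyone), as an added example that is not part of the original messages: a shell check that flags a world-writable path, a wrong group, or a group without write access. It assumes GNU `stat`; the function name `audit_path` and the scratch directory standing in for `/var/run/pdns-recursor` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): audit a control-socket directory
# for the permissions suggested in the quoted discussion.
# Usage: audit_path PATH EXPECTED_GROUP
# Returns 0 if clean, 1 on any finding, 2 if PATH cannot be read.
audit_path() {
    path=$1
    want_group=$2
    rc=0
    # GNU stat (assumption): %a = octal mode, %G = group name
    info=$(stat -c '%a %G' "$path") || return 2
    mode=${info%% *}
    group=${info#* }
    other=$((mode % 10))         # last octal digit: bits for "other"
    grp=$(( (mode / 10) % 10 ))  # middle digit: bits for the group

    if [ $((other & 2)) -ne 0 ]; then
        echo "FAIL $path: world-writable (mode $mode)"
        rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "FAIL $path: group is $group, expected $want_group"
        rc=1
    fi
    if [ $((grp & 2)) -eq 0 ]; then
        echo "FAIL $path: group has no write access (mode $mode)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK   $path: mode $mode, group $group"
    return "$rc"
}

# Constructed demo on a scratch directory, so nothing on the host changes.
demo=$(mktemp -d)
demo_group=$(stat -c %G "$demo")
chmod 777 "$demo"; audit_path "$demo" "$demo_group" || true  # rwx for all
chmod 775 "$demo"; audit_path "$demo" "$demo_group" || true  # thread's advice
chmod 755 "$demo"; audit_path "$demo" "$demo_group" || true  # out-of-box mode
rm -rf "$demo"
```

On a real host the call would be `audit_path /var/run/pdns-recursor snmp` (or `Debian-snmp`), repeated for the control socket inside it.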

