[Pdns-users] Pdns-users Digest, Vol 204, Issue 10
Thomas Mieslinger
miesi at mail.com
Tue Jan 14 12:57:55 UTC 2020
We've set up pdns "hidden slaves" which get notified by Windows DNS Servers.
Windows DNS admins need to configure the equivalent of ALSO-NOTIFY and
allow transfers from "hidden slaves".
pdns hidden slaves write AXFRs in Database.
Database replication transports DNS data to authoritative pdns servers.
pdns_recursor forward zone points to authoritative pdns Servers instead
of Windows DNS.
Cheers Thomas
P.S.: The term "hidden slaves" does not exist in any RFC to the best of
my knowledge, but I have nothing better. Suggestions welcome.
On 11.01.20 17:51, Satya Sharma wrote:
> Hi,
>
> I want to make interface with Windows DNS and PowerDNS any best practice
> and way to do that.
>
> On Sat, 11 Jan 2020 at 5:30 PM, <pdns-users-request at mailman.powerdns.com> wrote:
>
> Today's Topics:
>
> 1. Re: pdns-recursor Permissions Error (Sharone)
> 2. Re: pdns-recursor Permissions Error (Steve Shipway)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 10 Jan 2020 16:32:43 +0300
> From: Sharone <missakiiki at gmail.com>
> To: Brian Candler <b.candler at pobox.com>
> Cc: Otto Moerbeek <otto.moerbeek at open-xchange.com>,
> pdns-users at mailman.powerdns.com
> Subject: Re: [Pdns-users] pdns-recursor Permissions Error
> Message-ID: <CACMzb4dGtzN=Xo8NxscaJDpKnxpSGmqZ=h9=NxR_BX0JvUU4Tg at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Thank you all for the generous and tremendous support.
> I have traffic on Cacti from my recursive servers now.
> Have a lovely weekend.
>
> Regards,
> Sharone
>
>
> On Fri, 10 Jan 2020 at 14:30, Brian Candler <b.candler at pobox.com> wrote:
>
> > On 10/01/2020 11:07, Sharone wrote:
> >
> > I have attempted to comment out the line *extend pdns-rec
> > /usr/local/bin/pdns_stats* in snmpd.conf file and still gotten the same
> > error, however changing permissions to the entire directory to rwx worked
> > but like you mentioned this indeed brings about a security issue.
> >
> > Oh well, if that works, you just do tighter permissions - e.g. changing
> > the directory *group* to "snmp" or "Debian-snmp" as appropriate, and
> > setting mode 775.
> >
> > This is what out-of-box recursor has:
> >
> > root at cache1:~# ls -ld /var/run/pdns-recursor
> > drwxr-xr-x 2 pdns pdns 60 Dec 12 12:49 /var/run/pdns-recursor
> >
> > root at cache1:~# ls -l /var/run/pdns-recursor/
> > total 0
> > srwxr-xr-x 1 pdns pdns 0 Dec 12 12:49 pdns_recursor.controlsocket
> >
> > Using pdns:snmp and mode 775 should be fine.
> >
> > See also the perms for the socket itself:
> >
> > https://docs.powerdns.com/recursor/settings.html#socket-owner-socket-group-socket-mode
> >
> > HTH,
> >
> > Brian.
> >
> ------------------------------
>
> Message: 2
> Date: Sat, 11 Jan 2020 20:53:08 +1300 (NZDT)
> From: Steve Shipway <steve.shipway at smxemail.com>
> To: Sharone <missakiiki at gmail.com>
> Cc: pdns-users at mailman.powerdns.com
> Subject: Re: [Pdns-users] pdns-recursor Permissions Error
> Message-ID: <352284712.7331.1578729188516 at webmail.nz.smxemail.com>
> Content-Type: text/plain; charset="utf-8"
>
> From what I can see, your snmpd system will run
> /usr/local/bin/pdns_stats as the snmpd user. This user does not have
> write permission to the /var/run/pdns-recursor directory and so you
> get the error.
> You could either make the /var/run/pdns-recursor mode 775 and group
> snmpd; or maybe add the snmpd user to the pdns group and make the
> directory mode 775. Note that you also need to have the same mode
> and ownership on the socket.
> Hope this helps, sorry for the slow reply have been very busy
> Steve
>
>
> > On 09 January 2020 at 18:24 Sharone <missakiiki at gmail.com> wrote:
> >
> > Hello Steve,
> >
> > I appreciate your response. Below is what is inside /etc/snmp/snmpd.conf file
> >
> > rocommunity public
> > syslocation "Data Center"
> > syscontact admin at techs.co.ug
> > createUser admin SHA admin123! AES admin123!
> > rouser admin authPriv
> > extend pdns-rec /usr/local/bin/pdns_stats
> > agentAddress udp:161,udp6:[::1]:161
> >
> > /etc/default/snmpd
> >
> > # This file controls the activity of snmpd
> >
> > # Don't load any MIBs by default.
> > # You might comment this lines once you have the MIBs downloaded.
> > export MIBS=
> >
> > # snmpd control (yes means start daemon).
> > SNMPDRUN=yes
> >
> > # snmpd options (use syslog, close stdin/out/err).
> > SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -g snmp -I -smux,mteTrigger,mteTriggerConf -p /run/snmpd.pid'
> >
> > snmp service status
> >
> > # systemctl status snmpd.service
> > ● snmpd.service - LSB: SNMP agents
> > Loaded: loaded (/etc/init.d/snmpd; bad; vendor preset: enabled)
> > Active: active (running) since Thu 2020-01-09 08:24:04 EAT; 4s ago
> > Docs: man:systemd-sysv-generator(8)
> > Process: 694 ExecStop=/etc/init.d/snmpd stop (code=exited, status=0/SUCCESS)
> > Process: 703 ExecStart=/etc/init.d/snmpd start (code=exited, status=0/SUCCESS)
> > Tasks: 1
> > Memory: 4.3M
> > CPU: 66ms
> > CGroup: /system.slice/snmpd.service
> > └─710 /usr/sbin/snmpd -Lsd -Lf /dev/null -u snmp -g snmp -I -smux mteTrigger mteTriggerConf -p /run/snmpd.pid
> >
> > Jan 09 08:24:04 vdns-50 systemd[1]: Starting LSB: SNMP agents...
> > Jan 09 08:24:04 vdns-50 snmpd[703]: * Starting SNMP services:
> > Jan 09 08:24:04 vdns-50 systemd[1]: Started LSB: SNMP agents.
> > Jan 09 08:24:04 vdns-50 snmpd[710]: NET-SNMP version 5.7.3
> >
> > Regards,
> > Sharone
> >
> >
> > On Wed, 8 Jan 2020 at 22:35, Steve Shipway <steve.shipway at smxemail.com> wrote:
> >
> > > > On Wed, 2020-01-08 at 09:20 +0300, Sharone wrote:
> > >
> > > > > > # snmpwalk -v2c -c public localhost .1.3.6.1.4.1.8072.1.3.2.4.1.2
> > > > > > iso.3.6.1.4.1.8072.1.3.2.4.1.2.8.112.100.110.115.45.114.101.99.1 = STRING: "Fatal: Unable to generate local temporary file in directory '/var/run/pdns-recursor': Permission denied"
> > > >
> > > > > >
> > > A couple of thoughts here. Either
> > > - SElinux is doing its magic and blocking - this should be logged in the syslog if so, or
> > > - Your SNMP is running with chroot enabled and /var/run/pdns-recursor doesn't exist in the chroot environment
> > > - rec_control is trying to generate a tmp file as the snmp user so doesn't have write permission.
> > > - Your SNMP daemon is using a temporary file for the rec_control output which it is trying to put in /var/run/pdns-recursor
> > >
> > > Being able to see your snmp daemon configuration would probably help with diagnosing this, so please post it here if possible.
> > >
> > > Steve
> > >
> > >
> > > --
> > > Steve Shipway | Senior Email Systems Administrator
> > > Phone: +64 9 302 0515 Fax: +64 9 302 0518
> > > Freephone: 0800 SMX SMX (769 769)
> > > SMX Limited: Level 10, 19 Victoria Street West, Auckland, New Zealand
> > > Web: http://smxemail.com/
> > > _______________________________________________
> > > Pdns-users mailing list
> > > Pdns-users at mailman.powerdns.com
> > > https://mailman.powerdns.com/mailman/listinfo/pdns-users
> --
> Sent from Gmail Mobile
>
>
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
>
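
The permission advice in the quoted pdns-recursor thread (give the SNMP user's group write access to /var/run/pdns-recursor and its socket with mode 775, instead of opening the directory to everyone) written as an audit check. This is an added example, not part of any poster's message; the function name and finding labels are made up here, and it assumes GNU stat on Linux.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a control-socket directory (or
# the socket itself) against the advice in the thread: the monitoring group
# gets write access, "other" gets none. Requires GNU stat (Linux).
#
# audit_ctl_path PATH EXPECTED_GROUP
#   prints one finding per line; returns 0 if clean, 1 otherwise.
audit_ctl_path() {
    path=$1
    want_group=$2
    rc=0

    if [ ! -e "$path" ]; then
        echo "MISSING $path"
        return 1
    fi

    mode=$(stat -c '%a' "$path")    # octal permission bits, e.g. 775
    group=$(stat -c '%G' "$path")   # owning group name

    # Prefix 0 so the shell parses the mode as octal before masking bits.
    if [ $(( 0$mode & 0002 )) -ne 0 ]; then
        echo "WORLD_WRITABLE $path (mode $mode)"
        rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "GROUP_MISMATCH $path (group $group, expected $want_group)"
        rc=1
    fi
    if [ $(( 0$mode & 0020 )) -eq 0 ]; then
        echo "GROUP_NOT_WRITABLE $path (mode $mode)"
        rc=1
    fi
    return $rc
}

# Stand-alone use: ./audit.sh /var/run/pdns-recursor snmp
if [ "$#" -eq 2 ]; then
    audit_ctl_path "$1" "$2"
fi
```

Run it once for the directory and once for pdns_recursor.controlsocket, since the thread notes the socket needs the same mode and ownership.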