[Pdns-users] DnsDist and secondary pdns auth

Alessandro Caselli alessandro.caselli at gmail.com
Tue Apr 18 14:46:41 UTC 2023


Hello,

I'm trying to install an infrastructure with a dnsdist frontend and a 
pdns authoritative backend, and I have a problem with the secondary zones. 
Please note that this environment could be used as a secondary server for 
some zones and as a primary server for other zones.

I've already activated ECS EDNS on both pdns and dnsdist, and I can see 
the source IP on the backend, but pdns seems to ignore it. Am I missing 
some settings?

--

Test Environment

dnsdist and pdns-auth are on the same server on different ports (in a 
real environment these should be separated, but I think the problem would 
be the same).

dnsdist: 10.0.0.1 port 53

pdns-auth: 10.0.0.1 port 5301

External primary server: server1 192.168.1.1 (in a real environment this 
could be out of my control)

- Relevant config on dnsdist:

newServer({address="127.0.0.1:5301", useClientSubnet=true, setECSSourcePrefixV4(32), name="be1", pool={"primary", "otherpool"}})
addAction(AllRule(), ECSPrefixLengthAction(32))
addAction(OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), SetSkipCacheAction())
addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("192.168.1.1"))}), RCodeAction(DNSRCode.REFUSED))
addAction(OrRule({QTypeRule(DNSQType.SOA), QTypeRule(DNSQType.AXFR), OpcodeRule(DNSOpcode.Notify), QTypeRule(DNSQType.IXFR)}), PoolAction("primary"))
addAction(OpcodeRule(DNSOpcode.Notify), SetSkipCacheAction())

- Relevant config on pdns:

allow-axfr-ips=192.168.1.1
allow-dnsupdate-from=192.168.1.1
allow-notify-from=192.168.1.1/32,127.0.0.1,192.168.1.1
edns-subnet-processing=yes
autosecondary=yes
secondary=yes

On the pdns log I can see the source address:

Apr 18 14:22:11 mydnsserver pdns_server[2315325]: Received NOTIFY for 
testslavezone.com from 127.0.0.1<-192.168.1.1/32

The problem is that the source address seems ignored by pdns.

When the master address of the zone is:

+-------------------+--------------+-------+
| name              | master       | type  |
+-------------------+--------------+-------+
| provaslavedns.com | 192.168.1.1  | SLAVE |
+-------------------+--------------+-------+

In the log I can see:

Apr 18 14:22:11 mydnsserver  pdns_server[2315325]: Received NOTIFY for 
testslavezone.com from 127.0.0.1<-192.168.1.1/32
Apr 18 14:22:11 mydnsserver  pdns_server[2315325]: Received NOTIFY for 
testslavezone.com from 127.0.0.1<-192.168.1.1/32 which is not a master 
(Refused)


I've also tried with the CIDR on the master:

+-------------------+-----------------+-------+
| name              | master          | type  |
+-------------------+-----------------+-------+
| provaslavedns.com | 192.168.1.1/32  | SLAVE |
+-------------------+-----------------+-------+

but it doesn't seem supported:

Apr 18 14:29:31 mydnsserver  pdns_server[2315325]: Received NOTIFY for 
testslavezone.com  from 127.0.0.1<-192.168.1.1/32
Apr 18 14:29:31 mydnsserver  pdns_server[2315325]: Backend reported 
permanent error which prevented lookup (Unable to convert presentation 
address '192.168.1.1/32'), aborting


When the zone is configured with both the master and localhost as master 
addresses:

+-------------------+-------------------------+-------+
| name              | master                  | type  |
+-------------------+-------------------------+-------+
| provaslavedns.com | 192.168.1.1, 127.0.0.1  | SLAVE |
+-------------------+-------------------------+-------+

The zone doesn't refresh after a notification:

Apr 18 14:38:26 mydnsserver  pdns_server[2326542]: Received NOTIFY for 
testslavezone.com  from 127.0.0.1<-192.168.1.1/32
Apr 18 14:38:26 mydnsserver  pdns_server[2326542]: Received NOTIFY for 
testslavezone.com  from 127.0.0.1<-192.168.1.1/32 - queueing check
Apr 18 14:38:27 mydnsserver  pdns_server[2326542]: Got NOTIFY for 
testslavezone.com, going to check SOA serial
Apr 18 14:38:27 mydnsserver  pdns_server[2326542]: 1 slave domain needs 
checking, 0 queued for AXFR
Apr 18 14:38:27 mydnsserver  pdns_server[2326542]: Received serial 
number updates for 1 zone
Apr 18 14:38:27 mydnsserver  pdns_server[2326542]: Domain 
'testslavezone.com' is fresh (no DNSSEC), serial is 14 (checked master 
127.0.0.1)


The updated serial is 15:

root at mydnsserver:~# dig testslavezone.com SOA @192.168.1.1 +short
mymaster.mydns.com. hostmaster.mydns.com. 15 86400 7200 2592000 86400
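As an added example (not from the original post or from PowerDNS), a small Python helper that parses pdns_server NOTIFY and freshness lines in the shape quoted above and flags the two conditions visible in them: a NOTIFY refused because pdns matched the transport source (not the ECS-carried client address) against the zone's masters, and a freshness check addressed to the proxy address rather than an upstream primary. The log sample is constructed from the quoted lines; `analyse` and its `proxies` parameter are names chosen here.

```python
"""Flag proxy-related NOTIFY/freshness problems in pdns_server logs (added example)."""
import re
from typing import List, Set

# Constructed sample, modelled on the pdns_server lines quoted in the post.
SAMPLE_LOG = """\
Apr 18 14:22:11 mydnsserver pdns_server[2315325]: Received NOTIFY for testslavezone.com from 127.0.0.1<-192.168.1.1/32
Apr 18 14:22:11 mydnsserver pdns_server[2315325]: Received NOTIFY for testslavezone.com from 127.0.0.1<-192.168.1.1/32 which is not a master (Refused)
Apr 18 14:38:26 mydnsserver pdns_server[2326542]: Received NOTIFY for testslavezone.com from 127.0.0.1<-192.168.1.1/32 - queueing check
Apr 18 14:38:27 mydnsserver pdns_server[2326542]: Domain 'testslavezone.com' is fresh (no DNSSEC), serial is 14 (checked master 127.0.0.1)
"""

IP = r"[0-9A-Fa-f.:]+"
# "from <transport source><-<ECS client address>/<prefix>"; the ECS part is optional.
NOTIFY_RE = re.compile(
    rf"Received NOTIFY for (?P<zone>\S+) from (?P<src>{IP})(?:<-(?P<ecs>{IP})/\d+)?(?P<tail>.*)$")
FRESH_RE = re.compile(
    rf"Domain '(?P<zone>\S+)' is fresh .*serial is (?P<serial>\d+) \(checked master (?P<master>{IP})\)")


def analyse(log: str, proxies: Set[str]) -> List[str]:
    """Return one finding per suspicious log line.

    proxies: addresses of forwarding frontends in front of this secondary
             (the dnsdist instance at 127.0.0.1 in the post's setup).
    """
    findings: List[str] = []
    for line in log.splitlines():
        m = NOTIFY_RE.search(line)
        if m:
            zone, src, ecs, tail = m.group("zone", "src", "ecs", "tail")
            if "not a master" in tail:
                # pdns compared the transport source, not the ECS client, with the masters.
                findings.append(f"{zone}: NOTIFY refused; transport source {src} is not a configured master"
                                + (f" (ECS carried {ecs})" if ecs else ""))
            elif "queueing check" in tail and ecs and ecs != src and src in proxies:
                # Accepted only because the proxy itself is listed as a master; the
                # real sender {ecs} was never what pdns checked.
                findings.append(f"{zone}: NOTIFY from {ecs} accepted via proxy {src} listed as master")
            continue
        m = FRESH_RE.search(line)
        if m and m.group("master") in proxies:
            # The SOA check went to the frontend, not to the upstream primary.
            findings.append(f"{m.group('zone')}: freshness check sent to proxy {m.group('master')}, "
                            f"serial {m.group('serial')} is the proxy's answer, not the primary's")
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG, {"127.0.0.1"}):
        print(f)
```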