[Pdns-users] DnsDist and secondary pdns auth
Alessandro Caselli
alessandro.caselli at gmail.com
Wed Apr 19 10:17:42 UTC 2023
In this specific test environment the pdns and the dnsdist are in the
same VM and are running a slave zone.
The problem is not the AXFR request, which works regularly.
The problem arises when the master (192.168.1.1) sends a notify which is
received by dnsdist (10.0.0.1:53) and forwarded to pdns on the same
machine (127.0.0.1:5301, but the behavior is the same if I use the real
IP instead of localhost): pdns doesn't request AXFR from the source
(192.168.1.1) but from the dnsdist address (127.0.0.1:53 or 10.0.0.1:53,
depending on the dnsdist's configuration).
On the log of the slave pdns you can see it is checking the dnsdist
address, not the master address:
Apr 19 10:07:09 mydnsserver pdns_server[2531686]: Received NOTIFY for
testslavezone.com from 10.0.0.1<-192.168.1.1/32
Apr 19 10:07:09 mydnsserver pdns_server[2531686]: Received NOTIFY for
testslavezone.com from 10.0.0.1<-192.168.1.1/32 - queueing check
Apr 19 10:07:09 mydnsserver pdns_server[2531686]: Got NOTIFY for
provaslavedns.com, going to check SOA serial
Apr 19 10:07:09 mydnsserver pdns_server[2531686]: 1 slave domain needs
checking, 0 queued for AXFR
Apr 19 10:07:09 mydnsserver pdns_server[2531686]: Received serial number
updates for 1 zone
Apr 19 10:07:09 mydnsserver pdns_server[2531686]: Domain
'testslavezone.com' is fresh (no DNSSEC), serial is 14 (checked master
10.0.0.1)
If I remove the IP 10.0.0.1 from the IPs which are masters for the domain,
the notify is refused:
Apr 19 10:15:00 mydnsserver pdns_server[2531686]: Received NOTIFY for
provaslavedns.com from 10.0.0.1<-192.168.1.1/32
Apr 19 10:15:00 mydnsserver pdns_server[2531686]: Received NOTIFY for
provaslavedns.com from 10.0.0.1<-192.168.1.1/32 which is not a master
(Refused)
So it seems that pdns ignores the EDNS source IP received from dnsdist.
On 19/04/2023 07:24, Andrey Vishnyakov wrote:
> Hi Badli,
>
> Dnsdist makes NAT on passing through traffic, so Source IP is changed.
> You should use allow-axfr-ips=10.0.0.1 on PDNS
>
> Best regards,
> Andrey
>
> On 19 Apr 2023, at 02:15, Badli Al Rashid via Pdns-users
> <pdns-users at mailman.powerdns.com> wrote:
>
>
> Hi All,
>
> For the bind9 as primary solve it by entering option allow-axfr-ips.
> When I check the primary replicated to secondary powerdns running with
> bind backend.
>
> Now left with primary powerdns to secondary bind9 with the "NO AUTH"
> in logs.
>
> Regards,
> -badli
>
> ------------------------------------------------------------------------
> *From:* Pdns-users <pdns-users-bounces at mailman.powerdns.com> on behalf
> of Alessandro Caselli via Pdns-users <pdns-users at mailman.powerdns.com>
> *Sent:* Tuesday, April 18, 2023, 22:46
> *To:* pdns-users at mailman.powerdns.com <pdns-users at mailman.powerdns.com>
> *Subject:* [Pdns-users] DnsDist and secondary pdns auth
>
> Hello,
>
> I'm trying to install an infrastructure with a dnsdist frontend and a
> pdns authoritative backend and I have a problem with the secondary zones.
> Please note that this environment could be used as secondary server for
> some zones and as a primary server for other zones.
>
> I've already activated ECS EDNS on both pdns and dnsdist, and I can see
> the source IP on the backend but pdns seems to ignore it. Am I missing
> some settings?
>
> --
>
> Test Environment
>
> dnsdist and pdns-auth are on the same server on different ports (in a
> real environment these should be separated, but I think the problem would
> be the same).
>
> dnsdist: 10.0.0.1 port 53
>
> pdns-auth: 10.0.0.1 port 5301
>
> External primary server: server1 192.168.1.1 (this in a real environment
> could be out of my control)
>
> - Relevant config on dnsdist:
> newServer({address="127.0.0.1:5301",
> useClientSubnet=true, setECSSourcePrefixV4(32), name="be1",
> pool={"primary", "otherpool"}})
> addAction(AllRule(), ECSPrefixLengthAction(32))
> addAction(OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}),
> SetSkipCacheAction())
> addAction(AndRule({OpcodeRule(DNSOpcode.Notify),
> NotRule(makeRule("192.168.1.1"))}), RCodeAction(DNSRCode.REFUSED))
> addAction(OrRule({QTypeRule(DNSQType.SOA), QTypeRule(DNSQType.AXFR),
> OpcodeRule(DNSOpcode.Notify), QTypeRule(DNSQType.IXFR)}),
> PoolAction("primary"))
> addAction(OpcodeRule(DNSOpcode.Notify), SetSkipCacheAction())
>
> - Relevant config on pdns:
>
> allow-axfr-ips=192.168.1.1
> allow-dnsupdate-from=192.168.1.1
> allow-notify-from=192.168.1.1/32,127.0.0.1,192.168.1.1
> edns-subnet-processing=yes
> autosecondary=yes
> secondary=yes
>
>
>
>
> On the pdns log I can see the source address:
>
> Apr 18 14:22:11 mydnsserver pdns_server[2315325]: Received NOTIFY for
> testslavezone.com from 127.0.0.1<-192.168.1.1/32
>
> The problem is that the source address seems ignored by pdns.
>
> When the master address of the zone is
>
> +-------------------+--------------+-------+
> | name | master | type |
> +-------------------+--------------+-------+
> | provaslavedns.com | 192.168.1.1 | SLAVE |
> +-------------------+--------------+-------+
>
> On the log I can see
>
> Apr 18 14:22:11 mydnsserver pdns_server[2315325]: Received NOTIFY for
> testslavezone.com from 127.0.0.1<-192.168.1.1/32
> Apr 18 14:22:11 mydnsserver pdns_server[2315325]: Received NOTIFY for
> testslavezone.com from 127.0.0.1<-192.168.1.1/32 which is not a master
> (Refused)
>
>
> I've also tried with the CIDR on the master:
>
> +-------------------+-----------------+-------+
> | name | master | type |
> +-------------------+-----------------+-------+
> | provaslavedns.com | 192.168.1.1/32 | SLAVE |
> +-------------------+-----------------+-------+
>
> but it doesn't seem supported:
>
> Apr 18 14:29:31 mydnsserver pdns_server[2315325]: Received NOTIFY for
> testslavezone.com from 127.0.0.1<-192.168.1.1/32
> Apr 18 14:29:31 mydnsserver pdns_server[2315325]: Backend reported
> permanent error which prevented lookup (Unable to convert presentation
> address '192.168.1.1/32'), aborting
>
>
> When the zone is configured with both the master and localhost as master
> addresses:
>
> +-------------------+-------------------------+-------+
> | name | master | type |
> +-------------------+-------------------------+-------+
> | provaslavedns.com | 192.168.1.1, 127.0.0.1 | SLAVE |
> +-------------------+-------------------------+-------+
>
> The zone doesn't refresh after a notification:
>
> Apr 18 14:38:26 mydnsserver pdns_server[2326542]: Received NOTIFY for
> testslavezone.com from 127.0.0.1<-192.168.1.1/32
> Apr 18 14:38:26 mydnsserver pdns_server[2326542]: Received NOTIFY for
> testslavezone.com from 127.0.0.1<-192.168.1.1/32 - queueing check
> Apr 18 14:38:27 mydnsserver pdns_server[2326542]: Got NOTIFY for
> testslavezone.com, going to check SOA serial
> Apr 18 14:38:27 mydnsserver pdns_server[2326542]: 1 slave domain needs
> checking, 0 queued for AXFR
> Apr 18 14:38:27 mydnsserver pdns_server[2326542]: Received serial
> number updates for 1 zone
> Apr 18 14:38:27 mydnsserver pdns_server[2326542]: Domain
> 'testslavezone.com' is fresh (no DNSSEC), serial is 14 (checked master
> 127.0.0.1)
>
>
> The updated serial is 15
>
> root at mydnsserver:~# dig testslavezone.com SOA @192.168.1.1 +short
> mymaster.mydns.com. hostmaster.mydns.com. 15 86400 7200 2592000 86400
>
>
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
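The behaviour reported in this thread is visible in the pdns log alone: the NOTIFY line carries both the address dnsdist used to reach the backend and the ECS-derived origin ("10.0.0.1<-192.168.1.1/32"), while the later freshness line names which address was actually queried for the SOA ("checked master 10.0.0.1"). The following script is an added example, not code from the thread or from the PowerDNS project; it parses those two line formats and reports when a zone's serial was checked against the proxy address rather than the origin carried in the NOTIFY, and when a NOTIFY was refused as coming from a non-master. The sample log lines are constructed from the formats quoted above, with the zone name made consistent; the helper names are this example's own.

```python
"""Audit PowerDNS Authoritative log lines for NOTIFY handling behind dnsdist.

Added example (not code from the thread or from PowerDNS). It recognises
two line formats quoted in the thread:

  Received NOTIFY for <zone> from <proxy><-<ecs>/<len>[ - queueing check |
      which is not a master (Refused)]
  Domain '<zone>' is fresh (...), serial is <n> (checked master <ip>)

and reports (a) NOTIFYs refused because the sender is not a configured
master and (b) freshness checks that queried the proxy address instead of
the origin carried in the EDNS Client Subnet option of the NOTIFY.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# The syslog prefix ("Apr 19 10:07:09 host pdns_server[pid]: ") is skipped
# by searching rather than matching from the start of the line.
NOTIFY_RE = re.compile(
    r"Received NOTIFY for (?P<zone>\S+) from (?P<proxy>[0-9.]+)"
    r"<-(?P<ecs>[0-9.]+)/(?P<plen>\d+)(?P<rest>.*)$"
)
FRESH_RE = re.compile(
    r"Domain '(?P<zone>\S+)' is fresh .*serial is (?P<serial>\d+) "
    r"\(checked master (?P<master>[0-9.]+)\)"
)


@dataclass
class Notify:
    zone: str
    proxy: str      # address dnsdist used towards pdns (127.0.0.1 / 10.0.0.1)
    ecs: str        # real sender, taken from the ECS option
    accepted: bool  # "- queueing check" suffix
    refused: bool   # "which is not a master (Refused)" suffix


def parse_notify(line: str) -> Optional[Notify]:
    """Return the parsed NOTIFY line, or None if the line is something else."""
    m = NOTIFY_RE.search(line)
    if not m:
        return None
    rest = m["rest"]
    return Notify(m["zone"], m["proxy"], m["ecs"],
                  "queueing check" in rest, "not a master" in rest)


Finding = Tuple[str, str, str, str]  # (kind, zone, origin, address checked)


def audit(lines: Iterable[str]) -> List[Finding]:
    """Walk the log in order and correlate each freshness check with the
    origin of the most recently accepted NOTIFY for that zone."""
    findings: List[Finding] = []
    last_origin = {}  # zone -> ECS address of the last accepted NOTIFY
    for line in lines:
        n = parse_notify(line)
        if n is not None:
            if n.refused:
                findings.append(("refused", n.zone, n.ecs, n.proxy))
            elif n.accepted:
                last_origin[n.zone] = n.ecs
            continue  # the bare first NOTIFY line carries no decision
        m = FRESH_RE.search(line)
        if m is not None:
            origin = last_origin.get(m["zone"])
            if origin is not None and m["master"] != origin:
                # The serial was fetched from the proxy, not from the master
                # that sent the NOTIFY, so an updated zone can look "fresh".
                findings.append(("checked_proxy_not_origin", m["zone"],
                                 origin, m["master"]))
    return findings


# Constructed sample, following the line formats quoted in the thread.
SAMPLE_LOG = """\
Apr 19 10:07:09 mydnsserver pdns_server[2531686]: Received NOTIFY for testslavezone.com from 10.0.0.1<-192.168.1.1/32
Apr 19 10:07:09 mydnsserver pdns_server[2531686]: Received NOTIFY for testslavezone.com from 10.0.0.1<-192.168.1.1/32 - queueing check
Apr 19 10:07:09 mydnsserver pdns_server[2531686]: Domain 'testslavezone.com' is fresh (no DNSSEC), serial is 14 (checked master 10.0.0.1)
Apr 19 10:15:00 mydnsserver pdns_server[2531686]: Received NOTIFY for testslavezone.com from 10.0.0.1<-192.168.1.1/32
Apr 19 10:15:00 mydnsserver pdns_server[2531686]: Received NOTIFY for testslavezone.com from 10.0.0.1<-192.168.1.1/32 which is not a master (Refused)
"""

if __name__ == "__main__":
    for kind, zone, origin, checked in audit(SAMPLE_LOG.splitlines()):
        print(f"{kind}: zone={zone} notify-origin={origin} checked={checked}")
```

Run against a live journal (for example `journalctl -u pdns -o cat | python3 audit_notify.py`, reading stdin instead of SAMPLE_LOG) the "checked_proxy_not_origin" finding is the one that matters operationally: it means a NOTIFY was accepted on the strength of the ECS address, but the serial comparison went to the proxy, so the zone will stay stale until the next SOA refresh timer fires.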