[Pdns-users] DnsDist and secondary pdns auth

Alessandro Caselli alessandro.caselli at gmail.com
Thu Apr 27 07:26:33 UTC 2023


I've not been able to resolve this issue; however, I've resolved it by 
switching to the proxy protocol instead of EDNS:

https://dnsdist.org/advanced/passing-source-address.html


On 19/04/2023 12:17, Alessandro Caselli wrote:
>
> In this specific test environment pdns and dnsdist are in the 
> same VM and are running a slave zone.
>
> The problem is not the AXFR request, which works regularly.
>
> The problem arises when the master (192.168.1.1) sends a NOTIFY which is 
> received by dnsdist (10.0.0.1:53) and forwarded to pdns on the same 
> machine (127.0.0.1:5301, but the behaviour is the same if I use the real 
> IP instead of localhost): pdns doesn't request the AXFR from the source 
> (192.168.1.1) but from the dnsdist address (127.0.0.1:53 or 10.0.0.1:53, 
> depending on dnsdist's configuration).
>
> In the log of the slave pdns you can see it is checking the dnsdist 
> address, not the master address:
>
> Apr 19 10:07:09 mydnsserver pdns_server[2531686]: Received NOTIFY for 
> testslavezone.com from 10.0.0.1<-192.168.1.1/32
> Apr 19 10:07:09 mydnsserver pdns_server[2531686]: Received NOTIFY for 
> testslavezone.com from 10.0.0.1<-192.168.1.1/32 - queueing check
> Apr 19 10:07:09 mydnsserver pdns_server[2531686]: Got NOTIFY for 
> provaslavedns.com, going to check SOA serial
> Apr 19 10:07:09 mydnsserver pdns_server[2531686]: 1 slave domain needs 
> checking, 0 queued for AXFR
> Apr 19 10:07:09 mydnsserver pdns_server[2531686]: Received serial 
> number updates for 1 zone
> Apr 19 10:07:09 mydnsserver pdns_server[2531686]: Domain 
> 'testslavezone.com' is fresh (no DNSSEC), serial is 14 (checked master 
> 10.0.0.1)
>
>
> If I remove the IP 10.0.0.1 from the IPs which are masters for the 
> domain, the NOTIFY is refused:
>
> Apr 19 10:15:00 mydnsserver pdns_server[2531686]: Received NOTIFY for 
> provaslavedns.com from 10.0.0.1<-192.168.1.1/32
> Apr 19 10:15:00 mydnsserver pdns_server[2531686]: Received NOTIFY for 
> provaslavedns.com from 10.0.0.1<-192.168.1.1/32 which is not a master 
> (Refused)
>
>
> So it seems that pdns ignores the EDNS source IP received from dnsdist.
>
>
>
>
> On 19/04/2023 07:24, Andrey Vishnyakov wrote:
>> Hi Badli,
>>
>> dnsdist does NAT on the traffic passing through it, so the source IP is 
>> changed. You should use allow-axfr-ips=10.0.0.1 on PDNS.
>>
>> Best regards,
>> Andrey
>>
>> On 19 Apr 2023, at 02:15, Badli Al Rashid via Pdns-users 
>> <pdns-users at mailman.powerdns.com> wrote:
>>
>> 
>> Hi All,
>>
>> For bind9 as primary, I solved it by entering the option allow-axfr-ips. 
>> When I checked, the primary replicated to the secondary PowerDNS running 
>> with the bind backend.
>>
>> Now I'm left with primary PowerDNS to secondary bind9, with "NO AUTH" 
>> in the logs.
>>
>> Regards,
>> -badli
>>
>> ------------------------------------------------------------------------
>> *From:* Pdns-users <pdns-users-bounces at mailman.powerdns.com> on 
>> behalf of Alessandro Caselli via Pdns-users 
>> <pdns-users at mailman.powerdns.com>
>> *Sent:* Tuesday, April 18, 2023, 22:46
>> *To:* pdns-users at mailman.powerdns.com <pdns-users at mailman.powerdns.com>
>> *Subject:* [Pdns-users] DnsDist and secondary pdns auth
>>
>> Hello,
>>
>> I'm trying to set up an infrastructure with a dnsdist frontend and a
>> pdns authoritative backend, and I have a problem with the secondary zones.
>> Please note that this environment could be used as a secondary server for
>> some zones and as a primary server for other zones.
>>
>> I've already activated EDNS ECS on both pdns and dnsdist, and I can see
>> the source IP on the backend, but pdns seems to ignore it. Am I missing
>> some settings?
>>
>> --
>>
>> Test Environment
>>
>> dnsdist and pdns-auth are on the same server on different ports (in a
>> real environment these would be separated, but I think the problem would
>> be the same).
>>
>> dnsdist: 10.0.0.1 port 53
>>
>> pdns-auth: 10.0.0.1 port 5301
>>
>> External primary server: server1 192.168.1.1 (in a real environment this
>> could be out of my control)
>>
>> - Relevant config on dnsdist:
>>
>> -- backend: the pdns auth; useClientSubnet adds the client address as ECS
>> newServer({address="127.0.0.1:5301", useClientSubnet=true, name="be1",
>>            pool={"primary", "otherpool"}})
>> -- ECS source prefix length for IPv4 clients (a global setting, not a
>> -- newServer option)
>> setECSSourcePrefixV4(32)
>> addAction(AllRule(), ECSPrefixLengthAction(32))
>> -- never answer zone transfers from the cache
>> addAction(OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}),
>>           SetSkipCacheAction())
>> -- refuse NOTIFYs that do not come from the external primary
>> addAction(AndRule({OpcodeRule(DNSOpcode.Notify),
>>                    NotRule(makeRule("192.168.1.1"))}),
>>           RCodeAction(DNSRCode.REFUSED))
>> -- route SOA, AXFR, IXFR and NOTIFY to the "primary" pool
>> addAction(OrRule({QTypeRule(DNSQType.SOA), QTypeRule(DNSQType.AXFR),
>>                   OpcodeRule(DNSOpcode.Notify), QTypeRule(DNSQType.IXFR)}),
>>           PoolAction("primary"))
>> addAction(OpcodeRule(DNSOpcode.Notify), SetSkipCacheAction())
>>
>> - Relevant config on pdns:
>>
>> allow-axfr-ips=192.168.1.1
>> allow-dnsupdate-from=192.168.1.1
>> allow-notify-from=192.168.1.1/32,127.0.0.1,192.168.1.1
>> edns-subnet-processing=yes
>> autosecondary=yes
>> secondary=yes
>>
>>
>>
>>
>> On the pdns log I can see the source address:
>>
>> Apr 18 14:22:11 mydnsserver pdns_server[2315325]: Received NOTIFY for
>> testslavezone.com from 127.0.0.1<-192.168.1.1/32
>>
>> The problem is that the source address seems ignored by pdns.
>>
>> When the master address of the zone is
>>
>> +-------------------+--------------+-------+
>> | name              | master       | type  |
>> +-------------------+--------------+-------+
>> | provaslavedns.com | 192.168.1.1  | SLAVE |
>> +-------------------+--------------+-------+
>>
>> In the log I can see:
>>
>> Apr 18 14:22:11 mydnsserver  pdns_server[2315325]: Received NOTIFY for
>> testslavezone.com from 127.0.0.1<-192.168.1.1/32
>> Apr 18 14:22:11 mydnsserver  pdns_server[2315325]: Received NOTIFY for
>> testslavezone.com from 127.0.0.1<-192.168.1.1/32 which is not a master
>> (Refused)
>>
>>
>> I've also tried with a CIDR as the master:
>>
>> +-------------------+-----------------+-------+
>> | name              | master          | type  |
>> +-------------------+-----------------+-------+
>> | provaslavedns.com | 192.168.1.1/32  | SLAVE |
>> +-------------------+-----------------+-------+
>>
>> but it doesn't seem to be supported:
>>
>> Apr 18 14:29:31 mydnsserver  pdns_server[2315325]: Received NOTIFY for
>> testslavezone.com  from 127.0.0.1<-192.168.1.1/32
>> Apr 18 14:29:31 mydnsserver  pdns_server[2315325]: Backend reported
>> permanent error which prevented lookup (Unable to convert presentation
>> address '192.168.1.1/32'), aborting
>>
>>
>> When the zone is configured with both the master and localhost as master
>> addresses:
>>
>> +-------------------+-------------------------+-------+
>> | name              | master                  | type  |
>> +-------------------+-------------------------+-------+
>> | provaslavedns.com | 192.168.1.1, 127.0.0.1  | SLAVE |
>> +-------------------+-------------------------+-------+
>>
>> The zone doesn't refresh after a notification:
>>
>> Apr 18 14:38:26 mydnsserver  pdns_server[2326542]: Received NOTIFY for
>> testslavezone.com  from 127.0.0.1<-192.168.1.1/32
>> Apr 18 14:38:26 mydnsserver  pdns_server[2326542]: Received NOTIFY for
>> testslavezone.com  from 127.0.0.1<-192.168.1.1/32 - queueing check
>> Apr 18 14:38:27 mydnsserver  pdns_server[2326542]: Got NOTIFY for
>> testslavezone.com, going to check SOA serial
>> Apr 18 14:38:27 mydnsserver  pdns_server[2326542]: 1 slave domain needs
>> checking, 0 queued for AXFR
>> Apr 18 14:38:27 mydnsserver  pdns_server[2326542]: Received serial
>> number updates for 1 zone
>> Apr 18 14:38:27 mydnsserver  pdns_server[2326542]: Domain
>> 'testslavezone.com' is fresh (no DNSSEC), serial is 14 (checked master
>> 127.0.0.1)
>>
>>
>> The updated serial is 15:
>>
>> root@mydnsserver:~# dig testslavezone.com SOA @192.168.1.1 +short
>> mymaster.mydns.com. hostmaster.mydns.com. 15 86400 7200 2592000 86400
>>
>>
>> _______________________________________________
>> Pdns-users mailing list
>> Pdns-users at mailman.powerdns.com
>> https://mailman.powerdns.com/mailman/listinfo/pdns-users
>>
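The switch to the proxy protocol works because of where the secondary takes the address it compares with the zone's masters. The Python below is an added example, not code from PowerDNS, dnsdist or anyone in this thread: it builds the NOTIFY as it reaches the backend in both modes and runs it through a toy model of the secondary's check. With EDNS Client Subnet the option is only an annotation, and the transport peer (dnsdist's 10.0.0.1) is what gets matched, which is the "not a master (Refused)" and "checked master 10.0.0.1" behaviour in the logs above. With a PROXY protocol v2 header, which dnsdist prepends for a backend declared with `useProxyProtocol=true` and which the Authoritative Server accepts from the addresses listed in its `proxy-protocol-from` setting, the original source 192.168.1.1 is what gets matched. The packets are constructed inline, the addresses and zone name are the thread's, and the model's result strings mimic pdns' log wording without being its code.

```python
"""Added example; not code from PowerDNS, dnsdist or the thread's authors.

A NOTIFY relayed by dnsdist reaches the secondary from dnsdist's own address.
An EDNS Client Subnet option (what dnsdist adds with useClientSubnet=true)
only annotates the packet; the secondary still matches the transport peer
against the zone's masters. A PROXY protocol v2 header (what dnsdist prepends
with useProxyProtocol=true) replaces the peer address, provided the secondary
trusts the peer for it. secondary_notify() is a toy model, not pdns code.
"""
from __future__ import annotations

import ipaddress
import struct

PROXY_V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte signature from the PROXY spec


def _wire_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_notify(zone: str, ecs: str | None = None) -> bytes:
    """NOTIFY (opcode 4, AA set) with an SOA question; optionally an OPT RR
    carrying an ECS option (code 8) for a single IPv4 /32 source."""
    flags = (4 << 11) | (1 << 10)
    pkt = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 1 if ecs else 0)
    pkt += _wire_name(zone) + struct.pack("!HH", 6, 1)  # QTYPE SOA, QCLASS IN
    if ecs:
        opt_data = struct.pack("!HBB", 1, 32, 0) + ipaddress.IPv4Address(ecs).packed
        option = struct.pack("!HH", 8, len(opt_data)) + opt_data
        # OPT RR: root name, TYPE 41, UDP size 1232, ext-rcode/version/flags 0, RDLEN
        pkt += b"\x00" + struct.pack("!HHIH", 41, 1232, 0, len(option)) + option
    return pkt


def ecs_source(datagram: bytes) -> str | None:
    """'a.b.c.d/len' from an ECS option, for the layout build_notify emits
    (one question, the OPT RR as the only additional record), else None."""
    if struct.unpack("!H", datagram[10:12])[0] == 0:  # ARCOUNT
        return None
    pos = 12
    while datagram[pos]:  # skip the question name label by label
        pos += datagram[pos] + 1
    pos += 5  # name terminator + QTYPE + QCLASS
    if datagram[pos:pos + 3] != b"\x00\x00\x29":  # root name, TYPE 41
        return None
    rdlen = struct.unpack("!H", datagram[pos + 9:pos + 11])[0]
    rdata, p = datagram[pos + 11:pos + 11 + rdlen], 0
    while p + 4 <= len(rdata):
        code, olen = struct.unpack("!HH", rdata[p:p + 4])
        if code == 8:
            family, srclen, _scope = struct.unpack("!HBB", rdata[p + 4:p + 8])
            if family == 1:  # IPv4; the address may be truncated to the prefix
                addr = rdata[p + 8:p + 4 + olen].ljust(4, b"\x00")
                return f"{ipaddress.IPv4Address(addr)}/{srclen}"
        p += 4 + olen
    return None


def build_proxy_v2(src: str, sport: int, dst: str, dport: int) -> bytes:
    """PROXY v2 header for UDP over IPv4: signature, version 2 + command PROXY
    (0x21), AF_INET + DGRAM (0x12), body length, src/dst address, src/dst port."""
    body = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    body += struct.pack("!HH", sport, dport)
    return PROXY_V2_SIG + bytes([0x21, 0x12]) + struct.pack("!H", len(body)) + body


def parse_proxy_v2(data: bytes) -> tuple[str, int, str, int, bytes]:
    """Strip a PROXY v2 header; returns (src, sport, dst, dport, payload)."""
    if not data.startswith(PROXY_V2_SIG):
        raise ValueError("no PROXY v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd != 0x21:
        raise ValueError("expected version 2, command PROXY")
    if fam_proto >> 4 != 1 or length < 12 or len(data) < 16 + length:
        raise ValueError("only a complete AF_INET header is handled here")
    body = data[16:16 + length]
    sport, dport = struct.unpack("!HH", body[8:12])
    return (str(ipaddress.IPv4Address(body[0:4])), sport,
            str(ipaddress.IPv4Address(body[4:8])), dport, data[16 + length:])


def secondary_notify(peer: str, datagram: bytes, masters: set[str],
                     proxy_from: set[str]) -> str:
    """Toy model of the secondary's NOTIFY check: the address compared with the
    masters is the transport peer, or the PROXY-header source when the peer is
    trusted for it. ECS is reported, as pdns logs it, but never used."""
    checked = peer
    if datagram.startswith(PROXY_V2_SIG):
        if peer not in proxy_from:
            return f"Refused: PROXY header from untrusted peer {peer}"
        checked, _sport, _dst, _dport, datagram = parse_proxy_v2(datagram)
    if (struct.unpack("!H", datagram[2:4])[0] >> 11) & 0xF != 4:
        return "Ignored: not a NOTIFY"
    ecs = ecs_source(datagram)
    seen = f"{checked}<-{ecs}" if ecs else checked
    if checked not in masters:
        return f"Received NOTIFY from {seen} which is not a master (Refused)"
    return f"Received NOTIFY from {seen} - queueing SOA check against master {checked}"
```

The `proxy_from` set is the security-relevant part: a PROXY header is an unauthenticated claim about the source, so the secondary must accept it only from the dnsdist address (that is what `proxy-protocol-from` expresses on the Authoritative Server), and the backend port should not be reachable from anything else, or any host that can reach it can pretend to be the primary.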