On 7/10/2012 1:09 PM, Fred Wittekind wrote:
> On 7/8/2012 8:31 PM, Fred Wittekind wrote:
>> On 07/05/2012 06:00 PM, bert hubert wrote:
>>> On Jul 5, 2012, at 8:18 PM, Fred Wittekind wrote:
>>>> Then I got this error when trying to start nproxy (IP address
>>>> censored):
>>>> nproxy: Fatal: Binding socket for incoming packets to 'a.b.c.d:53':
>>>> Address already in use
>>>>
>>>> Which of course makes sense after seeing it, pdns is already binding
>>>> to the same IP/port.
>>>>
>>>> So, my question is this... Can the functionality of nproxy be
>>>> rolled into pdns so that pdns itself can forward the notify to
>>>> another instance of pdns (on the master server), or can nproxy and
>>>> pdns be made to work on the same IP? I looked into trying to see
>>>> if I could get iptables to split out the notify messages to a
>>>> different destination IP so I could put nproxy on a different IP
>>>> than pdns, but I didn't figure out a good (reliable) way to do this.
>>> Interesting. The original use case was where the outside world would
>>> never be talking to that master, or at least not taking the
>>> initiative to do so. So the outside world would think the nproxy IP
>>> address was the slave, and nproxy would then relay that to the real
>>> slave, which would reach out over TCP to make it happen. I think some
>>> NAT trick is used to make sure that the outgoing traffic appears as
>>> the address that was notified.
>>>
>>> If you want to have this integrated, what exactly is your use case?
>>> Better protection for the hidden master?
>>>
>>> Please don't get me wrong, I get the impression what you want is
>>> reasonable, but I can't quite wrap my head around your exact
>>> requirements.
>>>
>>> Please let us know!
>>>
>>> Bert
>>> PowerDNS
>>>
>>>
>> What we are trying to do is have what we call NSMS, which is a server
>> that sits behind our firewall, and is the MySQL master db server.
>> Then we are going to have 3 name servers on public IPs that will be
>> MySQL slaves of NSMS (what PDNS calls native replication I think). We
>> would then have some type of web interface managing the DNS records on
>> NSMS. This setup covers the need of 90+% of the domains we host.
>>
>> We have a small handful of domains that we slave from one of our
>> clients' servers. The 3 name servers we would have on public IPs
>> would be unable to write to their local MySQL instance, because they
>> are MySQL slaves, so we would need that notify to be passed on to
>> NSMS, which our 3 public name servers can talk to, but our client
>> servers can't.
>>
>> Right now, the clients are configured to send the notify to one of
>> our existing 3 public name servers, and it has a script on it that
>> intercepts that notify and passes it on to the existing NSMS. I would
>> prefer to avoid solutions that require the clients to change their
>> configuration. Our new PDNS based servers are intended to take over
>> the IP addresses of our old name servers.
>>
>> Looks like it would be pretty easy to re-write one of the SQL queries
>> so that the 3 public name servers get back "native" as the replication
>> mode for all domains, including the ones that NSMS actually slaves off
>> a client server. The trick I think is just going to be getting the
>> notify forwarded to NSMS (since it's the only server with MySQL write
>> access).
>>
>> Fred Wittekind
>>
> I've been looking at the code in nproxy, and the code in pdns that tests
> against the trusted-notification-proxy setting, and I see that it tests
> that the notify came from the trusted-notification-proxy, and that it
> tests that the domain the notify is for has a master, but I do not see
> that it checks that the original notify came from the master, or that
> nproxy even passes along that information to pdns.
>
> Am I missing something or am I reading the code correctly? If I am
> reading the code correctly, would it be possible or a good idea for
> nproxy to forward along the IP address it received the notify from, and
> for pdns to check that IP against the master for the zone?
>
> Fred Wittekind
>
Using PDNS 3.1

Need patches from:
http://wiki.powerdns.com/trac/ticket/532
http://wiki.powerdns.com/trac/ticket/534

IP address placeholders:
MySQL Master Server / Hidden PDNS Master: a.a.a.a
Public facing name server IP: b.b.b.b

This config is for the public facing name server:

iptables -A INPUT -d b.b.b.b -p udp --dport 5353 -j ACCEPT
iptables -A INPUT -d b.b.b.b -p udp --dport 53 -j ACCEPT
iptables -t nat -A PREROUTING ! --fragment -m u32 --u32 "0>>22&0x3C@8>>11&0xF=4" -d b.b.b.b -p udp --dport 53 -j DNAT --to-destination :5353
iptables -t nat -A PREROUTING -s a.a.a.a -d b.b.b.b -p udp --dport 53 -j DNAT --to-destination :5353

nproxy --powerdns-address a.a.a.a --listen-address b.b.b.b --listen-port 5353

I'm going to refine the rules a little more so that they include NOTRACK rules, but, as it sits, it does work with connection tracking turned on.

Fred Wittekind
_______________________________________________
Pdns-users mailing list
http://mailman.powerdns.com/mailman/listinfo/pdns-users
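The u32 expression in the PREROUTING rule above is the whole trick: it walks the IPv4 header length, skips the 8-byte UDP header, and pulls the 4-bit DNS opcode out of the flags word so that only NOTIFY (opcode 4, RFC 1996) gets DNATed to nproxy on 5353 while ordinary queries still reach pdns on 53. The script below is an added example (not part of the thread and not PowerDNS code) that evaluates that expression step by step, exactly as the u32 match does, over constructed IPv4/UDP/DNS packets, and cross-checks it against a plain header parse. The addresses are TEST-NET placeholders and the packets are built in the script; the "when the match fails" cases (a query, a truncated datagram, an IP header with options) are the ones you would want to confirm before trusting the rule.

```python
import socket
import struct

DNS_OPCODE_NOTIFY = 4  # RFC 1996 NOTIFY opcode
PORT_PDNS = 53         # where ordinary queries stay
PORT_NPROXY = 5353     # where the DNAT rule sends NOTIFY


def u32_word(pkt, offset):
    """Read a big-endian 32-bit word at byte offset, as iptables u32 does.
    u32 treats a read past the end of the packet as a failed match (None here)."""
    if offset < 0 or offset + 4 > len(pkt):
        return None
    return struct.unpack_from("!I", pkt, offset)[0]


def u32_notify_match(pkt):
    """Evaluate "0>>22&0x3C@8>>11&0xF=4" over an IPv4 packet (offset 0 = IP header)."""
    w = u32_word(pkt, 0)
    if w is None:
        return False
    # Top byte is version|IHL; >>22 leaves version+IHL+2 bits of TOS,
    # &0x3C keeps IHL<<2, i.e. the IP header length in bytes.
    ip_hdr_len = (w >> 22) & 0x3C
    # '@' moves the base to the UDP header; +8 skips it, landing on DNS ID|flags.
    w = u32_word(pkt, ip_hdr_len + 8)
    if w is None:
        return False
    # flags>>11 leaves QR|opcode; &0xF keeps just the 4-bit opcode.
    return ((w >> 11) & 0xF) == DNS_OPCODE_NOTIFY


def dns_opcode(pkt):
    """Reference decode via ordinary parsing, to cross-check the u32 arithmetic."""
    ihl = (pkt[0] & 0x0F) * 4
    flags = struct.unpack_from("!H", pkt, ihl + 8 + 2)[0]
    return (flags >> 11) & 0xF


def destination_port(pkt):
    """Mimic the DNAT decision of the rule: NOTIFY -> nproxy, everything else -> pdns."""
    return PORT_NPROXY if u32_notify_match(pkt) else PORT_PDNS


def build_packet(src, dst, dns_id, flags, ip_options=b""):
    """Constructed IPv4/UDP/DNS datagram with a single SOA question (checksums zeroed)."""
    assert len(ip_options) % 4 == 0, "IP options must pad to a 32-bit boundary"
    labels = b"example.com".split(b".")
    question = b"".join(struct.pack("!B", len(l)) + l for l in labels) + b"\x00"
    question += struct.pack("!HH", 6, 1)  # QTYPE SOA, QCLASS IN
    dns = struct.pack("!HHHHHH", dns_id, flags, 1, 0, 0, 0) + question
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ihl = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(udp),
                     0x1234, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + ip_options
    return ip + udp


# Constructed samples (TEST-NET-1 addresses stand in for a.a.a.a / b.b.b.b).
NOTIFY_FLAGS = (DNS_OPCODE_NOTIFY << 11) | 0x0400   # opcode NOTIFY, AA set
QUERY_FLAGS = 0x0100                                # standard query, RD set
SAMPLE_NOTIFY = build_packet("192.0.2.10", "192.0.2.53", 0x1A2B, NOTIFY_FLAGS)
SAMPLE_QUERY = build_packet("192.0.2.10", "192.0.2.53", 0x1A2C, QUERY_FLAGS)
# Same NOTIFY, but the IP header carries four NOP options (IHL 6 = 24 bytes).
SAMPLE_NOTIFY_OPTS = build_packet("192.0.2.10", "192.0.2.53", 0x1A2D,
                                  NOTIFY_FLAGS, ip_options=b"\x01\x01\x01\x01")
# Datagram cut off before the DNS header: u32 cannot read the flags word.
SAMPLE_TRUNCATED = SAMPLE_NOTIFY[:24]

if __name__ == "__main__":
    for name, pkt in [("notify", SAMPLE_NOTIFY), ("query", SAMPLE_QUERY),
                      ("notify+ipopts", SAMPLE_NOTIFY_OPTS),
                      ("truncated", SAMPLE_TRUNCATED)]:
        print(f"{name:14s} u32 match={u32_notify_match(pkt)!s:5s} -> port {destination_port(pkt)}")
```

The IP-options case is why the expression starts with `0>>22&0x3C@` instead of assuming a 20-byte header: a packet with options would otherwise have its opcode read from the wrong word. The truncated case shows that u32 simply fails to match when the header it needs is absent, which is also why the rule excludes fragments with `! --fragment`.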
