Re: [dnsdist] Question about dnsdist, pdns, pdns-recursor problem with AXFR

2019-04-04 Thread Tom Ivar Helbekkmo
angelika rossos  writes:

> I use the latest CentOS version. I have two servers (the IPs below are not
> the real public IPs; I don't want to share the real ones):

First of all, if you seek guidance here, you'd really do a lot better to
share the actual details of your environment.  It makes it so much
easier for us if we a) can be sure that you haven't made mistakes while
hiding information, and b) can simply look up the externally visible
parts of the environment you're describing.

So.  Rémi pointed you towards documentation.  Allow me to show you what
I did to implement what I believe is pretty much what you're attempting.

https://www.hamartun.priv.no/tih/pdns.txt

This is just the primary name server, of course - the secondaries are
outside my control.  They just assume my primary is behaving correctly.

-tih
-- 
Most people who graduate with CS degrees don't understand the significance
of Lisp.  Lisp is the most important idea in computer science.  --Alan Kay
___
dnsdist mailing list
dnsdist@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/dnsdist


Re: [dnsdist] Question about dnsdist, pdns, pdns-recursor problem with AXFR

2019-04-04 Thread angelika rossos
Hello Remi :)

Thank you for your fast reply and time. So I checked your site with:
---
newServer({address="192.168.1.2", name="master", pool={"master", "otherpool"}})
addAction(OrRule({QTypeRule(dnsdist.SOA), QTypeRule(dnsdist.AXFR), QTypeRule(dnsdist.IXFR)}),
          PoolAction("master"))

addAction(AndRule({OrRule({QTypeRule(dnsdist.AXFR), QTypeRule(dnsdist.IXFR)}),
                   NotRule(makeRule("192.168.1.0/24"))}),
          RCodeAction(dnsdist.REFUSED))

addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("192.168.1.0/24"))}),
          RCodeAction(dnsdist.REFUSED))
---

So in my case, which of the above should go to Server 1 (Master) and which to
Server 2 (Slave)?

If my Server 1 (Master) is 193.91.200.10, should I add to Server 1
dnsdist.conf:
---
newServer({address="193.91.200.10", name="master", pool={"master",
"otherpool"}})
addAction(OrRule({QTypeRule(dnsdist.SOA), QTypeRule(dnsdist.AXFR),
QTypeRule(dnsdist.IXFR)}), PoolAction("master"))
---

Should I add the following to my Server 2 (Slave) with 193.91.200.20:
---
addAction(AndRule({OrRule({QTypeRule(dnsdist.AXFR),
QTypeRule(dnsdist.IXFR)}), NotRule(makeRule("193.91.200.20/32"))}),
RCodeAction(dnsdist.REFUSED))
---

Would you be so kind as to look into my case and help me figure it out? I
am smiling at you with very wide open eyes :)

Best regards.
AR

On Thu, 4 Apr 2019 at 12:11, Remi Gacogne wrote:

> Hi Angelika,
>
> I would suggest you read [1] first, it explains the issue you are having
> and some of the options to fix it.
>
> [1]: https://dnsdist.org/advanced/axfr.html
>
> Best regards,
>
> Remi
>
> On 4/3/19 11:40 PM, angelika rossos wrote:
> > Hello!
> >
> > I use the latest CentOS version. I have two servers (the IPs below are not
> > the real public IPs; I don't want to share the real ones):
> >
> > Server 1 - public IP for example 193.91.200.10 - master
> > Server 2 - public IP for example 193.91.200.20 - slave
> >
> > I have installed the latest versions of dnsdist, pdns and pdns-recursor.
> > Below are my configs for dnsdist, pdns and pdns-recursor for both servers.
> >
> > Server 1: dnsdist.conf
> > ---
> > setLocal('193.91.200.10:53')
> > setACL({'0.0.0.0/0', '::/0'})
> >
> > newServer({address='127.0.0.1:5300', pool='auth'})
> > newServer({address='127.0.0.1:5301', pool='recursor'})
> >
> > recursive_ips = newNMG()
> > recursive_ips:addMask('193.91.200.20/32')
> >
> > addAction(OrRule({QTypeRule(dnsdist.SOA), QTypeRule(dnsdist.AXFR),
> > QTypeRule(dnsdist.IXFR)}), PoolAction("auth"))
> >
> > addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))
> > addAction(AllRule(), PoolAction('auth'))
> > ---
> >
> > Server 1: pdns.conf
> > ---
> > allow-axfr-ips=193.91.200.10/32,193.91.200.20/32
> > daemon=no
> > disable-axfr=no
> > disable-tcp=no
> > guardian=no
> > launch=bind
> > bind-config=/etc/pdns/named.conf
> > bind-check-interval=300
> > local-address=127.0.0.1
> > local-port=5300
> > master=yes
> > setgid=pdns
> > setuid=pdns
> > ---
> >
> > Server 1: recursor.conf
> > ---
> > allow-from=127.0.0.0/8, 10.0.0.0/8, 193.91.200.10/32, 193.91.200.20/32
> > dont-query=127.0.0.0/8, 10.0.0.0/8
> > forward-zones=angelikarossos.com=127.0.0.1:5300
> > local-address=127.0.0.1
> > local-port=5301
> > setgid=pdns-recursor
> > setuid=pdns-recursor
> > ---
> >
> > Server 1: named.conf
> > ---
> > options {
> > directory "/var/named";
> > listen-on { 127.0.0.1:5300; };
> > allow-transfer { 193.91.200.10/32; 193.91.200.20/32; };
> > };
> >
> > zone "angelikarossos.com" {
> > type master;
> > file "angelikarossos.com";
> > };
> > ---
> >
> > Server 2: dnsdist.conf
> > ---
> > setLocal('193.91.200.20:53')
> > setACL({'0.0.0.0/0', '::/0'})
> >
> > newServer({address='127.0.0.1:5300', pool='auth'})
> > newServer({address='127.0.0.1:5301', pool='recursor'})
> >
> > recursive_ips = newNMG()
> > recursive_ips:addMask('193.91.200.10/32')
> >
> > addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))
> > addAction(AllRule(), PoolAction('auth'))
> > ---
> >
> > Server 2: pdns.conf
> > ---
> > allow-axfr-ips=193.91.200.10/32,193.91.200.20/32
> > daemon=no
> > disable-axfr=no
> > disable-tcp=no
> > guardian=no
> > launch=bind
> > bind-config=/etc/pdns/named.conf
> > bind-check-interval=300
> > local-add
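Added example (not part of any message in this thread, and not code from the dnsdist project): a primary-side dnsdist.conf assembled from the rules quoted in the message above, written to show how they would be laid out on Server 1. It assumes the thread's placeholder addresses (193.91.200.10 as the primary, 193.91.200.20 as the only secondary) and the thread's local backends on 127.0.0.1:5300 (pdns) and 127.0.0.1:5301 (pdns-recursor). The constant names (dnsdist.AXFR, dnsdist.REFUSED) follow the dnsdist versions in use when the thread was written; current releases spell them DNSQType.AXFR and DNSRCode.REFUSED.

```lua
-- Added example, not from the thread or from dnsdist's own documentation.
-- Assumed addresses: 193.91.200.10 is this host (the primary), 193.91.200.20
-- is the only secondary, 127.0.0.1:5300 is pdns and 127.0.0.1:5301 is
-- pdns-recursor, as in the posted configs.
setLocal('193.91.200.10:53')
setACL({'0.0.0.0/0', '::/0'})

newServer({address='127.0.0.1:5300', name='auth', pool='auth'})
newServer({address='127.0.0.1:5301', name='recursor', pool='recursor'})

-- Hosts allowed to pull zones, send NOTIFY and be answered recursively.
secondaries = newNMG()
secondaries:addMask('193.91.200.20/32')

-- 1. pdns only ever sees 127.0.0.1 as the client of a forwarded query, so it
--    cannot tell the secondary apart from an anonymous AXFR attempt. Refuse
--    transfers and NOTIFYs from anyone else here, before they reach it.
--    These rules must come first: addAction rules match in order, and a
--    NOTIFY carries qtype SOA, which the pool rule below would also match.
addAction(AndRule({OrRule({QTypeRule(dnsdist.AXFR), QTypeRule(dnsdist.IXFR)}),
                   NotRule(NetmaskGroupRule(secondaries))}),
          RCodeAction(dnsdist.REFUSED))
addAction(AndRule({OpcodeRule(DNSOpcode.Notify),
                   NotRule(NetmaskGroupRule(secondaries))}),
          RCodeAction(dnsdist.REFUSED))

-- 2. Zone-maintenance traffic that survives the filter goes to the
--    authoritative backend, never to the recursor.
addAction(OrRule({QTypeRule(dnsdist.SOA), QTypeRule(dnsdist.AXFR),
                  QTypeRule(dnsdist.IXFR)}),
          PoolAction('auth'))

-- 3. Other queries from the secondary are recursion, as in the posted setup;
--    everything else is answered authoritatively.
addAction(NetmaskGroupRule(secondaries), PoolAction('recursor'))
addAction(AllRule(), PoolAction('auth'))
```

The point of the two REFUSED rules is the log line in the original post: "denied: client IP 127.0.0.1 has no permission" is pdns applying allow-axfr-ips to the address it actually sees, which behind dnsdist is always the loopback. The posted pdns.conf sets allow-axfr-ips to the two public addresses only, so the forwarded transfer is refused. For the transfer to succeed, pdns has to trust the loopback (allow-axfr-ips=127.0.0.0/8,::1 is the PowerDNS default that the posted config overrides), and from then on the backend cannot filter by source address at all, so the source check has to live in dnsdist, as above. The secondary's dnsdist.conf is the mirror image: put 193.91.200.10 in the netmask group, keep the NOTIFY rule so only the primary can trigger a refresh, and drop the AXFR/IXFR pool rule entirely if Server 2 never needs to serve transfers itself.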

Re: [dnsdist] Question about dnsdist, pdns, pdns-recursor problem with AXFR

2019-04-04 Thread Remi Gacogne
Hi Angelika,

I would suggest you read [1] first, it explains the issue you are having
and some of the options to fix it.

[1]: https://dnsdist.org/advanced/axfr.html

Best regards,

Remi

On 4/3/19 11:40 PM, angelika rossos wrote:
> Hello!
> 
> I use the latest CentOS version. I have two servers (the IPs below are not
> the real public IPs; I don't want to share the real ones):
> 
> Server 1 - public IP for example 193.91.200.10 - master
> Server 2 - public IP for example 193.91.200.20 - slave
> 
> I have installed the latest versions of dnsdist, pdns and pdns-recursor.
> Below are my configs for dnsdist, pdns and pdns-recursor for both servers.
> 
> Server 1: dnsdist.conf
> ---
> setLocal('193.91.200.10:53')
> setACL({'0.0.0.0/0', '::/0'})
> 
> newServer({address='127.0.0.1:5300', pool='auth'})
> newServer({address='127.0.0.1:5301', pool='recursor'})
> 
> recursive_ips = newNMG()
> recursive_ips:addMask('193.91.200.20/32')
> 
> addAction(OrRule({QTypeRule(dnsdist.SOA), QTypeRule(dnsdist.AXFR),
> QTypeRule(dnsdist.IXFR)}), PoolAction("auth"))
> 
> addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))
> addAction(AllRule(), PoolAction('auth'))
> ---
> 
> Server 1: pdns.conf
> ---
> allow-axfr-ips=193.91.200.10/32,193.91.200.20/32
> daemon=no
> disable-axfr=no
> disable-tcp=no
> guardian=no
> launch=bind
> bind-config=/etc/pdns/named.conf
> bind-check-interval=300
> local-address=127.0.0.1
> local-port=5300
> master=yes
> setgid=pdns
> setuid=pdns
> ---
> 
> Server 1: recursor.conf
> ---
> allow-from=127.0.0.0/8, 10.0.0.0/8, 193.91.200.10/32, 193.91.200.20/32
> dont-query=127.0.0.0/8, 10.0.0.0/8
> forward-zones=angelikarossos.com=127.0.0.1:5300
> local-address=127.0.0.1
> local-port=5301
> setgid=pdns-recursor
> setuid=pdns-recursor
> ---
> 
> Server 1: named.conf
> ---
> options {
>         directory "/var/named";
>         listen-on { 127.0.0.1:5300; };
>         allow-transfer { 193.91.200.10/32; 193.91.200.20/32; };
> };
> 
> zone "angelikarossos.com" {
>         type master;
>         file "angelikarossos.com";
> };
> ---
> 
> Server 2: dnsdist.conf
> ---
> setLocal('193.91.200.20:53')
> setACL({'0.0.0.0/0', '::/0'})
> 
> newServer({address='127.0.0.1:5300', pool='auth'})
> newServer({address='127.0.0.1:5301', pool='recursor'})
> 
> recursive_ips = newNMG()
> recursive_ips:addMask('193.91.200.10/32')
> 
> addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))
> addAction(AllRule(), PoolAction('auth'))
> ---
> 
> Server 2: pdns.conf
> ---
> allow-axfr-ips=193.91.200.10/32,193.91.200.20/32
> daemon=no
> disable-axfr=no
> disable-tcp=no
> guardian=no
> launch=bind
> bind-config=/etc/pdns/named.conf
> bind-check-interval=300
> local-address=127.0.0.1
> local-port=5300
> setgid=pdns
> setuid=pdns
> slave=yes
> ---
> 
> Server 2: recursor.conf
> ---
> allow-from=127.0.0.0/8, 10.0.0.0/8, 193.91.200.10/32, 193.91.200.20/32
> dont-query=127.0.0.0/8, 10.0.0.0/8
> forward-zones=angelikarossos.com=127.0.0.1:5300
> local-address=127.0.0.1
> local-port=5301
> setgid=pdns-recursor
> setuid=pdns-recursor
> ---
> 
> Server 2: named.conf
> ---
> options {
>         directory "/var/named";
>         listen-on { 127.0.0.1:5300; };
>         allow-transfer { 193.91.200.10/32; 193.91.200.20/32; };
> };
> 
> zone "angelikarossos.com" {
>         type slave;
>         file "angelikarossos.com";
>         masters { 193.91.200.10; };
> };
> ---
> 
> When I start the dnsdist, pdns and pdns-recursor services everything works
> great except the AXFR zone transfer from master to slave. I get the
> following error messages:
> 
> Server 2:
> pdns_server[12447]: AXFR of domain 'angelikarossos.com' initiated by 127.0.0.1
> pdns_server[12447]: AXFR of domain 'angelikarossos.com' denied: client IP 127.0.0.1 has no permission
> pdns_server[12447]: AXFR of domain 'angelikarossos.com' failed: 127.0.0.1 cann