
Limit who can send us AXFR notify queries

Fixes #1937 and #1120

(cherry picked from commit d207ad6)
1 parent 59eb25c commit 2f679523bc90c7f896dd6750c754e591759fe242 @rubenk rubenk committed Dec 14, 2014
Showing with 34 additions and 1 deletion.
  1. +1 −0 pdns/common_startup.cc
  2. +8 −0 pdns/communicator.cc
  3. +12 −1 pdns/docs/pdns.xml
  4. +7 −0 pdns/packethandler.cc
  5. +1 −0 pdns/packethandler.hh
  6. +5 −0 pdns/pdns.conf-dist
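--- a/pdns/common_startup.cc
+++ b/pdns/common_startup.cc
@@ -98,6 +98,7 @@ void declareArguments()
 ::arg().set("allow-axfr-ips","Allow zonetransfers only to these subnets")="127.0.0.0/8,::1";
 ::arg().set("only-notify", "Only send AXFR NOTIFY to these IP addresses or netmasks")="0.0.0.0/0,::/0";
 ::arg().set("also-notify", "When notifying a domain, also notify these nameservers")="";
+ ::arg().set("allow-notify-from","Allow AXFR NOTIFY from these IP ranges. If empty, drop all incoming notifies.")="0.0.0.0/0,::/0";
 ::arg().set("slave-cycle-interval","Schedule slave freshness checks once every .. seconds")="60";
 ::arg().set("tcp-control-address","If set, PowerDNS can be controlled over TCP on this address")="";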
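Review bot: The help string on the added `allow-notify-from` line promises that an empty value will "drop all incoming notifies", but the consuming check this commit adds to `PacketHandler::processNotify` answers a non-matching source with `RCode::Refused`, so a REFUSED response is sent rather than the packet being silently dropped, and a response still tells a scanner the server is listening; the operator-facing text should describe what actually happens, e.g. `"Allow NOTIFY from these IP ranges. If empty, refuse all incoming notifies."`. Separately, the default declared here is `0.0.0.0/0,::/0`, while the pdns.xml hunk in this commit documents it as `0.0.0.0,::/0`; if NetmaskGroup treats a bare address as a single-host mask (I cannot confirm that from here), an operator who copies the documented value would allow NOTIFY from only the address 0.0.0.0, so the documentation should quote the default exactly. Note also that this default leaves the filter fully open, so the restriction the commit title describes only takes effect once an operator sets the option.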
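--- a/pdns/communicator.cc
+++ b/pdns/communicator.cc
@@ -56,6 +56,14 @@ void CommunicatorClass::retrievalLoopThread(void)
 void CommunicatorClass::go()
 {
+ try {
+ PacketHandler::s_allowNotifyFrom.toMasks(::arg()["allow-notify-from"] );
+ }
+ catch(PDNSException &e) {
+ L<<Logger::Error<<"Unparseable IP in allow-notify-from. Error: "<<e.reason<<endl;
+ exit(1);
+ }
+
 pthread_t tid;
 pthread_create(&tid,0,&launchhelper,this); // Starts CommunicatorClass::mainloop()
 for(int n=0; n < ::arg().asNum("retrieval-threads", 1); ++n)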
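Review bot: The added `try` block fills `PacketHandler::s_allowNotifyFrom`, a static that `processNotify` reads without any lock, but nothing here records that `CommunicatorClass::go()` must run before any packet-handler thread can receive a NOTIFY, nor what happens if `go()` is never called (its callers are outside this hunk); in that case the group presumably stays empty and, going by the option's help text, every NOTIFY is refused with the "not in allow-notify-from" log line, a confusing failure for an operator who never set the option. A comment above the block would make the dependency explicit: `// Parsed once here, before the communicator threads below start; read unsynchronised by PacketHandler::processNotify(), so go() must run before the packet handlers do.` Parsing a PacketHandler-owned setting inside the communicator also spreads the option's startup across two classes; placing the parse next to whatever initialises the other PacketHandler statics would keep it in one place. Minor: catch by `const PDNSException &e`, since only `e.reason` is read.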
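--- a/pdns/docs/pdns.xml
+++ b/pdns/docs/pdns.xml
@@ -17397,7 +17397,18 @@ To enable a Lua script for a particular slave zone, determine the domain_id for
 </para>
 <para>Behaviour post 2.9.10: If set, only these IP addresses or netmasks will be able to perform AXFR.
 </para>
- </listitem></varlistentry>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>allow-notify-from=...</term>
+ <listitem>
+ <para>
+ By specifying <command>allow-notify-from</command>, receiving AXFR NOTIFY can be restricted to netmasks specified. The default is to allow
+ AXFR NOTIFY from anywhere. Example: <command>allow-notify-from=192.168.0.0/24, 10.0.0.0/8, 192.0.2.4</command>.
+ The default is 0.0.0.0,::/0. Setting this to an empty string will drop all incoming notifies. Available since 3.4.3.
+ </para>
+ </listitem>
+ </varlistentry>
 <varlistentry>
 <term>allow-recursion=...</term>
 <listitem>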
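--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -50,6 +50,7 @@
 #endif
 AtomicCounter PacketHandler::s_count;
+NetmaskGroup PacketHandler::s_allowNotifyFrom;
 extern string s_programname;
 enum root_referral {
@@ -756,6 +757,12 @@ int PacketHandler::processNotify(DNSPacket *p)
 L<<Logger::Error<<"Received NOTIFY for "<<p->qdomain<<" from "<<p->getRemote()<<" but slave support is disabled in the configuration"<<endl;
 return RCode::NotImp;
 }
+
+ if(!s_allowNotifyFrom.match((ComboAddress *) &p->d_remote )) {
+ L<<Logger::Notice<<"Received NOTIFY for "<<p->qdomain<<" from "<<p->getRemote()<<" but remote is not in allow-notify-from"<<endl;
+ return RCode::Refused;
+ }
+
 DNSBackend *db=0;
 DomainInfo di;
 di.serial = 0;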
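Review bot: The new `match` check is a source-address filter on a NOTIFY that normally arrives over UDP, and nothing in the hunk ties it to anything an off-path sender cannot forge, so a spoofed source inside `allow-notify-from` still reaches the backend lookup that follows; a comment on the check should say so, so nobody later treats it as authentication of the master: `// Source-address filter only: NOTIFY is usually UDP and the source is trivially spoofable, so this limits noise rather than authenticating the master.` Placing the check before the backend is touched is the right order, since a refused packet then costs no database work. The `Logger::Notice` line fires once per refused packet, which under a spoofed flood makes the log itself the cost of the rejection; the existing `Logger::Error` line above it has the same shape, so a shared rate limit or a lower level for both is worth considering. `processNotify` starts before this hunk and continues past it.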
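--- a/pdns/packethandler.hh
+++ b/pdns/packethandler.hh
@@ -64,6 +64,7 @@ public:
 DNSBackend *getBackend();
 int trySuperMasterSynchronous(DNSPacket *p);
+ static NetmaskGroup s_allowNotifyFrom;
 private:
 int trySuperMaster(DNSPacket *p);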
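Review bot: The added public static carries a security policy, yet nothing in the header says who sets it or how it may be read, so a later caller could reasonably mutate it at runtime while packet-handler threads read it unlocked in `processNotify`. Document it in place: `static NetmaskGroup s_allowNotifyFrom; // allow-notify-from; filled once at startup by CommunicatorClass::go(), read without locking by processNotify()`. The enclosing class starts and ends outside this hunk.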
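--- a/pdns/pdns.conf-dist
+++ b/pdns/pdns.conf-dist
@@ -10,6 +10,11 @@
 # allow-dnsupdate-from=127.0.0.0/8,::1
 #################################
+# allow-notify-from Allow AXFR NOTIFY from these IP ranges. If empty, drop all incoming notifies.
+#
+# allow-notify-from=0.0.0.0/0,::/0
+
+#################################
 # allow-recursion List of subnets that are allowed to recurse
 #
 # allow-recursion=0.0.0.0/0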
