Limit who can send us AXFR notify queries

Fixes #1937 and #1120

(cherry picked from commit d207ad6)

Author: rubenk

pdns/common_startup.cc

@@ -98,6 +98,7 @@ void declareArguments()
   ::arg().set("allow-axfr-ips","Allow zonetransfers only to these subnets")="127.0.0.0/8,::1";
   ::arg().set("only-notify", "Only send AXFR NOTIFY to these IP addresses or netmasks")="0.0.0.0/0,::/0";
   ::arg().set("also-notify", "When notifying a domain, also notify these nameservers")="";
+  ::arg().set("allow-notify-from","Allow AXFR NOTIFY from these IP ranges. If empty, drop all incoming notifies.")="0.0.0.0/0,::/0";
   ::arg().set("slave-cycle-interval","Schedule slave freshness checks once every .. seconds")="60";
 
   ::arg().set("tcp-control-address","If set, PowerDNS can be controlled over TCP on this address")="";

pdns/communicator.cc

@@ -56,6 +56,14 @@ void CommunicatorClass::retrievalLoopThread(void)
 
 void CommunicatorClass::go()
 {
+  try {
+    PacketHandler::s_allowNotifyFrom.toMasks(::arg()["allow-notify-from"] );
+  }
+  catch(PDNSException &e) {
+    L<<Logger::Error<<"Unparseable IP in allow-notify-from. Error: "<<e.reason<<endl;
+    exit(1);
+  }
+
   pthread_t tid;
   pthread_create(&tid,0,&launchhelper,this); // Starts CommunicatorClass::mainloop()
   for(int n=0; n < ::arg().asNum("retrieval-threads", 1); ++n)

pdns/docs/pdns.xml

@@ -17397,7 +17397,18 @@ To enable a Lua script for a particular slave zone, determine the domain_id for
 	    </para>
 	    <para>Behaviour post 2.9.10: If set, only these IP addresses or netmasks will be able to perform AXFR.
 	    </para>
-	  </listitem></varlistentry>
+	  </listitem>
+	</varlistentry>
+	<varlistentry>
+	  <term>allow-notify-from=...</term>
+	  <listitem>
+	    <para>
+	      By specifying <command>allow-notify-from</command>, receiving AXFR NOTIFY can be restricted to netmasks specified. The default is to allow
+	      AXFR NOTIFY from anywhere. Example: <command>allow-notify-from=192.168.0.0/24, 10.0.0.0/8, 192.0.2.4</command>.
+	      The default is 0.0.0.0,::/0. Setting this to an empty string will drop all incoming notifies. Available since 3.4.3.
+	    </para>
+	  </listitem>
+	</varlistentry>
 	<varlistentry>
 	  <term>allow-recursion=...</term>
 	  <listitem>

pdns/packethandler.cc

@@ -50,6 +50,7 @@
 #endif 
 
 AtomicCounter PacketHandler::s_count;
+NetmaskGroup PacketHandler::s_allowNotifyFrom;
 extern string s_programname;
 
 enum root_referral {
@@ -756,6 +757,12 @@ int PacketHandler::processNotify(DNSPacket *p)
     L<<Logger::Error<<"Received NOTIFY for "<<p->qdomain<<" from "<<p->getRemote()<<" but slave support is disabled in the configuration"<<endl;
     return RCode::NotImp;
   }
+
+  if(!s_allowNotifyFrom.match((ComboAddress *) &p->d_remote )) {
+    L<<Logger::Notice<<"Received NOTIFY for "<<p->qdomain<<" from "<<p->getRemote()<<" but remote is not in allow-notify-from"<<endl;
+    return RCode::Refused;
+  }
+
   DNSBackend *db=0;
   DomainInfo di;
   di.serial = 0;

pdns/packethandler.hh

@@ -64,6 +64,7 @@ public:
   DNSBackend *getBackend();
 
   int trySuperMasterSynchronous(DNSPacket *p);
+  static NetmaskGroup s_allowNotifyFrom;
 
 private:
   int trySuperMaster(DNSPacket *p);

pdns/pdns.conf-dist

@@ -9,6 +9,11 @@
 #
 # allow-dnsupdate-from=127.0.0.0/8,::1
 
+#################################
+# allow-notify-from	Allow AXFR NOTIFY from these IP ranges. If empty, drop all incoming notifies.
+#
+# allow-notify-from=0.0.0.0/0,::/0
+
 #################################
 # allow-recursion	List of subnets that are allowed to recurse
 #