[solved] Add IP address to allow-transfer which is not a nameserver

[halfgaar]

Hi,

 

I need to add an IP address to the match list in allow-transfer for each zone which is not a DNS server. Normally, Froxlor generates this list by what you've defined as nameservers in the control panel, but the webhost which offers secondary DNS servers has a separate server which imports DNS records but which does not serve DNS itself. Because of that, I can't enter it as nameserver in Froxlor, and it is not allowed to do AXFR.

 

I tried defining a allow-transfer list in named.conf.options, but it seems the lists in froxlor_bind.conf overrides that, because I still get access denied's in the logs for the IPs in question.

 

So, how do I allow IP's access that are not defined as nameservers in Froxlor? Or, how do I allow all IPs access?

[CoCo]

halfgaar

 

I'd like to note a thing or two about adress matching in bind, since from your posting I got the impression that you misunderstood the matching mechanism.

 

Address matching in bind stops at the first matching entry in the adress matching list, where the predefined named adress "none" is the negation of another predefined named adress: "any".

 

So by using, for example:

 

allow-transfer { "none"; 192.168.0.3/32; };

 

you'd be telling bind to do:

 

allow-transfer { !"any"; 192.168.0.3/32; };

 

As a result, no one is allowed to AXFR. On the other hand putting "none" at the end of the adress matching list is superflouos, since, as the lists name implies, anything not explicitly allowed once the allow-transfer list is configured, will be forbidden to AXFR, anyway.

 

 

One example for the ways one can do foot shooting with adress matching lists is the following one:

 

allow-transfer { 192.168.0/24; !192.168.0.3/32; };

 

Which will allow 192.168.0.3/32 to AXFR, despite the negation.

 

 

 

To answer one of your other questions: options in zone statements always take precedence over those in the server options.

 

 

MfG CoCo

Edit: Typo fixed

[halfgaar]

Thanks, that indeed clarifies it for me.

[d00p]

not possible at the moment as far as i remember. either wait for the DNS-rewrite which is currently being worked at or patch Froxlor yourself

[atari]

you could set a global transfer option in the bind config

[halfgaar]

I did, I specified an allow-transfer list in named.conf.options, but I don't really get why it doesn't work. The bind docs say this:

 

allow-transfer defines a match list e.g. IP address(es) that are allowed to transfer (copy) the zone information from the server (master or slave for the zone). The default behaviour is to allow zone transfers to any host.

 

It goes on to say that:

 

However if the thought of anyone being able to transfer your precious zone file is repugnant, or (and this is far more significant) you are concerned about possible DoS attack initiated by XFER requests, then use the following policy:

 

options {

....

// ban everyone by default

allow-transfer {"none";};

};

...

zone "example.com" in{

....

// explicity allow the slave(s) in each zone

allow-transfer (192.168.0.3;);

};

 

This leads me to conclude that allow-transfer always works for all IPs, unless you define an "allow-transfer {"none";" and then a white list. I have defined no such thing, yet the logs keep showing AXFR access denied, even when I put an "allow-transfer" block in named.conf.options.

 

It seems that the allow-transfer statement in froxlor_bind.conf replaces the list of allowed IP addresses, including the allow-all default. Can anyone confirm that? Does specifying an allow-list, without saying "allow: none" first, disable Bind's allow-all default?