Allow DNS updates from these IP ranges.
+## `allow-notify-from`
+* IP ranges, separated by commas
+* Default: 0.0.0.0/0,::/0
+* Available since: 3.5.0
+
+Allow AXFR NOTIFY from these IP ranges.
+Setting this to an empty string will drop all incoming notifies.
+
## `allow-recursion`
* IP ranges, separated by commas
::arg().set("allow-axfr-ips","Allow zonetransfers only to these subnets")="127.0.0.0/8,::1";
::arg().set("only-notify", "Only send AXFR NOTIFY to these IP addresses or netmasks")="0.0.0.0/0,::/0";
::arg().set("also-notify", "When notifying a domain, also notify these nameservers")="";
+ ::arg().set("allow-notify-from","Allow AXFR NOTIFY from these IP ranges. If empty, drop all incoming notifies.")="0.0.0.0/0,::/0";
::arg().set("slave-cycle-interval","Schedule slave freshness checks once every .. seconds")="60";
::arg().set("tcp-control-address","If set, PowerDNS can be controlled over TCP on this address")="";
void CommunicatorClass::go()
{
+ try {
+ PacketHandler::s_allowNotifyFrom.toMasks(::arg()["allow-notify-from"] );
+ }
+ catch(PDNSException &e) {
+ L<<Logger::Error<<"Unparseable IP in allow-notify-from. Error: "<<e.reason<<endl;
+ exit(1);
+ }
+
pthread_t tid;
pthread_create(&tid,0,&launchhelper,this); // Starts CommunicatorClass::mainloop()
for(int n=0; n < ::arg().asNum("retrieval-threads", 1); ++n)
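Review bot: The new parse-error handler in CommunicatorClass::go() catches by non-const reference and then terminates the process with `exit(1)`; catch by const reference instead, `catch(const PDNSException &e) {`, which is the idiomatic form and matches the fact that only `e.reason` is read. Because `s_allowNotifyFrom` is populated only here, any configuration in which NOTIFY packets are processed without go() having run would presumably leave the group empty and refuse every NOTIFY — worth confirming against the callers. The documented "empty string drops all notifies" behaviour likewise relies on `toMasks("")` leaving the group empty and `match()` returning false on an empty group; a one-line comment above the try stating that assumption, e.g. `// An empty allow-notify-from yields an empty group, so every NOTIFY is refused`, would make the intent checkable. The body of go() continues past the hunk.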
#endif
AtomicCounter PacketHandler::s_count;
+NetmaskGroup PacketHandler::s_allowNotifyFrom;
extern string s_programname;
enum root_referral {
L<<Logger::Error<<"Received NOTIFY for "<<p->qdomain<<" from "<<p->getRemote()<<" but slave support is disabled in the configuration"<<endl;
return RCode::NotImp;
}
+
+ if(!s_allowNotifyFrom.match((ComboAddress *) &p->d_remote )) {
+ L<<Logger::Notice<<"Received NOTIFY for "<<p->qdomain<<" from "<<p->getRemote()<<" but remote is not in allow-notify-from"<<endl;
+ return RCode::Refused;
+ }
+
DNSBackend *db=0;
DomainInfo di;
di.serial = 0;
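Review bot: The C-style cast `(ComboAddress *) &p->d_remote` in the new allow-notify-from check hides whether it is stripping const, converting between unrelated pointer types, or doing nothing at all; if `d_remote` is already a `ComboAddress` and `match()` takes a `ComboAddress*`, it should be plain `if(!s_allowNotifyFrom.match(&p->d_remote)) {`, and otherwise a named `const_cast`/`static_cast` should make the intent explicit. Placing the check before `DNSBackend *db=0;` is good, since a refused NOTIFY never touches the backend. Note that the refusal is logged at Notice level once per packet, so unsolicited NOTIFY traffic from outside the allowed ranges will be reflected one-to-one in the log; whether that volume is acceptable depends on the deployment. The enclosing function starts and ends outside the hunk.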
UeberBackend *getBackend();
int trySuperMasterSynchronous(DNSPacket *p);
+ static NetmaskGroup s_allowNotifyFrom;
private:
int trySuperMaster(DNSPacket *p);
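Review bot: The new static member `s_allowNotifyFrom` is undocumented in the header, and nothing here says who fills it or what an empty group means. A short comment above the declaration would help the next reader, e.g. `// Source ranges allowed to send NOTIFY; filled from allow-notify-from in CommunicatorClass::go(). A NOTIFY from outside the group is answered Refused.` The class declaration starts and ends outside the hunk.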
#
# allow-dnsupdate-from=127.0.0.0/8,::1
+#################################
+# allow-notify-from Allow AXFR NOTIFY from these IP ranges. If empty, drop all incoming notifies.
+#
+# allow-notify-from=0.0.0.0/0,::/0
+
#################################
# allow-recursion List of subnets that are allowed to recurse
#