{ "SkipCacheAction", true, "", "Don’t lookup the cache for this query, don’t store the answer" },
{ "SkipCacheResponseAction", true, "", "Don’t store this response into the cache" },
{ "SNIRule", true, "name", "Create a rule which matches on the incoming TLS SNI value, if any (DoT or DoH)" },
- { "snmpAgent", true, "enableTraps [, masterSocket]", "enable `SNMP` support. `enableTraps` is a boolean indicating whether traps should be sent and `masterSocket` an optional string specifying how to connect to the master agent"},
+ { "snmpAgent", true, "enableTraps [, daemonSocket]", "enable `SNMP` support. `enableTraps` is a boolean indicating whether traps should be sent and `daemonSocket` an optional string specifying how to connect to the daemon agent"},
{ "SNMPTrapAction", true, "[reason]", "send an SNMP trap, adding the optional `reason` string as the query description"},
{ "SNMPTrapResponseAction", true, "[reason]", "send an SNMP trap, adding the optional `reason` string as the response description"},
{ "SpoofAction", true, "ip|list of ips [, options]", "forge a response with the specified IPv4 (for an A query) or IPv6 (for an AAAA). If you specify multiple addresses, all that match the query type (A, AAAA or ANY) will get spoofed in" },
g_useTCPSinglePipe = flag;
});
- luaCtx.writeFunction("snmpAgent", [client,configCheck](bool enableTraps, boost::optional<std::string> masterSocket) {
+ luaCtx.writeFunction("snmpAgent", [client,configCheck](bool enableTraps, boost::optional<std::string> daemonSocket) {
if(client || configCheck)
return;
#ifdef HAVE_NET_SNMP
g_snmpEnabled = true;
g_snmpTrapsEnabled = enableTraps;
- g_snmpAgent = new DNSDistSNMPAgent("dnsdist", masterSocket ? *masterSocket : std::string());
+ g_snmpAgent = new DNSDistSNMPAgent("dnsdist", daemonSocket ? *daemonSocket : std::string());
#else
errlog("NET SNMP support is required to use snmpAgent()");
g_outputBuffer="NET SNMP support is required to use snmpAgent()\n";
#endif /* HAVE_NET_SNMP */
}
-DNSDistSNMPAgent::DNSDistSNMPAgent(const std::string& name, const std::string& masterSocket): SNMPAgent(name, masterSocket)
+DNSDistSNMPAgent::DNSDistSNMPAgent(const std::string& name, const std::string& daemonSocket): SNMPAgent(name, daemonSocket)
{
#ifdef HAVE_NET_SNMP
class DNSDistSNMPAgent: public SNMPAgent
{
public:
- DNSDistSNMPAgent(const std::string& name, const std::string& masterSocket);
+ DNSDistSNMPAgent(const std::string& name, const std::string& daemonSocket);
bool sendBackendStatusChangeTrap(const std::shared_ptr<DownstreamState>&);
bool sendCustomTrap(const std::string& reason);
bool sendDNSTrap(const DNSQuestion&, const std::string& reason="");
AXFR, IXFR and NOTIFY
=====================
-When :program:`dnsdist` is deployed in front of a master authoritative server, it might receive
-AXFR or IXFR queries destined to this master. There are two issues that can arise in this kind of setup:
+When :program:`dnsdist` is deployed in front of a primary authoritative server, it might receive
+AXFR or IXFR queries destined to this primary. There are two issues that can arise in this kind of setup:
-- If the master is part of a pool of servers, the first `SOA` query can be directed
+- If the primary is part of a pool of servers, the first `SOA` query can be directed
by :program:`dnsdist` to a different server than the following AXFR/IXFR one, which might fail if the servers
are not perfectly synchronised.
-- If the master only allows AXFR/IXFR based on the source address of the requestor,
+- If the primary only allows AXFR/IXFR based on the source address of the requestor,
it might be confused by the fact that the source address will be the one from the :program:`dnsdist` server.
-The first issue can be solved by routing SOA, AXFR and IXFR requests explicitly to the master::
+The first issue can be solved by routing SOA, AXFR and IXFR requests explicitly to the primary::
- newServer({address="192.168.1.2", name="master", pool={"master", "otherpool"}})
- addAction(OrRule({QTypeRule(DNSQType.SOA), QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), PoolAction("master"))
+ newServer({address="192.168.1.2", name="primary", pool={"primary", "otherpool"}})
+ addAction(OrRule({QTypeRule(DNSQType.SOA), QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), PoolAction("primary"))
The second one might require allowing AXFR/IXFR from the :program:`dnsdist` source address
and moving the source address check to :program:`dnsdist`'s side::
Before 1.4.0, the QTypes were in the ``dnsdist`` namespace. Use ``dnsdist.AXFR`` and ``dnsdist.IXFR`` in these versions.
Before 1.4.0, the RCodes were in the ``dnsdist`` namespace. Use ``dnsdist.REFUSED`` in these versions.
-When :program:`dnsdist` is deployed in front of slaves, however, an issue might arise with NOTIFY
-queries, because the slave will receive a notification coming from the :program:`dnsdist` address,
-and not the master's one. One way to fix this issue is to allow NOTIFY from the :program:`dnsdist`
-address on the slave side (for example with PowerDNS's `trusted-notification-proxy`) and move the address
+When :program:`dnsdist` is deployed in front of secondaries, however, an issue might arise with NOTIFY
+queries, because the secondary will receive a notification coming from the :program:`dnsdist` address,
+and not the primary's one. One way to fix this issue is to allow NOTIFY from the :program:`dnsdist`
+address on the secondary side (for example with PowerDNS's `trusted-notification-proxy`) and move the address
check to :program:`dnsdist`'s side::
addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("192.168.1.0/24"))}), RCodeAction(DNSRCode.REFUSED))
:pullreq: 5328
:tickets: 5327
- Handle SNMP alarms so we can reconnect to the master.
+ Handle SNMP alarms so we can reconnect to the daemon.
.. change::
:tags: New Features
.. versionadded:: 1.2.0
-.. function:: snmpAgent(enableTraps [, masterSocket])
+.. function:: snmpAgent(enableTraps [, daemonSocket])
Enable SNMP support.
:param bool enableTraps: Indicates whether traps should be sent
- :param string masterSocket: A string specifying how to connect to the master agent. This is a file path to a unix socket, but e.g. ``tcp:localhost:705`` can be used as well. By default, SNMP agent's default socket is used.
+ :param string daemonSocket: A string specifying how to connect to the daemon agent. This is a file path to a unix socket, but e.g. ``tcp:localhost:705`` can be used as well. By default, SNMP agent's default socket is used.
.. function:: sendCustomTrap(message)
#endif /* HAVE_NET_SNMP */
}
-SNMPAgent::SNMPAgent(const std::string& name, const std::string& masterSocket)
+SNMPAgent::SNMPAgent(const std::string& name, const std::string& daemonSocket)
{
#ifdef HAVE_NET_SNMP
netsnmp_enable_subagent();
snmp_disable_log();
- if (!masterSocket.empty()) {
+ if (!daemonSocket.empty()) {
netsnmp_ds_set_string(NETSNMP_DS_APPLICATION_ID,
NETSNMP_DS_AGENT_X_SOCKET,
- masterSocket.c_str());
+ daemonSocket.c_str());
}
/* no need to load any MIBS,
and it causes import errors if some modules are not present */
/* we use select() so don't use SIGALARM to handle alarms.
Note that we need to handle alarms for automatic reconnection
- to the master to work.
+ to the daemon to work.
*/
netsnmp_ds_set_boolean(NETSNMP_DS_LIBRARY_ID,
NETSNMP_DS_LIB_ALARM_DONT_USE_SIG,
class SNMPAgent
{
public:
- SNMPAgent(const std::string& name, const std::string& masterSocket);
+ SNMPAgent(const std::string& name, const std::string& daemonSocket);
virtual ~SNMPAgent()
{
#ifdef HAVE_NET_SNMP
-# act as an Agent X master so that dnsdist can export SNMP statistics
+# act as an Agent X daemon so that dnsdist can export SNMP statistics
master agentx
-# allow dnsdist to connect to the Agent X master socket
+# allow dnsdist to connect to the Agent X daemon socket
agentxperms 0700 0755 dnsdist
# SNMPv2c community
name = 'servfailrate.dynblocks.tests.powerdns.com.'
self.doTestRCodeRate(name, dns.rcode.SERVFAIL)
-class TestDynBlockWhitelist(DynBlocksTest):
+class TestDynBlockAllowlist(DynBlocksTest):
_dynBlockQPS = 10
_dynBlockPeriod = 2
_dynBlockDuration = 5
_config_params = ['_dynBlockQPS', '_dynBlockPeriod', '_dynBlockDuration', '_testServerPort']
_config_template = """
- whitelisted = false
+ allowlisted = false
function maintenance()
toBlock = exceedQRate(%d, %d)
for addr, count in pairs(toBlock) do
if addr:toString() == "127.0.0.1" then
- whitelisted = true
+ allowlisted = true
toBlock[addr] = nil
end
end
end
function spoofrule(dq)
- if (whitelisted)
+ if (allowlisted)
then
return DNSAction.Spoof, "192.0.2.42"
else
return DNSAction.None, ""
end
end
- addAction("whitelisted-test.dynblocks.tests.powerdns.com.", LuaAction(spoofrule))
+ addAction("allowlisted-test.dynblocks.tests.powerdns.com.", LuaAction(spoofrule))
newServer{address="127.0.0.1:%s"}
"""
- def testWhitelisted(self):
+ def testAllowlisted(self):
"""
- Dyn Blocks: Whitelisted from the dynamic blocks
+ Dyn Blocks: Allowlisted from the dynamic blocks
"""
- name = 'whitelisted.dynblocks.tests.powerdns.com.'
+ name = 'allowlisted.dynblocks.tests.powerdns.com.'
query = dns.message.make_query(name, 'A', 'IN')
response = dns.message.make_response(query)
rrset = dns.rrset.from_text(name,
self.assertEquals(query, receivedQuery)
self.assertEquals(receivedResponse, receivedResponse)
- # check that we would have been blocked without the whitelisting
- name = 'whitelisted-test.dynblocks.tests.powerdns.com.'
+ # check that we would have been blocked without the allowlisting
+ name = 'allowlisted-test.dynblocks.tests.powerdns.com.'
query = dns.message.make_query(name, 'A', 'IN')
# dnsdist set RA = RD for spoofed responses
query.flags &= ~dns.flags.RD
projects / thirdparty / pdns.git / commitdiff
