From d207ad630ba2c98c922c8ca31b35d973b2e6b756 Mon Sep 17 00:00:00 2001
From: Ruben Kerkhof <ruben@rubenkerkhof.com>
Date: Sun, 14 Dec 2014 15:19:55 +0100
Subject: [PATCH] Limit who can send us AXFR notify queries

Fixes #1937 and #1120
---
 docs/markdown/authoritative/settings.md | 8 ++++++++
 pdns/common_startup.cc                  | 1 +
 pdns/communicator.cc                    | 8 ++++++++
 pdns/packethandler.cc                   | 7 +++++++
 pdns/packethandler.hh                   | 1 +
 pdns/pdns.conf-dist                     | 5 +++++
 6 files changed, 30 insertions(+)

diff --git a/docs/markdown/authoritative/settings.md b/docs/markdown/authoritative/settings.md
index 9ede9c072a..923bf4eddd 100644
--- a/docs/markdown/authoritative/settings.md
+++ b/docs/markdown/authoritative/settings.md
@@ -22,6 +22,14 @@ If set, only these IP addresses or netmasks will be able to perform AXFR.
 
 Allow DNS updates from these IP ranges.
 
+## `allow-notify-from`
+* IP ranges, separated by commas
+* Default: 0.0.0.0/0,::/0
+* Available since: 3.5.0
+
+Allow AXFR NOTIFY from these IP ranges.
+Setting this to an empty string will drop all incoming notifies.
+
 ## `allow-recursion`
 * IP ranges, separated by commas
 
diff --git a/pdns/common_startup.cc b/pdns/common_startup.cc
index ac9256d8e6..edd9313caf 100644
--- a/pdns/common_startup.cc
+++ b/pdns/common_startup.cc
@@ -101,6 +101,7 @@ void declareArguments()
   ::arg().set("allow-axfr-ips","Allow zonetransfers only to these subnets")="127.0.0.0/8,::1";
   ::arg().set("only-notify", "Only send AXFR NOTIFY to these IP addresses or netmasks")="0.0.0.0/0,::/0";
   ::arg().set("also-notify", "When notifying a domain, also notify these nameservers")="";
+  ::arg().set("allow-notify-from","Allow AXFR NOTIFY from these IP ranges. If empty, drop all incoming notifies.")="0.0.0.0/0,::/0";
   ::arg().set("slave-cycle-interval","Schedule slave freshness checks once every .. seconds")="60";
 
   ::arg().set("tcp-control-address","If set, PowerDNS can be controlled over TCP on this address")="";
diff --git a/pdns/communicator.cc b/pdns/communicator.cc
index b2b29b6b9d..ea22b1bacd 100644
--- a/pdns/communicator.cc
+++ b/pdns/communicator.cc
@@ -56,6 +56,14 @@ void CommunicatorClass::retrievalLoopThread(void)
 
 void CommunicatorClass::go()
 {
+  try {
+    PacketHandler::s_allowNotifyFrom.toMasks(::arg()["allow-notify-from"] );
+  }
+  catch(PDNSException &e) {
+    L<<Logger::Error<<"Unparseable IP in allow-notify-from. Error: "<<e.reason<<endl;
+    exit(1);
+  }
+
   pthread_t tid;
   pthread_create(&tid,0,&launchhelper,this); // Starts CommunicatorClass::mainloop()
   for(int n=0; n < ::arg().asNum("retrieval-threads", 1); ++n)
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index 651beb1384..1d444bfcd2 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -50,6 +50,7 @@
 #endif 
  
 AtomicCounter PacketHandler::s_count;
+NetmaskGroup PacketHandler::s_allowNotifyFrom;
 extern string s_programname;
 
 enum root_referral {
@@ -773,6 +774,12 @@ int PacketHandler::processNotify(DNSPacket *p)
     L<<Logger::Error<<"Received NOTIFY for "<<p->qdomain<<" from "<<p->getRemote()<<" but slave support is disabled in the configuration"<<endl;
     return RCode::NotImp;
   }
+
+  if(!s_allowNotifyFrom.match((ComboAddress *) &p->d_remote )) {
+    L<<Logger::Notice<<"Received NOTIFY for "<<p->qdomain<<" from "<<p->getRemote()<<" but remote is not in allow-notify-from"<<endl;
+    return RCode::Refused;
+  }
+
   DNSBackend *db=0;
   DomainInfo di;
   di.serial = 0;
diff --git a/pdns/packethandler.hh b/pdns/packethandler.hh
index 3e7fe522d8..dda2ed7bba 100644
--- a/pdns/packethandler.hh
+++ b/pdns/packethandler.hh
@@ -63,6 +63,7 @@ public:
   UeberBackend *getBackend();
 
   int trySuperMasterSynchronous(DNSPacket *p);
+  static NetmaskGroup s_allowNotifyFrom;
 
 private:
   int trySuperMaster(DNSPacket *p);
diff --git a/pdns/pdns.conf-dist b/pdns/pdns.conf-dist
index 7ba8d59085..9b8b80e05b 100644
--- a/pdns/pdns.conf-dist
+++ b/pdns/pdns.conf-dist
@@ -9,6 +9,11 @@
 #
 # allow-dnsupdate-from=127.0.0.0/8,::1
 
+#################################
+# allow-notify-from	Allow AXFR NOTIFY from these IP ranges. If empty, drop all incoming notifies.
+#
+# allow-notify-from=0.0.0.0/0,::/0
+
 #################################
 # allow-recursion	List of subnets that are allowed to recurse
 #
-- 
2.47.2