From: Bert Hubert Date: Sat, 16 Jul 2005 11:25:38 +0000 (+0000) Subject: documentation, ldap fixes for bug #17 X-Git-Tag: pdns-2.9.18~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5a0f9e64e56a78a8d86263a18dffbadc064e1b8d;p=thirdparty%2Fpdns.git documentation, ldap fixes for bug #17 git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@448 d19b8d6e-7fed-0310-83ef-9ca221ded41b --- diff --git a/modules/ldapbackend/ldapbackend.cc b/modules/ldapbackend/ldapbackend.cc index 9c7444bcc1..a8071042ca 100644 --- a/modules/ldapbackend/ldapbackend.cc +++ b/modules/ldapbackend/ldapbackend.cc @@ -125,11 +125,14 @@ inline bool LdapBackend::list_simple( const string& target, int domain_id ) { string dn; string filter; + string qesc; - // search for SOARecord of target dn = getArg( "basedn" ); - filter = "(associatedDomain=" + target + ")"; + qesc = toLower( m_pldap->escape( target ) ); + + // search for SOARecord of target + filter = strbind( ":target:", "(associatedDomain=" + qesc + ")", getArg( "filter-axfr" ) ); m_msgid = m_pldap->search( dn, LDAP_SCOPE_SUBTREE, filter, (const char**) ldap_attrany ); m_pldap->getSearchEntry( m_msgid, m_result, true ); @@ -140,7 +143,7 @@ inline bool LdapBackend::list_simple( const string& target, int domain_id ) } prepare(); - filter = "(associatedDomain=*." + target + ")"; + filter = strbind( ":target:", "(associatedDomain=*." + qesc + ")", getArg( "filter-axfr" ) ); DLOG( L << Logger::Debug << m_myname << " Search = basedn: " << dn << ", filter: " << filter << endl ); m_msgid = m_pldap->search( dn, LDAP_SCOPE_SUBTREE, filter, (const char**) ldap_attrany ); 
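Review bot: The protection added at `qesc = toLower( m_pldap->escape( target ) );` is only as strong as `m_pldap->escape()`, whose body is not in this hunk — `target` is a DNS name received from the network, so to close LDAP filter injection it has to neutralise at least `*`, `(`, `)`, `\` and NUL (RFC 2254) before the name enters `(associatedDomain=...)`; please confirm that and record it, e.g. `// target comes off the wire; escape() must cover RFC 2254 filter metachars`. A second concern is that the substitution degrades silently: if an operator's `ldap-filter-axfr` value lacks the `:target:` token, `strbind()` (assuming it replaces occurrences of its first argument inside its third) returns the configured filter unchanged, the escaped target is never matched, and the AXFR search is no longer constrained by the requested zone — a startup check for the placeholder would catch that. list_simple() continues past this hunk.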
@@ -212,6 +215,8 @@ void LdapBackend::lookup_simple( const QType &qtype, const string &qname, DNSPac attributes = attronly; } + filter = strbind( ":target:", filter, getArg( "filter-lookup" ) ); + DLOG( L << Logger::Debug << m_myname << " Search = basedn: " << getArg( "basedn" ) << ", filter: " << filter << ", qtype: " << qtype.getName() << endl ); m_msgid = m_pldap->search( getArg( "basedn" ), LDAP_SCOPE_SUBTREE, filter, (const char**) attributes ); } @@ -255,6 +260,8 @@ void LdapBackend::lookup_strict( const QType &qtype, const string &qname, DNSPac } } + filter = strbind( ":target:", filter, getArg( "filter-lookup" ) ); + DLOG( L << Logger::Debug << m_myname << " Search = basedn: " << getArg( "basedn" ) << ", filter: " << filter << ", qtype: " << qtype.getName() << endl ); m_msgid = m_pldap->search( getArg( "basedn" ), LDAP_SCOPE_SUBTREE, filter, (const char**) attributes ); } @@ -270,7 +277,7 @@ void LdapBackend::lookup_tree( const QType &qtype, const string &qname, DNSPacke vector parts; - qesc = toLower( qname ); + qesc = toLower( m_pldap->escape( qname ) ); filter = "(associatedDomain=" + qesc + ")"; if( qtype.getCode() != QType::ANY ) @@ -281,6 +288,8 @@ void LdapBackend::lookup_tree( const QType &qtype, const string &qname, DNSPacke attributes = attronly; } + filter = strbind( ":target:", filter, getArg( "filter-lookup" ) ); + stringtok( parts, qesc, "." ); for( i = parts.rbegin(); i != parts.rend(); i++ ) { @@ -488,6 +497,8 @@ public: declare( suffix, "binddn", "User dn for non anonymous binds","" ); declare( suffix, "secret", "User password for non anonymous binds", "" ); declare( suffix, "method", "How to search entries (simple, strict or tree)", "simple" ); + declare( suffix, "filter-axfr", "LDAP filter for limiting AXFR results", ":target:" ); + declare( suffix, "filter-lookup", "LDAP filter for limiting IP or name lookups", ":target:" ); declare( suffix, "disable-ptrrecord", "Depricated, use ldap-method=strict instead", "no" ); } 
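Review bot: The `filter` wrapped at `filter = strbind( ":target:", filter, getArg( "filter-lookup" ) );` is built from `qname` on lines above this hunk, and nothing here shows whether that construction goes through `m_pldap->escape()` the way lookup_tree now does; the commit's own changelog says queries were not properly escaped, so if lookup_simple still concatenates the raw name, this line merely embeds an injectable filter inside the configured one. A one-line `// qname must already be escape()d before it reaches this filter` at the point of use would make the invariant visible. lookup_simple() starts before this hunk.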
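Review bot: As in lookup_simple, `filter = strbind( ":target:", filter, getArg( "filter-lookup" ) );` assumes the incoming `filter` was built from an escaped `qname`, and the lines that build it lie outside this hunk; please verify that lookup_strict escapes the name, since the fix in this commit only visibly touches list_simple and lookup_tree. lookup_strict() starts before this hunk.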
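Review bot: After `qesc = toLower( m_pldap->escape( qname ) );`, the later `stringtok( parts, qesc, "." );` now splits the escaped form, so every element of `parts` carries filter escaping (presumably backslash-hex). That is correct only if the loop that follows — its body is outside this hunk — uses `parts` solely inside search filters; an element placed into a DN would need RFC 2253 escaping instead, which is a different encoding. Suggest marking the intent at the stringtok line: `// parts hold the filter-escaped labels; only safe inside LDAP filters, not DNs`. lookup_tree() continues past this hunk.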
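Review bot: The help strings for the two new settings do not tell operators that the value must contain the `:target:` placeholder, and nothing validates it; a filter configured without the token would (if strbind substitutes the placeholder as it appears to) drop the queried name from the search altogether, turning every lookup or AXFR into a match against the operator's filter alone. Suggest `declare( suffix, "filter-axfr", "LDAP filter for limiting AXFR results (must contain :target:)", ":target:" );` and the same wording for filter-lookup, plus a check in the backend constructor that both values contain the token, failing startup otherwise. The `Depricated` typo in the disable-ptrrecord help string is on a pre-existing context line.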
diff --git a/pdns/docs/pdns.sgml b/pdns/docs/pdns.sgml index 62ccb5bcdb..297c626971 100644 --- a/pdns/docs/pdns.sgml +++ b/pdns/docs/pdns.sgml @@ -83,7 +83,7 @@ Version 2.9.18 - Released on the 14th of July 2005. + Released on the 16th of July 2005. The '8 million domains' release, which also marks the battle readiness of the PowerDNS Recursor. The latest improvements have been made possible @@ -91,8 +91,8 @@ XS4ALL. Thanks! - This release brings a number of new features, - but also has a new build dependency, the Boost library. + This release brings a number of new features (vastly improved recursor, Generic Oracle Support, DNS analysis and replay tools, and more) + but also has a new build dependency, the Boost library (version 1.31 or higher). Currently several big ISPs are evaluating the PowerDNS recursor for their resolving needs, some of them have switched already. 
@@ -106,35 +106,52 @@ We invite ISPs who note recursor problems to record their problematic traffic and replay it using the tools described in to discover if PowerDNS does a better job, and to let us know the results. + + Additionally, the bind2backend is almost ready to replace the stock bind backend. If you run with Bind zones, you are cordially invited + to substitute 'launch=bind2' for 'launch=bind'. This will happen automatically in 2.9.19! + In other news, the entire Wikipedia constellation now runs on PowerDNS using the Geo Backend! Thanks to Mark Bergsma for keeping us updated. - General bugs fixed: + There are two bugs with security implications, which only apply to installations running with the LDAP backend, or installations providing recursion + to a limited range of IP addresses. If any of these apply to you, an upgrade is highly advised: - TCP authoritative server would not relaunch a backend after failure (reported by Norbert Sendetzky) + The LDAP backend did not properly escape all queries, allowing it to fail and not answer questions. We have not investigated further risks involved, + but we advise LDAP users to update as quickly as possible (Norbert Sendetzky, Jan de Groot) - Fix backend restarting logic (reported, and fix suggested by Norbert Sendetzky) + Questions from clients denied recursion could blank out answers to clients who are allowed recursion services, temporarily. Reported by Wilco Baan. + This would've made it possible for outsiders to blank out a domain temporarily to your users. Luckily PowerDNS would send out SERVFAIL or Refused, and + not a denial of a domain's existence. + + + + General bugs fixed: + - Launching identical backends multiple times, with different settings, did not work. Reported by Mario Manno. 
+ TCP authoritative server would not relaunch a backend after failure (reported by Norbert Sendetzky) - Questions from clients denied recursion could blank out answers to clients who are allowed recursion services, temporarily. Reported by Wilco Baan. - This would've made it possible for outsiders to blank out a domain temporarily to your users. Luckily PowerDNS would send out SERVFAIL or Refused, and - not a denial of a domain's existence. + Fix backend restarting logic (reported, and fix suggested by Norbert Sendetzky) + + + Launching identical backends multiple times, with different settings, did not work. Reported by Mario Manno. + + + Master/slave queries did not honour the query-local-address setting. Spotted by David Levy of Register.com. @@ -337,7 +354,6 @@ for more details. - Generic Oracle Backend, sponsored by Register.COM. See . 
@@ -4076,9 +4092,28 @@ name IN A 1.2.3.4 Security - As of the 5th of February 2005, no actual security problems with PowerDNS 2.9.17 or later are known about. This page + As of the 16th of July 2005, no actual security problems with PowerDNS 2.9.18 or later are known about. This page will be updated with all bugs which are deemed to be security problems, or could conceivably lead to those. Any such notifications - will also be sent to all PowerDNS mailinglists and BUGTRAQ. + will also be sent to all PowerDNS mailinglists. + + + All versions of PowerDNS before 2.9.18 contain the following two bugs, which only apply to installations running with the LDAP backend, or installations providing recursion + to a limited range of IP addresses. If any of these apply to you, an upgrade is highly advised: + + + + The LDAP backend did not properly escape all queries, allowing it to fail and not answer questions. We have not investigated further risks involved, + but we advise LDAP users to update as quickly as possible (Norbert Sendetzky, Jan de Groot) + + + + + Questions from clients denied recursion could blank out answers to clients who are allowed recursion services, temporarily. Reported by Wilco Baan. + This would've made it possible for outsiders to blank out a domain temporarily to your users. Luckily PowerDNS would send out SERVFAIL or Refused, and + not a denial of a domain's existence. + + + All versions of PowerDNS before 2.9.17 are known to suffer from remote denial of service problems which can disrupt operation. Please upgrade 
@@ -5375,7 +5410,7 @@ local0.err /var/log/pdns.err Only compiles on Linux, FreeBSD 5.x, Windows and possibly Solaris. FreeBSD 4.x decided not to support the POSIX get/set/swapcontext functions. Bug your favorite FreeBSD kernel or libc maintainer for a fix, or ask him to port MTasker (see below) to your operating system. It may work on recent 4.x systems, - letus know! + let us know! May have big problems with truncated packets (solved in 2.9.18) 
@@ -6827,37 +6862,42 @@ Feb 10 14:16:03 stats: 125784 questions, 13971 cache entries, 309 negative entri Tools to analyse DNS traffic - - DNS is highly mission critical, it is therefore necessary to be able to study and compare DNS traffic. Since 2.9.18, PowerDNS comes - with three tools to aid in analysis: - - - dnsreplay pcapfile [ipaddress] [port number] - - - This program takes recorded questions and answers and replays them to a specified nameserver and reporting afterwards - which percentage of answers matched, were worse or better. - - - - - dnswasher pcapfile output - - - Anonymises recorded traffic, making sure it only contains DNS, and that the originating IP addresses of queries are stripped, which may - allow you to send traces to our company or mailing list without violating obligations towards your customers or privacy laws. - - - - - dnsscope pcapfile - - Calculates statistics without replaying traffic - - - - + DNS is highly mission critical, it is therefore necessary to be able to study and compare DNS traffic. Since 2.9.18, PowerDNS comes + with three tools to aid in analysis: + + + As of 2.9.18 these tools are somewhat rough - they have no help messages for example. They do work though. + + + + + dnsreplay pcapfile [ipaddress] [port number] + + + This program takes recorded questions and answers and replays them to a specified nameserver and reporting afterwards + which percentage of answers matched, were worse or better. + + + + + dnswasher pcapfile output + + + Anonymises recorded traffic, making sure it only contains DNS, and that the originating IP addresses of queries are stripped, which may + allow you to send traces to our company or mailing list without violating obligations towards your customers or privacy laws. + + + + + dnsscope pcapfile + + + Calculates statistics without replaying traffic + + + + Backends in detail 
@@ -8821,9 +8861,20 @@ insert into Records (id,ZoneId, name,type,content,TimeToLive,Priority) select RE LDAP backend + + + + This documentation has moved to its own page. The information in this chapter + may be outdated! + + The main author for this module is Norbert Sendetzky who also has his own PowerDNS-LDAP page. + + He also maintains the LDAP backends documentation there. The information + below may be outdated! + LDAP backend capabilities