::arg().set("allow-axfr-ips","Allow zonetransfers only to these subnets")="127.0.0.0/8,::1";
::arg().set("only-notify", "Only send AXFR NOTIFY to these IP addresses or netmasks")="0.0.0.0/0,::/0";
::arg().set("also-notify", "When notifying a domain, also notify these nameservers")="";
+ ::arg().set("allow-notify-from","Allow AXFR NOTIFY from these IP ranges. If empty, drop all incoming notifies.")="0.0.0.0/0,::/0";
::arg().set("slave-cycle-interval","Schedule slave freshness checks once every .. seconds")="60";
::arg().set("tcp-control-address","If set, PowerDNS can be controlled over TCP on this address")="";
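Review bot: The default registered on the `allow-notify-from` line is `0.0.0.0/0,::/0`, but the docbook paragraph added further down in this change states `The default is 0.0.0.0,::/0`, which drops the `/0` on the IPv4 half and so documents a single-host default rather than "anywhere". The documentation should be corrected to `The default is 0.0.0.0/0,::/0.` so operators who copy it get the permissive default the code actually uses. It would also help to state in the help string here that the default preserves the pre-3.4.3 behaviour, e.g. `"Allow AXFR NOTIFY from these IP ranges (default: any). If empty, drop all incoming notifies."`, since this setting is a new ACL on an unauthenticated UDP path and operators need to know that leaving it unset changes nothing.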
void CommunicatorClass::go()
{
+ try {
+ PacketHandler::s_allowNotifyFrom.toMasks(::arg()["allow-notify-from"] );
+ }
+ catch(PDNSException &e) {
+ L<<Logger::Error<<"Unparseable IP in allow-notify-from. Error: "<<e.reason<<endl;
+ exit(1);
+ }
+
pthread_t tid;
pthread_create(&tid,0,&launchhelper,this); // Starts CommunicatorClass::mainloop()
for(int n=0; n < ::arg().asNum("retrieval-threads", 1); ++n)
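Review bot: The "If empty, drop all incoming notifies" promise depends on `toMasks("")` producing an empty NetmaskGroup rather than throwing, and nothing in this hunk shows which it is; if it throws, an empty setting becomes a start-up failure via the `exit(1)` branch instead of a fail-closed ACL, so that case deserves a check. The ACL is a `PacketHandler` static but is populated here in `CommunicatorClass::go()`, which means packet handlers constructed before `go()` runs would match against an empty group and refuse every NOTIFY; that is fail-closed, which is acceptable, but the dependency should be written down, e.g. `// allow-notify-from ACL lives in PacketHandler but is only parsed here; until go() runs, every NOTIFY is refused`. The body of `go()` continues past the end of this hunk.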
</para>
<para>Behaviour post 2.9.10: If set, only these IP addresses or netmasks will be able to perform AXFR.
</para>
- </listitem></varlistentry>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>allow-notify-from=...</term>
+ <listitem>
+ <para>
+ By specifying <command>allow-notify-from</command>, receiving AXFR NOTIFY can be restricted to netmasks specified. The default is to allow
+ AXFR NOTIFY from anywhere. Example: <command>allow-notify-from=192.168.0.0/24, 10.0.0.0/8, 192.0.2.4</command>.
+ The default is 0.0.0.0,::/0. Setting this to an empty string will drop all incoming notifies. Available since 3.4.3.
+ </para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term>allow-recursion=...</term>
<listitem>
#endif
AtomicCounter PacketHandler::s_count;
+NetmaskGroup PacketHandler::s_allowNotifyFrom;
extern string s_programname;
enum root_referral {
L<<Logger::Error<<"Received NOTIFY for "<<p->qdomain<<" from "<<p->getRemote()<<" but slave support is disabled in the configuration"<<endl;
return RCode::NotImp;
}
+
+ if(!s_allowNotifyFrom.match((ComboAddress *) &p->d_remote )) {
+ L<<Logger::Notice<<"Received NOTIFY for "<<p->qdomain<<" from "<<p->getRemote()<<" but remote is not in allow-notify-from"<<endl;
+ return RCode::Refused;
+ }
+
DNSBackend *db=0;
DomainInfo di;
di.serial = 0;
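Review bot: The C-style cast `(ComboAddress *) &p->d_remote` on the `match()` call hides whether the cast is converting a different type or just stripping `const`; since `p` is a non-const `DNSPacket *` here, `&p->d_remote` (or a `static_cast` if the field type really differs) would make the intent checkable by the compiler. The check is correctly placed after the slave-support `NotImp` return, so the refusal only applies when NOTIFY handling is enabled, and `Refused` is the right RCode for an unauthorised NOTIFY source. Note that NOTIFY arrives over unauthenticated UDP, so with a restrictive `allow-notify-from` a spoofing flood can drive the `Logger::Notice` line at wire speed; that is consistent with the existing `Error` line above for the disabled-slave case, but worth a comment such as `// unauthenticated UDP: source may be spoofed, log at Notice to limit noise`. The enclosing function starts before and continues after this hunk.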
DNSBackend *getBackend();
int trySuperMasterSynchronous(DNSPacket *p);
+ static NetmaskGroup s_allowNotifyFrom;
private:
int trySuperMaster(DNSPacket *p);
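Review bot: The new public static `s_allowNotifyFrom` has no comment saying where it is populated or what an empty group means, which matters because it is consulted on an unauthenticated packet path and is filled in by a different class. A one-line comment would close that gap: `static NetmaskGroup s_allowNotifyFrom; // inbound NOTIFY source ACL (allow-notify-from); empty group refuses all NOTIFYs`. Making it public mutable follows the existing `s_count` pattern, so that is consistent with the file, though a reader should not have to guess which code owns the write.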
#
# allow-dnsupdate-from=127.0.0.0/8,::1
+#################################
+# allow-notify-from Allow AXFR NOTIFY from these IP ranges. If empty, drop all incoming notifies.
+#
+# allow-notify-from=0.0.0.0/0,::/0
+
#################################
# allow-recursion List of subnets that are allowed to recurse
#