From 2f679523bc90c7f896dd6750c754e591759fe242 Mon Sep 17 00:00:00 2001
From: Ruben Kerkhof <ruben@rubenkerkhof.com>
Date: Sun, 14 Dec 2014 15:19:55 +0100
Subject: [PATCH] Limit who can send us AXFR notify queries

Fixes #1937 and #1120

(cherry picked from commit d207ad630ba2c98c922c8ca31b35d973b2e6b756)
---
 pdns/common_startup.cc |  1 +
 pdns/communicator.cc   |  8 ++++++++
 pdns/docs/pdns.xml     | 13 ++++++++++++-
 pdns/packethandler.cc  |  7 +++++++
 pdns/packethandler.hh  |  1 +
 pdns/pdns.conf-dist    |  5 +++++
 6 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/pdns/common_startup.cc b/pdns/common_startup.cc
index 1df40bec70..30976a6b7e 100644
--- a/pdns/common_startup.cc
+++ b/pdns/common_startup.cc
@@ -98,6 +98,7 @@ void declareArguments()
   ::arg().set("allow-axfr-ips","Allow zonetransfers only to these subnets")="127.0.0.0/8,::1";
   ::arg().set("only-notify", "Only send AXFR NOTIFY to these IP addresses or netmasks")="0.0.0.0/0,::/0";
   ::arg().set("also-notify", "When notifying a domain, also notify these nameservers")="";
+  ::arg().set("allow-notify-from","Allow AXFR NOTIFY from these IP ranges. If empty, drop all incoming notifies.")="0.0.0.0/0,::/0";
   ::arg().set("slave-cycle-interval","Schedule slave freshness checks once every .. seconds")="60";
 
   ::arg().set("tcp-control-address","If set, PowerDNS can be controlled over TCP on this address")="";
diff --git a/pdns/communicator.cc b/pdns/communicator.cc
index 41e7e56ca7..e5160e1215 100644
--- a/pdns/communicator.cc
+++ b/pdns/communicator.cc
@@ -56,6 +56,14 @@ void CommunicatorClass::retrievalLoopThread(void)
 
 void CommunicatorClass::go()
 {
+  try {
+    PacketHandler::s_allowNotifyFrom.toMasks(::arg()["allow-notify-from"] );
+  }
+  catch(PDNSException &e) {
+    L<<Logger::Error<<"Unparseable IP in allow-notify-from. Error: "<<e.reason<<endl;
+    exit(1);
+  }
+
   pthread_t tid;
   pthread_create(&tid,0,&launchhelper,this); // Starts CommunicatorClass::mainloop()
   for(int n=0; n < ::arg().asNum("retrieval-threads", 1); ++n)
diff --git a/pdns/docs/pdns.xml b/pdns/docs/pdns.xml
index 5599d5a208..df45dc692d 100644
--- a/pdns/docs/pdns.xml
+++ b/pdns/docs/pdns.xml
@@ -17397,7 +17397,18 @@ To enable a Lua script for a particular slave zone, determine the domain_id for
 	    </para>
 	    <para>Behaviour post 2.9.10: If set, only these IP addresses or netmasks will be able to perform AXFR.
 	    </para>
-	  </listitem></varlistentry>
+	  </listitem>
+	</varlistentry>
+	<varlistentry>
+	  <term>allow-notify-from=...</term>
+	  <listitem>
+	    <para>
+	      By specifying <command>allow-notify-from</command>, receiving AXFR NOTIFY can be restricted to netmasks specified. The default is to allow
+	      AXFR NOTIFY from anywhere. Example: <command>allow-notify-from=192.168.0.0/24, 10.0.0.0/8, 192.0.2.4</command>.
+	      The default is 0.0.0.0,::/0. Setting this to an empty string will drop all incoming notifies. Available since 3.4.3.
+	    </para>
+	  </listitem>
+	</varlistentry>
 	<varlistentry>
 	  <term>allow-recursion=...</term>
 	  <listitem>
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index 01e409b567..1ab5118a02 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -50,6 +50,7 @@
 #endif 
  
 AtomicCounter PacketHandler::s_count;
+NetmaskGroup PacketHandler::s_allowNotifyFrom;
 extern string s_programname;
 
 enum root_referral {
@@ -756,6 +757,12 @@ int PacketHandler::processNotify(DNSPacket *p)
     L<<Logger::Error<<"Received NOTIFY for "<<p->qdomain<<" from "<<p->getRemote()<<" but slave support is disabled in the configuration"<<endl;
     return RCode::NotImp;
   }
+
+  if(!s_allowNotifyFrom.match((ComboAddress *) &p->d_remote )) {
+    L<<Logger::Notice<<"Received NOTIFY for "<<p->qdomain<<" from "<<p->getRemote()<<" but remote is not in allow-notify-from"<<endl;
+    return RCode::Refused;
+  }
+
   DNSBackend *db=0;
   DomainInfo di;
   di.serial = 0;
diff --git a/pdns/packethandler.hh b/pdns/packethandler.hh
index fc6014abb0..b03a46e586 100644
--- a/pdns/packethandler.hh
+++ b/pdns/packethandler.hh
@@ -64,6 +64,7 @@ public:
   DNSBackend *getBackend();
 
   int trySuperMasterSynchronous(DNSPacket *p);
+  static NetmaskGroup s_allowNotifyFrom;
 
 private:
   int trySuperMaster(DNSPacket *p);
diff --git a/pdns/pdns.conf-dist b/pdns/pdns.conf-dist
index 39f7b37aa4..8c8a737a04 100644
--- a/pdns/pdns.conf-dist
+++ b/pdns/pdns.conf-dist
@@ -9,6 +9,11 @@
 #
 # allow-dnsupdate-from=127.0.0.0/8,::1
 
+#################################
+# allow-notify-from	Allow AXFR NOTIFY from these IP ranges. If empty, drop all incoming notifies.
+#
+# allow-notify-from=0.0.0.0/0,::/0
+
 #################################
 # allow-recursion	List of subnets that are allowed to recurse
 #
-- 
2.47.2