why self-notification?


why self-notification?

geohei
Hi.

PowerDNS newbie question (sorry). syslog shows (anonymized):

May 15 19:51:46 gany pdns[30950]: 1 domain for which we are master needs
notifications
May 15 19:51:46 gany pdns[30950]: Queued notification of domain
'ddns.mydomain.com' to 185.3.195.46
May 15 19:51:46 gany pdns[30950]: Remote 185.3.195.46 wants
'ddns.mydomain.com|SOA', do = 0, bufsize = 512: packetcache MISS
May 15 19:51:46 gany pdns[30950]: Received NOTIFY for ddns.mydomain.com
from 185.3.195.46 but slave support is disabled in the configuration
May 15 19:51:47 gany pdns[30950]: Received unsuccessful notification
report for 'ddns.mydomain.com' from 185.3.195.46:53, rcode: 4
May 15 19:51:47 gany pdns[30950]: Removed from notification list:
'ddns.mydomain.com' to 185.3.195.46:53
May 15 19:51:49 gany pdns[30950]: No master domains need notifications

What is the basic reason that PowerDNS wants to notify itself in a
master/slave setup?

Thanks,
Re: why self-notification?

bert hubert-3
On Mon, May 16, 2016 at 04:18:39AM -0700, geohei wrote:
> Hi.
>
> PowerDNS newbie question (sorry). syslog shows (anonymized):

Which version do you run? We made a mode to prevent self-notification in
3.3.

Hope this helps!

        Bert
_______________________________________________
Pdns-users mailing list
[hidden email]
https://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: why self-notification?

geohei
Yes, 3.3.
But "prevent-self-notification=yes" still triggers self notifications.
Why were they implemented in the first place?
I don't see the usefulness.
Re: why self-notification?

bert hubert-3
On Mon, May 16, 2016 at 04:25:08AM -0700, geohei wrote:
> Yes, 3.3.
> But "prevent-self-notification=yes" still triggers self notifications.
> Why were they implemented in the first place?

It goes like this. A nameserver figures out who claims to be authoritative
for a domain, and then gathers the IP addresses to notify them. From this
list, it is not clear which of those addresses are ours. We need to filter
them out.

There is no system call that says "give me all the IP addresses that are
authoritative for this domain". I can only determine all addresses and then
try to prevent sending a query to ourselves.

I hope this is clear.

If you want help solving your spurious log lines, I need complete and real
non-anonymized data on this list.

https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/ 

        Bert
Re: why self-notification?

geohei
Hi.

I read your link about publishing real FQDNs and IPs, however I'm very reluctant about this ... I explain ... I'm not the super pro (as you noticed already) in this subject and I don't really know about the full range of potential consequences. I see already now some AXFR attempts from IPs from parts of the world where I know that none of my users is or was at this place. I also do fully understand that you are willing to help (thank you!) but you need data to feed the machine (clear!). I take this more or less as a challenge to figure out by myself what goes wrong and why. I just would need some kicks in the right direction.

As far as I understood, the master server checks the MNAME field of the SOA and doesn't send a NOTIFY to this NS server (id est it takes it out from the list of NS records found in the master server's database), since this would result in a self notification. So ... PowerDNS shouldn't notify itself even without the "prevent-self-notification=yes" option, right?

Thanks,
Re: why self-notification?

geohei
Forgot to add this as reference when and how the slave is notified ...

----- cut here -----

DNS NOTIFY works like this: when a primary master name server notices that the serial number of a zone has changed, it sends a special announcement to all of the slave name servers for that zone. The primary master name server determines which servers are the slaves for the zone by looking at the list of NS records in the zone and taking out the record that points to the name server listed in the MNAME field of the zone's SOA record as well as the domain name of the local host.

----- cut here -----

So for my case ... I don't understand (the principle) why the master keeps on getting notified ?!

----- cut here -----

0|0|mydomain.com|SOA|mydomain.com root.mydomain.com 132244 86400 10800 604800 180|180||||
1|0|mydomain.com|MX|mydomain.com|86400|10|||
2|0|mydomain.com|NS|mydomain.com|86400||||
5|0|mydomain.com|CNAME|my.dyndns.home.address|86400||||
6|0|paul.mydomain.com|A|11.22.33.44|60||||

----- cut here -----
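An added illustration (not code from this thread or from PowerDNS) of the two self-notification rules described above: the name-based rule from the DNS & BIND quote (drop the SOA MNAME and the local host name from the NS list) and the address-based filtering Bert describes (resolve every NS host, then drop addresses that are ours). It runs over a constructed dump in the same pipe-separated layout as the records posted above; the zone name, addresses, and the stub resolver are assumptions.

```python
import ipaddress

# Constructed sample in the thread's pipe-separated dump layout
# (id|domain_id|name|type|content|ttl|prio|...); names and addresses are made up.
ZONE_DUMP = """\
0|0|ddns.example.com|SOA|ns1.ddns.example.com. root.ddns.example.com. 144706 86400 10800 604800 180|180||||
2|0|ddns.example.com|NS|ns1.ddns.example.com|86400||||
3|0|ddns.example.com|NS|ns2.example.net|86400||||
"""

# Stub resolver standing in for real lookups (constructed): ns1 is a CNAME to a
# dynamic-DNS name that maps to a public address, ns2 is a foreign secondary.
STUB_DNS = {"ns1.ddns.example.com": ["203.0.113.46"],
            "ns2.example.net": ["198.51.100.7"]}

def resolve(host):
    return STUB_DNS.get(host, [])

def parse_dump(text):
    """Turn dump lines into {name, type, content} dicts (fields 2, 3 and 4)."""
    recs = []
    for line in text.splitlines():
        f = line.split("|")
        if len(f) >= 5:
            recs.append({"name": f[2].lower(), "type": f[3], "content": f[4]})
    return recs

def ns_hosts(records, zone, drop_mname=False, local_names=()):
    """NS host names of `zone`. With drop_mname=True apply the name-based rule
    from the DNS & BIND quote: remove the SOA MNAME and our own host names."""
    skip = {n.rstrip(".").lower() for n in local_names}
    if drop_mname:
        soa = next(r for r in records if r["name"] == zone and r["type"] == "SOA")
        skip.add(soa["content"].split()[0].rstrip(".").lower())
    return [r["content"].rstrip(".").lower() for r in records
            if r["name"] == zone and r["type"] == "NS"
            and r["content"].rstrip(".").lower() not in skip]

def notify_targets(hosts, local_addrs):
    """Address-based rule as Bert describes it: resolve each NS host and drop
    only addresses the server itself listens on; whatever remains is notified."""
    ours = {ipaddress.ip_address(a) for a in local_addrs}
    targets = {}
    for host in hosts:
        ips = [ip for ip in resolve(host) if ipaddress.ip_address(ip) not in ours]
        if ips:
            targets[host] = ips
    return targets
```

Calling notify_targets with only a private listen address as "ours" keeps ns1 in the list, while adding its public address drops it: the address rule can only remove an NS whose resolved address the server knows as its own.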
Re: why self-notification?

David-2
On 2016-05-18 1:33 PM, geohei wrote:

> Hi.
>
> I read your link about publishing real FQDNs and IPs, however I'm very
> reluctant about this ... I explain ... I'm not the super pro (as you noticed
> already) in this subject and I don't really know about the full range of
> potential consequences. I see already now some AXFR attempts from IPs from
> parts of the world, where I know that none of my users is or was at this
> place. I also do fully understand that you are willing to help (thank you!)
> but you need data to feed the machine (clear!). I take this more or less as
> a challenge to figure out by myself what goes wrong and why. I just would
> need some kicks in the right direction.

This type of traffic is really common. You'll see all sorts of things
trying to do AXFRs from you, DDNS updates, etc. You're probably only
noticing it now because you've been looking into this issue/paying
attention to it.


>
> As far as I understood, the master server checks the MNAME field of the SOA
> and doesn't send a NOTIFY to this NS server (id est it takes it out from the
> list of NS records found in the master server's database), since this would
> result in a self notification. So ... PowerDNS shouldn't notify itself even
> without the "prevent-self-notification=yes" option, right?
>
> Thanks,


Re: why self-notification?

geohei
On 2016-05-18 22:50, David-2 wrote:

> This type of traffic is really common. You'll see all sorts of things
> trying to do AXFRs from you, DDNS updates, etc. You're probably only
> noticing it now because you've been looking into this issue/paying
> attention to it.

You are probably 100% right! I still don't have the "feeling" about what is normal and what isn't. You guys here know very well what's considered to be "normal" and what goes into the malicious direction. Me not (yet).
Re: why self-notification?

geohei

I continued digging into this subject. Self-notification seems to have been addressed a couple of times via bug fixes, as Google revealed.

The major point is that I could not find out how PowerDNS figures out when to avoid self-notification, meaning that when it operates in master mode, how it determines from the list of NS records who it is itself.

Nothing found in PowerDNS docs, not meaning it wouldn't be there (somewhere).

The only reference I had was this:
http://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_03.htm

My database should however fulfill these requirements (I changed the database a bit from previous post above [added ns1. in the NS name]).

0|0|ddns.mydomain.com|SOA|ns1.ddns.mydomain.com. root.ddns.mydomain.com. 144706 86400 10800 604800 180|180||||
2|0|ddns.mydomain.com|NS|ns1.ddns.mydomain.com|86400||||
5|0|ns1.ddns.mydomain.com|CNAME|geohei.dyndns.home.address|86400||||
6|0|paul.mydomain.com|A|11.22.33.44|60||||

As you see, NS record content "ns1.ddns.mydomain.com" can be found in MNAME field of SOA record "ns1.ddns.mydomain.com.".

Here is the pdns.conf:

----- cut here -----
allow-axfr-ips=127.0.0.1
allow-recursion=127.0.0.1
config-dir=/etc/powerdns
daemon=yes
disable-axfr=no
guardian=yes
include-dir=/etc/powerdns/pdns.d
local-address=192.168.1.88
local-port=53
log-dns-details=yes
loglevel=9
log-dns-queries=yes
master=yes
module-dir=/usr/lib/powerdns
setgid=pdns
setuid=pdns
socket-dir=/var/run
version-string=powerdns
webserver=yes
webserver-address=192.168.1.88
webserver-port=8081
----- cut here -----

So ... bottom line ...
How does PowerDNS master server figure out who it is itself?

Thanks,