Tinydns package and zone transfers quagmire



  • Hi,

    tinydns package configuration has an option:
    "
    Zone transfers
    Hosts allowed to perform DNS Zone Transfers - Note: this requires TCP port 53 firewall permit rule!
    "
    which makes us assume that tinydns supports zone transfers. I agree that big blocks of data are sent via TCP and not UDP for the DNS protocol. But the following option should be removed from the config, to prevent other people losing their time trying to set up tinydns zone transfers. I, too, lost two days configuring my systems to be able to transfer zones from the pfSense tinydns install to BIND as a slave, but failed. The reason is simple. Tinydns doesn't support zone transfers:
    "
    http://cr.yp.to/djbdns/tinydns.html
    Further details
    tinydns rejects zone-transfer requests, inverse queries, non-Internet-class queries, truncated packets, and packets that contain anything other than a single query.
    tinydns, like BIND, includes NS records with answers to most queries. This increases DNS packet sizes, but it draws queries away from parent servers, and reduces the frequency of long DNS delays. With the default tinydns-data cache times, a client that uses a normal record at least once every day will always have the corresponding NS records cached and will never have to talk to parent servers.
    "

    So please remove this option from the package.



  • …or maybe a better option would be to fix Zone Transfers  ;)

    I have been trying on and off for months to make this work, and your post about tinydns not supporting zone transfers got me to search for "tinydns zone transfer".  The first thing I found was this:

    http://cr.yp.to/djbdns/tcp.html

    Working my way through the steps there, I was able to get zone transfers working.  So others don't have to figure this all out by themselves, here is the major missing part to Zone Transfers on pfSense:

    0. Enable zone transfers in the web interface - this will mostly set up the axfrdns service.

    1. Add the IP addresses and zones that are allowed:

    # first host: plain allow; second host: allow, AXFR restricted to one zone
    echo '192.168.1.1:allow' > /etc/axfrdns/tcp
    echo '192.168.1.2:allow,AXFR="mydomain.tld"' >> /etc/axfrdns/tcp
    

    2. Build the tcpserver database:

    cd /etc/axfrdns
    tcprules tcp.cdb tcp.tmp < tcp
    

    At this point zone transfers will work.  (or at least they did for me on 1.2.3-RC1)

    Now for bonus points, why not just fix it so zone transfers in the tinydns package in pfSense just work.  Attached is an updated tinydns.inc file.  scp it into /usr/local/pkg and you will be able to set up zone transfers from the web GUI.

    Here are some highlights of what I fixed:

    1. Actually call tinydns_setup_axfrdns() - this function creates and compiles /etc/axfrdns/tcp.  I called it from tinydns_custom_php_changeip_command() right after exec("/usr/local/bin/axfrdns-conf Gaxfrdns Gdnslog /etc/axfrdns /etc/tinydns {$dnsserverip}");

    2. In tinydns_setup_axfrdns(), write $zonet to the file, not $zone - otherwise you get a file full of newlines.

    3. At the end of tinydns_setup_axfrdns(), call the correct command to build the tcpservice database.

    tinydns.inc.txt



  • I found another bug in tinydns_setup_axfrdns().  There was no ":deny" line so it was allowing all hosts to do zone transfers.  Attached is an updated fix.

    tinydns.inc.txt
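The two posts above describe the same file: the tcprules source for axfrdns, which needs one allow line per secondary and, as the follow-up found, an explicit ":deny" default so unmatched hosts are refused rather than allowed. The shell functions below are an added example, not code from this thread or from the pfSense tinydns package. They generate that file from a constructed allow-list, check that the default-deny line is present, and compile it with tcprules the same way the post does; the entry format "ip" or "ip=zone" is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense's tinydns.inc).
# Builds an axfrdns tcprules source from an allow-list and ends it with the
# ":deny" default that the follow-up post found missing.
# Input entries are assumed (constructed for this example) to look like
# "192.168.1.1" or "192.168.1.2=mydomain.tld".

# Print the tcprules source to stdout: one allow line per host, then ":deny".
# An entry of the form "ip=zone" restricts that host's AXFR to the named zone,
# which is the AXFR="zone" environment form tcprules/axfrdns use.
gen_axfr_rules() {
    for entry in "$@"; do
        case "$entry" in
            *=*)
                ip=${entry%%=*}
                zone=${entry#*=}
                printf '%s:allow,AXFR="%s"\n' "$ip" "$zone"
                ;;
            *)
                printf '%s:allow\n' "$entry"
                ;;
        esac
    done
    # Default rule: any client not matched above is refused.
    printf ':deny\n'
}

# Return 0 when the rules file carries an explicit ":deny" default line,
# 1 when it would let every unmatched host perform a zone transfer.
has_default_deny() {
    grep -q '^:deny' "$1"
}

# Compile the rules into the cdb that axfrdns (via tcpserver) reads,
# using the same invocation as the post: tcprules reads the source on stdin.
# Requires the tcprules binary from ucspi-tcp to be installed.
compile_rules() {
    dir=$1
    ( cd "$dir" && tcprules tcp.cdb tcp.tmp < tcp )
}

# Usage (writes the file, refuses to compile it without a default deny):
#   gen_axfr_rules 192.168.1.1 '192.168.1.2=mydomain.tld' > /etc/axfrdns/tcp
#   has_default_deny /etc/axfrdns/tcp && compile_rules /etc/axfrdns
```

Running has_default_deny before compile_rules is the check that would have caught the bug in the earlier tinydns.inc: with the trailing ":deny" line absent, tcprules happily builds a database that matches nobody and axfrdns answers AXFR for any client that reaches TCP port 53.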


  • Rebel Alliance Developer Netgate

    Xaox - patches are always a bonus, thanks for taking the time to help.

    You might want to open a ticket on http://redmine.pfsense.org under packages and attach your patches there. It would be more likely to catch a developer's eye there.



  • jimp - I have opened a bug.

    I still may not be able to get this working after all.  I can use "dig" to do a test zone transfer, but BIND 9.3 can't slave the zone.  I think I read something about a bug in BIND that axfrdns can't/won't cope with that causes the zone transfers to fail.

    At this point I'm thinking of giving up on tinydns and installing BIND using pkg_add.

