PF and DNS Zone Transfer

Hi

I have set up two DNS servers, one acts as master and the other as slave. Without Packet Filter (PF) enabled on both machines, zone transfer from master to slave works perfectly. Enabling PF on the master only, a zone transfer works. Now my problem is enabling PF on both master and slave machines: zone transfers fail.

  • Without PF -> zone transfer works
  • Enabling PF on master only -> zone transfer works
  • Enabling PF on both master and slave -> zone transfer never happens (fails)

Can someone please help me out on why the zone transfer fails after enabling PF on slave?

Slave PF configuration:
Code:
if = "myif0"
master = "master_dns_ip"
clients = "{my_clients_ip/XX}" # includes master_dns_ip

set skip on lo0

scrub on $if all no-df random-id min-ttl 30 max-mss 1500 fragment drop-ovl reassemble tcp

block all
antispoof quick for {lo0 $if} inet
pass in on $if inet proto {tcp, udp} from $clients to ($if) port 53 keep state
pass out on $if inet proto {tcp, udp} from ($if) to $master port 53 keep state

Thanks
 
Zone transfers use tcp/53. Make sure you allow these in/out, depending on the DNS server (master: in, slave: out). If that fails, turn logging on on your block rule(s), enable pflog in /etc/rc.conf, and troubleshoot by running tcpdump on interface pflog0.
 
@DutchDaemon, thanks for your message.

Is there any difference between
Code:
pass in on $if inet proto {tcp, udp} from $clients to ($if) port 53 keep state
and
Code:
my_ip = "XXX.XXX.XXX" # IP address I set up in rc.conf using inet
pass in on $if inet proto {tcp, udp} from $clients to $my_ip port 53 keep state

Because the zone transfer is working when I use ($if). When I'm using IP address, zone transfer fails.

Also in order for master to send the NOTIFY on zone change, I had to enable master: out (to slave) and slave: in on PF.

Thanks
 
Yeah, sorry about the direction. I forgot that the master pushes the transfer to the slave over tcp/53 when the slave's zone information is out of date.

I'm not sure why the IP address doesn't work, but one usually denotes the interface using an interface name or an IP or network attached to it (e.g. $if:0) anyway.

You can always use pfctl -sr and pfctl -sn to see how rules actually look after expansion.
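An added example, not taken from the thread, of matching master and slave rulesets that cover both legs of a zone update: the NOTIFY the master sends to the slave, and the SOA query plus AXFR the slave then opens back to the master over tcp/53. The block rule logs so that anything dropped shows up on pflog0. Interface names and addresses are placeholders.

```conf
# ---- master /etc/pf.conf (added example; names and addresses are placeholders) ----
ext_if  = "em0"
slave   = "192.0.2.20"           # slave's address (placeholder)
clients = "{ 192.0.2.0/24 }"     # resolvers allowed to query (placeholder)

set skip on lo0
scrub in on $ext_if all fragment reassemble

block log all                    # log drops; needs pflog_enable="YES", view with tcpdump -nei pflog0
antispoof quick for { lo0 $ext_if } inet

# Ordinary queries from clients
pass in  on $ext_if inet proto { tcp, udp } from $clients to ($ext_if) port 53 keep state
# The slave's SOA refresh query (udp or tcp) and the AXFR itself (tcp/53) arrive here
pass in  on $ext_if inet proto { tcp, udp } from $slave to ($ext_if) port 53 keep state
# NOTIFY (udp/53) sent to the slave after a zone change; the reply rides on the state
pass out on $ext_if inet proto udp from ($ext_if) to $slave port 53 keep state

# ---- slave /etc/pf.conf ----
ext_if  = "em0"
master  = "192.0.2.10"           # master's address (placeholder)
clients = "{ 192.0.2.0/24 }"

set skip on lo0
scrub in on $ext_if all fragment reassemble

block log all
antispoof quick for { lo0 $ext_if } inet

pass in  on $ext_if inet proto { tcp, udp } from $clients to ($ext_if) port 53 keep state
# NOTIFY arriving from the master
pass in  on $ext_if inet proto udp from $master to ($ext_if) port 53 keep state
# SOA refresh query and AXFR (tcp/53) initiated by the slave towards the master
pass out on $ext_if inet proto { tcp, udp } from ($ext_if) to $master port 53 keep state
```

After `pfctl -f /etc/pf.conf`, `pfctl -sr` shows the rules as expanded; `($ext_if)` in parentheses is resolved against the interface's current addresses whenever a packet is evaluated, whereas a literal address macro is fixed at load time, so the two only match the same traffic when that literal is exactly the address the daemon is bound to.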
 