From 4ad2a1da1c78ebff547b835cd9967a2469703982 Mon Sep 17 00:00:00 2001
From: Michael Kaufmann
Date: Thu, 14 Oct 2021 19:07:05 +0200
Subject: [PATCH] add complete list of nameserver-ips and given axfr-servers to allow-axfr-ips list for PowerDNS; fixes #985
Signed-off-by: Michael Kaufmann
---
admin_configfiles.php | 35 +++++++++++++++++--
.../Cli/Action/ConfigServicesAction.php | 35 +++++++++++++++++--
lib/configfiles/bionic.xml | 2 --
lib/configfiles/bullseye.xml | 2 --
lib/configfiles/buster.xml | 2 --
lib/configfiles/focal.xml | 2 --
lib/configfiles/gentoo.xml | 2 --
lib/configfiles/stretch.xml | 2 --
lib/configfiles/xenial.xml | 2 --
9 files changed, 64 insertions(+), 20 deletions(-)
diff --git a/admin_configfiles.php b/admin_configfiles.php
index 1e14ddcf..594b7d2c 100644
--- a/admin_configfiles.php
+++ b/admin_configfiles.php
@@ -38,13 +38,43 @@ if ($userinfo['change_serversettings'] == '1') { // try to convert namserver hosts to ip's $ns_ips = ""; + $known_ns_ips = []; if (Settings::Get('system.nameservers') != '') { $nameservers = explode(',', Settings::Get('system.nameservers')); foreach ($nameservers as $nameserver) { $nameserver = trim($nameserver); + // DNS servers might be multi homed; allow transfer from all ip + // addresses of the DNS server $nameserver_ips = \Froxlor\PhpHelper::gethostbynamel6($nameserver); - if (is_array($nameserver_ips) && count($nameserver_ips) > 0) { - $ns_ips .= implode(",", $nameserver_ips); + // append dot to hostname + if (substr($nameserver, - 1, 1) != '.') { + $nameserver .= '.'; + } + // ignore invalid responses + if (! is_array($nameserver_ips)) { + // act like \Froxlor\PhpHelper::gethostbynamel6() and return unmodified hostname on error + $nameserver_ips = array( + $nameserver + ); + } else { + $known_ns_ips = array_merge($known_ns_ips, $nameserver_ips); + } + if (!empty($ns_ips)) { + $ns_ips .= ','; + } + $ns_ips .= implode(",", $nameserver_ips); + } + } + + // AXFR server + if (Settings::Get('system.axfrservers') != '') { + $axfrservers = explode(',', Settings::Get('system.axfrservers')); + foreach ($axfrservers as $axfrserver) { + if (!in_array(trim($axfrserver), $known_ns_ips)) { + if (!empty($ns_ips)) { + $ns_ips .= ','; + } + $ns_ips .= trim($axfrserver); } } } @@ -59,7 +89,6 @@ if ($userinfo['change_serversettings'] == '1') { '' => Settings::Get('system.ipaddress'), '' => Settings::Get('system.nameservers'), '' => $ns_ips, - '' => Settings::Get('system.axfrservers'), '' => Settings::Get('system.vmail_homedir'), '' => Settings::Get('system.vmail_uid'), '' => Settings::Get('system.vmail_gid'), diff --git a/lib/Froxlor/Cli/Action/ConfigServicesAction.php b/lib/Froxlor/Cli/Action/ConfigServicesAction.php index a425ac3d..8d6c5d68 100644 --- a/lib/Froxlor/Cli/Action/ConfigServicesAction.php +++ b/lib/Froxlor/Cli/Action/ConfigServicesAction.php 
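Review bot: An unresolvable nameserver is no longer skipped but written into allow-axfr-ips as a dotted hostname via the `$nameserver_ips = array($nameserver)` fallback, and an empty entry left by a trailing comma in `system.nameservers` becomes a bare `.`; as far as I can tell PowerDNS accepts only IP addresses and netmasks in that option, so one bad hostname now makes the generated configuration invalid where the removed `count($nameserver_ips) > 0` check used to drop it. The AXFR part has the same weakness in miniature: `in_array(trim($axfrserver), $known_ns_ips)` compares loosely and still appends empty entries, so the list can end up containing `,,`. I would skip empty and unresolvable entries instead of inventing a placeholder, and compare with `in_array($axfrserver, $known_ns_ips, true)`, as sketched below. The block in the lib/Froxlor/Cli/Action/ConfigServicesAction.php hunk is a verbatim copy with the same issues; moving the list building into one shared helper would keep the two callers in sync. The enclosing `if ($userinfo['change_serversettings'] == '1')` block starts and ends outside the hunk.
```php
foreach ($nameservers as $nameserver) {
    $nameserver = trim($nameserver);
    if ($nameserver === '') {
        continue;
    }
    // DNS servers might be multi homed; allow transfer from all ip
    // addresses of the DNS server
    $nameserver_ips = \Froxlor\PhpHelper::gethostbynamel6($nameserver);
    // a name that does not resolve cannot be expressed in allow-axfr-ips; leave it out
    if (!is_array($nameserver_ips) || count($nameserver_ips) == 0) {
        continue;
    }
    $known_ns_ips = array_merge($known_ns_ips, $nameserver_ips);
    if (!empty($ns_ips)) {
        $ns_ips .= ',';
    }
    $ns_ips .= implode(",", $nameserver_ips);
}
// … unchanged: end of the system.nameservers block, start of the AXFR block …
foreach ($axfrservers as $axfrserver) {
    $axfrserver = trim($axfrserver);
    if ($axfrserver === '' || in_array($axfrserver, $known_ns_ips, true)) {
        continue;
    }
    if (!empty($ns_ips)) {
        $ns_ips .= ',';
    }
    $ns_ips .= $axfrserver;
}
```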
@@ -341,13 +341,43 @@ class ConfigServicesAction extends \Froxlor\Cli\Action // try to convert namserver hosts to ip's $ns_ips = ""; + $known_ns_ips = []; if (Settings::Get('system.nameservers') != '') { $nameservers = explode(',', Settings::Get('system.nameservers')); foreach ($nameservers as $nameserver) { $nameserver = trim($nameserver); + // DNS servers might be multi homed; allow transfer from all ip + // addresses of the DNS server $nameserver_ips = \Froxlor\PhpHelper::gethostbynamel6($nameserver); - if (is_array($nameserver_ips) && count($nameserver_ips) > 0) { - $ns_ips .= implode(",", $nameserver_ips); + // append dot to hostname + if (substr($nameserver, - 1, 1) != '.') { + $nameserver .= '.'; + } + // ignore invalid responses + if (! is_array($nameserver_ips)) { + // act like \Froxlor\PhpHelper::gethostbynamel6() and return unmodified hostname on error + $nameserver_ips = array( + $nameserver + ); + } else { + $known_ns_ips = array_merge($known_ns_ips, $nameserver_ips); + } + if (!empty($ns_ips)) { + $ns_ips .= ','; + } + $ns_ips .= implode(",", $nameserver_ips); + } + } + + // AXFR server + if (Settings::Get('system.axfrservers') != '') { + $axfrservers = explode(',', Settings::Get('system.axfrservers')); + foreach ($axfrservers as $axfrserver) { + if (!in_array(trim($axfrserver), $known_ns_ips)) { + if (!empty($ns_ips)) { + $ns_ips .= ','; + } + $ns_ips .= trim($axfrserver); } } } @@ -365,7 +395,6 @@ class ConfigServicesAction extends \Froxlor\Cli\Action '' => Settings::Get('system.ipaddress'), '' => Settings::Get('system.nameservers'), '' => $ns_ips, - '' => Settings::Get('system.axfrservers'), '' => Settings::Get('system.vmail_homedir'), '' => Settings::Get('system.vmail_uid'), '' => Settings::Get('system.vmail_gid'), diff --git a/lib/configfiles/bionic.xml b/lib/configfiles/bionic.xml index b9a2c01d..fd7b22fd 100644 --- a/lib/configfiles/bionic.xml +++ b/lib/configfiles/bionic.xml 
@@ -388,7 +388,6 @@ exit "$RETVAL" # allow-axfr-ips Allow zonetransfers only to these subnets # allow-axfr-ips=127.0.0.0/8,::1, -# add these entries to the list if any specified: ################################# # allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges. @@ -933,7 +932,6 @@ gmysql-password= # allow-axfr-ips Allow zonetransfers only to these subnets # # allow-axfr-ips=127.0.0.0/8,::1, -# add these entries to the list if any specified: ################################# # allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges. diff --git a/lib/configfiles/bullseye.xml b/lib/configfiles/bullseye.xml index 73eefcd7..ff13ea85 100644 --- a/lib/configfiles/bullseye.xml +++ b/lib/configfiles/bullseye.xml @@ -377,7 +377,6 @@ exit "$RETVAL" # allow-axfr-ips Allow zonetransfers only to these subnets # allow-axfr-ips=127.0.0.0/8,::1, -# add these entries to the list if any specified: ################################# # allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges. @@ -907,7 +906,6 @@ gmysql-password= # allow-axfr-ips Allow zonetransfers only to these subnets # # allow-axfr-ips=127.0.0.0/8,::1, -# add these entries to the list if any specified: ################################# # allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges. diff --git a/lib/configfiles/buster.xml b/lib/configfiles/buster.xml index cb67bca9..f4fddd06 100644 --- a/lib/configfiles/buster.xml +++ b/lib/configfiles/buster.xml @@ -377,7 +377,6 @@ exit "$RETVAL" # allow-axfr-ips Allow zonetransfers only to these subnets # allow-axfr-ips=127.0.0.0/8,::1, -# add these entries to the list if any specified: ################################# # allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges. 
@@ -907,7 +906,6 @@ gmysql-password= # allow-axfr-ips Allow zonetransfers only to these subnets # # allow-axfr-ips=127.0.0.0/8,::1, -# add these entries to the list if any specified: ################################# # allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges. diff --git a/lib/configfiles/focal.xml b/lib/configfiles/focal.xml index 5a733992..f19bf6c4 100644 --- a/lib/configfiles/focal.xml +++ b/lib/configfiles/focal.xml @@ -375,7 +375,6 @@ exit "$RETVAL" # allow-axfr-ips Allow zonetransfers only to these subnets # allow-axfr-ips=127.0.0.0/8,::1, -# add these entries to the list if any specified: ################################# # allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges. @@ -920,7 +919,6 @@ gmysql-password= # allow-axfr-ips Allow zonetransfers only to these subnets # # allow-axfr-ips=127.0.0.0/8,::1, -# add these entries to the list if any specified: ################################# # allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges. diff --git a/lib/configfiles/gentoo.xml b/lib/configfiles/gentoo.xml index efeaf30b..8e9230f7 100644 --- a/lib/configfiles/gentoo.xml +++ b/lib/configfiles/gentoo.xml @@ -398,7 +398,6 @@ mail IN A # allow-axfr-ips Allow zonetransfers only to these subnets # allow-axfr-ips=127.0.0.0/8,::1, -# add these entries to the list if any specified: ################################# # allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges. @@ -929,7 +928,6 @@ gmysql-password= # allow-axfr-ips Allow zonetransfers only to these subnets # allow-axfr-ips=127.0.0.0/8,::1, -# add these entries to the list if any specified: ################################# # allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges. diff --git a/lib/configfiles/stretch.xml b/lib/configfiles/stretch.xml index ce379257..3bb9eb23 100644 --- a/lib/configfiles/stretch.xml +++ b/lib/configfiles/stretch.xml 
@@ -377,7 +377,6 @@ exit "$RETVAL" # allow-axfr-ips Allow zonetransfers only to these subnets # allow-axfr-ips=127.0.0.0/8,::1, -# add these entries to the list if any specified: ################################# # allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges. @@ -922,7 +921,6 @@ gmysql-password= # allow-axfr-ips Allow zonetransfers only to these subnets # # allow-axfr-ips=127.0.0.0/8,::1, -# add these entries to the list if any specified: ################################# # allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges. diff --git a/lib/configfiles/xenial.xml b/lib/configfiles/xenial.xml index a353294e..2285b441 100644 --- a/lib/configfiles/xenial.xml +++ b/lib/configfiles/xenial.xml @@ -388,7 +388,6 @@ exit "$RETVAL" # allow-axfr-ips Allow zonetransfers only to these subnets # allow-axfr-ips=127.0.0.0/8,::1, -# add these entries to the list if any specified: ################################# # allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges. @@ -933,7 +932,6 @@ gmysql-password= # allow-axfr-ips Allow zonetransfers only to these subnets # # allow-axfr-ips=127.0.0.0/8,::1, -# add these entries to the list if any specified: ################################# # allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges.