maketank/Froxlor
2
0
Fork 0
Code Pull Requests Releases Activity

add complete list of nameserver-ips and given axfr-servers to allow-axfr-ips list for PowerDNS; fixes #985

Browse Source 
Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
This commit is contained in:
Michael Kaufmann
2021-10-14 19:07:05 +02:00
parent 37ae69f07a
commit 4ad2a1da1c
9 changed files with 64 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
admin_configfiles.php
View File

@@ -38,13 +38,43 @@ if ($userinfo['change_serversettings'] == '1') {
// try to convert namserver hosts to ip's // try to convert namserver hosts to ip's
$ns_ips = ""; $ns_ips = "";
$known_ns_ips = [];
if (Settings::Get('system.nameservers') != '') { if (Settings::Get('system.nameservers') != '') {
$nameservers = explode(',', Settings::Get('system.nameservers')); $nameservers = explode(',', Settings::Get('system.nameservers'));
foreach ($nameservers as $nameserver) { foreach ($nameservers as $nameserver) {
$nameserver = trim($nameserver); $nameserver = trim($nameserver);
// DNS servers might be multi homed; allow transfer from all ip
// addresses of the DNS server
$nameserver_ips = \Froxlor\PhpHelper::gethostbynamel6($nameserver); $nameserver_ips = \Froxlor\PhpHelper::gethostbynamel6($nameserver);
if (is_array($nameserver_ips) && count($nameserver_ips) > 0) { // append dot to hostname
$ns_ips .= implode(",", $nameserver_ips); if (substr($nameserver, - 1, 1) != '.') {
$nameserver .= '.';
}
// ignore invalid responses
if (! is_array($nameserver_ips)) {
// act like \Froxlor\PhpHelper::gethostbynamel6() and return unmodified hostname on error
$nameserver_ips = array(
$nameserver
);
} else {
$known_ns_ips = array_merge($known_ns_ips, $nameserver_ips);
}
if (!empty($ns_ips)) {
$ns_ips .= ',';
}
$ns_ips .= implode(",", $nameserver_ips);
}
}
// AXFR server
if (Settings::Get('system.axfrservers') != '') {
$axfrservers = explode(',', Settings::Get('system.axfrservers'));
foreach ($axfrservers as $axfrserver) {
if (!in_array(trim($axfrserver), $known_ns_ips)) {
if (!empty($ns_ips)) {
$ns_ips .= ',';
}
$ns_ips .= trim($axfrserver);
} }
} }
} }
@@ -59,7 +89,6 @@ if ($userinfo['change_serversettings'] == '1') {
'<SERVERIP>' => Settings::Get('system.ipaddress'), '<SERVERIP>' => Settings::Get('system.ipaddress'),
'<NAMESERVERS>' => Settings::Get('system.nameservers'), '<NAMESERVERS>' => Settings::Get('system.nameservers'),
'<NAMESERVERS_IP>' => $ns_ips, '<NAMESERVERS_IP>' => $ns_ips,
'<AXFRSERVERS>' => Settings::Get('system.axfrservers'),
'<VIRTUAL_MAILBOX_BASE>' => Settings::Get('system.vmail_homedir'), '<VIRTUAL_MAILBOX_BASE>' => Settings::Get('system.vmail_homedir'),
'<VIRTUAL_UID_MAPS>' => Settings::Get('system.vmail_uid'), '<VIRTUAL_UID_MAPS>' => Settings::Get('system.vmail_uid'),
'<VIRTUAL_GID_MAPS>' => Settings::Get('system.vmail_gid'), '<VIRTUAL_GID_MAPS>' => Settings::Get('system.vmail_gid'),

35
lib/Froxlor/Cli/Action/ConfigServicesAction.php
View File

@@ -341,13 +341,43 @@ class ConfigServicesAction extends \Froxlor\Cli\Action
// try to convert namserver hosts to ip's // try to convert namserver hosts to ip's
$ns_ips = ""; $ns_ips = "";
$known_ns_ips = [];
if (Settings::Get('system.nameservers') != '') { if (Settings::Get('system.nameservers') != '') {
$nameservers = explode(',', Settings::Get('system.nameservers')); $nameservers = explode(',', Settings::Get('system.nameservers'));
foreach ($nameservers as $nameserver) { foreach ($nameservers as $nameserver) {
$nameserver = trim($nameserver); $nameserver = trim($nameserver);
// DNS servers might be multi homed; allow transfer from all ip
// addresses of the DNS server
$nameserver_ips = \Froxlor\PhpHelper::gethostbynamel6($nameserver); $nameserver_ips = \Froxlor\PhpHelper::gethostbynamel6($nameserver);
if (is_array($nameserver_ips) && count($nameserver_ips) > 0) { // append dot to hostname
$ns_ips .= implode(",", $nameserver_ips); if (substr($nameserver, - 1, 1) != '.') {
$nameserver .= '.';
}
// ignore invalid responses
if (! is_array($nameserver_ips)) {
// act like \Froxlor\PhpHelper::gethostbynamel6() and return unmodified hostname on error
$nameserver_ips = array(
$nameserver
);
} else {
$known_ns_ips = array_merge($known_ns_ips, $nameserver_ips);
}
if (!empty($ns_ips)) {
$ns_ips .= ',';
}
$ns_ips .= implode(",", $nameserver_ips);
}
}
// AXFR server
if (Settings::Get('system.axfrservers') != '') {
$axfrservers = explode(',', Settings::Get('system.axfrservers'));
foreach ($axfrservers as $axfrserver) {
if (!in_array(trim($axfrserver), $known_ns_ips)) {
if (!empty($ns_ips)) {
$ns_ips .= ',';
}
$ns_ips .= trim($axfrserver);
} }
} }
} }
@@ -365,7 +395,6 @@ class ConfigServicesAction extends \Froxlor\Cli\Action
'<SERVERIP>' => Settings::Get('system.ipaddress'), '<SERVERIP>' => Settings::Get('system.ipaddress'),
'<NAMESERVERS>' => Settings::Get('system.nameservers'), '<NAMESERVERS>' => Settings::Get('system.nameservers'),
'<NAMESERVERS_IP>' => $ns_ips, '<NAMESERVERS_IP>' => $ns_ips,
'<AXFRSERVERS>' => Settings::Get('system.axfrservers'),
'<VIRTUAL_MAILBOX_BASE>' => Settings::Get('system.vmail_homedir'), '<VIRTUAL_MAILBOX_BASE>' => Settings::Get('system.vmail_homedir'),
'<VIRTUAL_UID_MAPS>' => Settings::Get('system.vmail_uid'), '<VIRTUAL_UID_MAPS>' => Settings::Get('system.vmail_uid'),
'<VIRTUAL_GID_MAPS>' => Settings::Get('system.vmail_gid'), '<VIRTUAL_GID_MAPS>' => Settings::Get('system.vmail_gid'),

2
lib/configfiles/bionic.xml
View File

@@ -388,7 +388,6 @@ exit "$RETVAL"
# allow-axfr-ips Allow zonetransfers only to these subnets # allow-axfr-ips Allow zonetransfers only to these subnets
# #
allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP> allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
# add these entries to the list if any specified: <AXFRSERVERS>
################################# #################################
# allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges. # allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges.
@@ -933,7 +932,6 @@ gmysql-password=
# allow-axfr-ips Allow zonetransfers only to these subnets # allow-axfr-ips Allow zonetransfers only to these subnets
# #
# allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP> # allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
# add these entries to the list if any specified: <AXFRSERVERS>
################################# #################################
# allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges. # allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges.

2
lib/configfiles/bullseye.xml
View File

@@ -377,7 +377,6 @@ exit "$RETVAL"
# allow-axfr-ips Allow zonetransfers only to these subnets # allow-axfr-ips Allow zonetransfers only to these subnets
# #
allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP> allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
# add these entries to the list if any specified: <AXFRSERVERS>
################################# #################################
# allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges. # allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges.
@@ -907,7 +906,6 @@ gmysql-password=
# allow-axfr-ips Allow zonetransfers only to these subnets # allow-axfr-ips Allow zonetransfers only to these subnets
# #
# allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP> # allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
# add these entries to the list if any specified: <AXFRSERVERS>
################################# #################################
# allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges. # allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges.

2
lib/configfiles/buster.xml
View File

@@ -377,7 +377,6 @@ exit "$RETVAL"
# allow-axfr-ips Allow zonetransfers only to these subnets # allow-axfr-ips Allow zonetransfers only to these subnets
# #
allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP> allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
# add these entries to the list if any specified: <AXFRSERVERS>
################################# #################################
# allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges. # allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges.
@@ -907,7 +906,6 @@ gmysql-password=
# allow-axfr-ips Allow zonetransfers only to these subnets # allow-axfr-ips Allow zonetransfers only to these subnets
# #
# allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP> # allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
# add these entries to the list if any specified: <AXFRSERVERS>
################################# #################################
# allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges. # allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges.

2
lib/configfiles/focal.xml
View File

@@ -375,7 +375,6 @@ exit "$RETVAL"
# allow-axfr-ips Allow zonetransfers only to these subnets # allow-axfr-ips Allow zonetransfers only to these subnets
# #
allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP> allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
# add these entries to the list if any specified: <AXFRSERVERS>
################################# #################################
# allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges. # allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges.
@@ -920,7 +919,6 @@ gmysql-password=
# allow-axfr-ips Allow zonetransfers only to these subnets # allow-axfr-ips Allow zonetransfers only to these subnets
# #
# allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP> # allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
# add these entries to the list if any specified: <AXFRSERVERS>
################################# #################################
# allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges. # allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges.

2
lib/configfiles/gentoo.xml
View File

@@ -398,7 +398,6 @@ mail IN A <SERVERIP>
# allow-axfr-ips Allow zonetransfers only to these subnets # allow-axfr-ips Allow zonetransfers only to these subnets
# #
allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP> allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
# add these entries to the list if any specified: <AXFRSERVERS>
################################# #################################
# allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges. # allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges.
@@ -929,7 +928,6 @@ gmysql-password=
# allow-axfr-ips Allow zonetransfers only to these subnets # allow-axfr-ips Allow zonetransfers only to these subnets
# #
allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP> allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
# add these entries to the list if any specified: <AXFRSERVERS>
################################# #################################
# allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges. # allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges.

2
lib/configfiles/stretch.xml
View File

@@ -377,7 +377,6 @@ exit "$RETVAL"
# allow-axfr-ips Allow zonetransfers only to these subnets # allow-axfr-ips Allow zonetransfers only to these subnets
# #
allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP> allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
# add these entries to the list if any specified: <AXFRSERVERS>
################################# #################################
# allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges. # allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges.
@@ -922,7 +921,6 @@ gmysql-password=
# allow-axfr-ips Allow zonetransfers only to these subnets # allow-axfr-ips Allow zonetransfers only to these subnets
# #
# allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP> # allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
# add these entries to the list if any specified: <AXFRSERVERS>
################################# #################################
# allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges. # allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges.

2
lib/configfiles/xenial.xml
View File

@@ -388,7 +388,6 @@ exit "$RETVAL"
# allow-axfr-ips Allow zonetransfers only to these subnets # allow-axfr-ips Allow zonetransfers only to these subnets
# #
allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP> allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
# add these entries to the list if any specified: <AXFRSERVERS>
################################# #################################
# allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges. # allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges.
@@ -933,7 +932,6 @@ gmysql-password=
# allow-axfr-ips Allow zonetransfers only to these subnets # allow-axfr-ips Allow zonetransfers only to these subnets
# #
# allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP> # allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
# add these entries to the list if any specified: <AXFRSERVERS>
################################# #################################
# allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges. # allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges.