[nsd-users] Poison in AXFR transport from Windows Server DNS

Richard Kuchar r.kuchar at 1art.cz
Thu Dec 23 08:21:38 UTC 2010


Hi Ondrej,

I tried to find this option without success. So I created a small script
called nsd-xfer-eve (placed alongside nsd-xfer):

<script>
#!/bin/bash
# nsd-xfer-eve: wrapper around nsd-xfer that drops out-of-zone
# "$ORIGIN" sections (the poison glue records) from the transferred
# zone file before zonec compiles it.

## Run nsd-xfer in the standard way, passing all arguments through
/usr/sbin/nsd-xfer "$@"
# Remember the exit status so nsdc still sees the real result
EXIT_STATUS=$?

## Pick the zone name (-z) and the output file (-f) out of the arguments
ZONE=""
AXFR_FILE=""
while [ $# -gt 0 ]; do
	case "$1" in
		-z) ZONE="$2"; shift ;;
		-f) AXFR_FILE="$2"; shift ;;
	esac
	shift
done

# nsd-xfer returned 3: keep the original behaviour (print the zone
# name and pass the status on)
if [ "$EXIT_STATUS" = "3" ]; then
	echo "$ZONE"
	exit "$EXIT_STATUS"
fi

# Nothing to filter if no zone file was written
if [ -z "$AXFR_FILE" ] || [ ! -f "$AXFR_FILE" ]; then
	exit "$EXIT_STATUS"
fi

# Normalise the zone name to exactly one trailing dot, as in $ORIGIN lines
ZONE="${ZONE%.}."

mv "$AXFR_FILE" "$AXFR_FILE.2ck"
: > "$AXFR_FILE"
POISON=0

# Keep a $ORIGIN line (and the records that follow it) only when the
# origin is the zone itself or a parent of it (suffix on a label
# boundary, not just a substring); everything else is dropped until
# the next in-zone $ORIGIN line.
while IFS= read -r LINE; do
	case "$LINE" in
		'$ORIGIN '*)
			ORIGIN="${LINE#\$ORIGIN }"
			ORIGIN="${ORIGIN%%[[:space:]]*}"
			if [ "$ORIGIN" = "." ] || [ "$ZONE" = "$ORIGIN" ] || [[ "$ZONE" == *".$ORIGIN" ]]; then
				echo "$LINE" >> "$AXFR_FILE"
				POISON=0
			else
				POISON=1
			fi
			;;
		*)
			if [ "$POISON" -eq 0 ]; then
				echo "$LINE" >> "$AXFR_FILE"
			fi
			;;
	esac
done < "$AXFR_FILE.2ck"

# Clean up
rm -f "$AXFR_FILE.2ck"

exit "$EXIT_STATUS"
</script>

In Debian, nsdc uses the config file /etc/default/nsd, so I changed the
"nsdxfer" option to point to this script. Now nsdc calls the nsd-xfer-eve
script for the transfer, which does the POISON zone check and removes the
poison after the AXFR transfer.
It's not the best solution and the script is not written in the best way,
but for now it's fast and it works.
Maybe it will inspire you to do this inside nsdc.

-- 
Best Regards!

Richar Kuchar
1st ART Studio s.r.o.
Koněvova 1271/101
Praha 3, 130 00

On 11/14/2010 11:13 AM, Ondřej Surý wrote:
> Hi Richard,
> 
> I would guess that there would be an option on Microsoft DNS to not
> inject those lines into the zone transfer, but if there is not, then
> you can try to run it from a cron using script like this:
> 
> #!/bin/bash
> set -e
> ZONEFILE=/path/to/zonefile   # placeholder: the zone file the secondary loads
> TMPFILE1=$(mktemp zone.XXXXXX)
> dig IN AXFR @windows_primary zone > "$TMPFILE1"
> TMPFILE2=$(mktemp zone.XXXXXX)
> < "$TMPFILE1" grep -v "remove_the_poison" > "$TMPFILE2"
> cp "$TMPFILE2" "$ZONEFILE"
> rndc reload
> # temp files are retained if something goes wrong
> rm -f "$TMPFILE1" "$TMPFILE2"
> 
> Ondrej
> 
> On Fri, Nov 12, 2010 at 17:33, Richard Kuchar <r.kuchar at 1art.cz> wrote:
>> Hi,
>>
>> more primary DNS servers. There's no problem using it with a BIND primary
>> server. However, AXFR transfers from primary Windows Server 200(3|8) DNS
>> servers include a poison A entry like:
>>
>> ; NSD version 2.3.7
>> ; zone 'domain.tld.'   first transfer
>> ; from 1.2.3.4 using AXFR at Fri Nov 12 17:18:53 2010
>> ; NOT TSIG verified
>> $ORIGIN tld.
>> domain        3600    IN      SOA     ns.windows.tld.
>> hostmaster.domain.tld. ( 73 900 600 86400 3600 )
>>        3600    IN      NS      ns.windows.tld.
>>        3600    IN      NS      ns2.nsd.tld.
>>
>> ...
>>
>> $ORIGIN windows.tld.
>> ns      3600    IN      A       1.2.3.4
>> $ORIGIN nsd.tld.
>> ns2     3600    IN      A       10.20.30.40
>> $ORIGIN domain.tld.
>>
>>
>> That A entry in the transferred data causes a compile error in zonec.
>> Both (zonec and nsd-xfer) are called by nsdc.
>>
>> Is there any solution to discard this poison entry on transfer?
>>
>> --
>> Best Regards!
>>
>> Richar Kuchar
>> 1st ART Studio s.r.o.
>> Koněvova 1271/101
>> Praha 3, 130 00
>> _______________________________________________
>> nsd-users mailing list
>> nsd-users at NLnetLabs.nl
>> http://open.nlnetlabs.nl/mailman/listinfo/nsd-users
>>
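The filtering both messages in this thread describe (Richard's nsd-xfer wrapper and Ondrej's cron-driven grep) comes down to one decision per `$ORIGIN` line: is this origin the zone itself or a parent of it, or is it a foreign name whose records zonec will reject as out-of-zone data? The following is an added example, not code from the thread or from NSD. The function names `is_in_zone`, `strip_foreign_origins` and `sample_dump` are my own, and the sample dump is constructed from the excerpt in the original post with one extra in-zone `www` record (192.0.2.10) added so that the re-entry into the zone after the poison section is visible.

```shell
#!/bin/bash
# Added example (not from the thread or NSD): drop out-of-zone $ORIGIN
# sections from an nsd-xfer style zone dump.

# is_in_zone ZONE ORIGIN
# True when ORIGIN is the root, ZONE itself, or a parent of ZONE.
# The suffix test requires a label boundary, so "ld." is NOT treated
# as a parent of "domain.tld." (a plain substring test would accept it).
is_in_zone() {
	local zone="${1%.}." origin="${2%.}."
	[ "$origin" = "." ] && return 0
	[ "$zone" = "$origin" ] && return 0
	case "$zone" in
		*".$origin") return 0 ;;
	esac
	return 1
}

# strip_foreign_origins ZONE
# Reads a zone dump on stdin and writes it to stdout with every
# $ORIGIN section that lies outside ZONE removed. Comments and the
# in-zone sections pass through unchanged.
strip_foreign_origins() {
	local zone="$1" line origin skip=0
	while IFS= read -r line; do
		case "$line" in
			'$ORIGIN '*)
				origin="${line#\$ORIGIN }"
				origin="${origin%%[[:space:]]*}"
				if is_in_zone "$zone" "$origin"; then
					skip=0
					printf '%s\n' "$line"
				else
					skip=1
				fi
				;;
			*)
				if [ "$skip" -eq 0 ]; then
					printf '%s\n' "$line"
				fi
				;;
		esac
	done
}

# Constructed sample, modelled on the dump shown in the original post;
# the "www" record is an assumed extra in-zone record.
sample_dump() {
	cat <<'EOF'
; zone 'domain.tld.'   first transfer (constructed sample)
$ORIGIN tld.
domain        3600    IN      SOA     ns.windows.tld. hostmaster.domain.tld. ( 73 900 600 86400 3600 )
        3600    IN      NS      ns.windows.tld.
        3600    IN      NS      ns2.nsd.tld.
$ORIGIN windows.tld.
ns      3600    IN      A       1.2.3.4
$ORIGIN nsd.tld.
ns2     3600    IN      A       10.20.30.40
$ORIGIN domain.tld.
www     3600    IN      A       192.0.2.10
EOF
}

# Usage: print the filtered dump for domain.tld
sample_dump | strip_foreign_origins domain.tld
```

Run against the sample, the two glue A records under `$ORIGIN windows.tld.` and `$ORIGIN nsd.tld.` disappear while the SOA, both NS records and the `www` record survive. Note the limit of this approach: it only keys on `$ORIGIN` lines, so a record written with an absolute out-of-zone owner name inside an in-zone section would still pass, and zonec remains the final check.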