Aki Tuomi [Thu, 13 Aug 2015 06:44:17 +0000 (09:44 +0300)]
Use separate setting for supermaster and notify
This allows enforcing signed supermaster notifications,
but retains compability with possible external nameservers
that do not support signed notifications.
Remi Gacogne [Tue, 19 Jan 2016 09:25:42 +0000 (10:25 +0100)]
dnsdist: Do not create socket/thread for fake DS in client mode
While parsing the configuration in client mode, we create a fake
DownstreamState for each newServer() call, because we need it to
return a valid DownstreamState object. Unfortunately this leads
to the creation of a socket for 0.0.0.0, and a subsequent
connection attempt.
We now detect that the address does not make sense in this context
and do not create the associated socket.
Closes #3257.
Pieter Lexis [Fri, 15 Jan 2016 17:00:26 +0000 (18:00 +0100)]
Fix the forward zones in the recursor
In the pre-DNSName era, when dns-native names were passed as strings, we
overloaded the NS-name for a forward or auth zone. e.g. an empty string
meant 'this is an auth zone' and '+203.0.113.1' meant 'forward to 203.0.113.1
with the RD bit set'. With DNSNames, this is impossible (yay!).
In this commit, the set of strings (and later DNSNames), is replaced by
a map where a DNSName is the key and the value is a pair of a
ComboAddress and a boolean.
A non-empty DNSName: This is a normal NS, recurse as usual (the pair is
ignored).
An empty DNSName and empty ComboAddress: We are auth for this zone,
check the auth store for an answer.
An empty DNSName and non-empty ComboAddress: The query must be forwarded
to the ComboAddress specified and the boolean in the pair tells us the
value of the RD bit in the query we need to send.
bert hubert [Sat, 16 Jan 2016 11:48:53 +0000 (12:48 +0100)]
found with the help of @mischapeters - turns out our recent 'supply local address to lua' improvements triggered us to set the source address on all our replies explicitly, something FreeBSD did not like and was wasteful on Linux. Plus added some logging that would have helped debug this faster.
Remi Gacogne [Fri, 15 Jan 2016 11:00:01 +0000 (12:00 +0100)]
dnsdist: Implement DNSAction.Spoof. Support IPv6-only SpoofAction
DNSAction.Spoof can be used to return a spoofed response from
a Lua rule. It supports an IPv4 (A), IPv6 (AAAA) or a DNSName
(CNAME).
SpoofAction() can be used IPv6-only, by passing a IPv6 as the
first parameter. It now supports spoofing IPv4-only, IPv6-only,
IPv4 and IPv6, and CNAME.
Closes #3064.
Remi Gacogne [Thu, 14 Jan 2016 11:57:33 +0000 (12:57 +0100)]
dnsdist: Replace the Lua params with a DNSQuestion `dq` object
In order to:
1. Be able to add functions/member without breaking the API
2. Being as compatible as possible with the PowerDNS Lua API
To limit the parsing/copy to a minimum, this DNSQuestion differs
from the PowerDNS one. Most Lua members are properly wrapped,
but it currently lacks some advanced functions like `getRecords()`
or `setRecords()`, that we might add later.
In addition to the existing `tostring()`, this commit adds
`toString()` ones to match the PowerDNS syntax.
LuaWrapper is supposed to support read-only members, where you
only define the getter and no setter, but I can't find the right
syntax for that to work, so for now the setter are present for
read-only members, and just do nothing.
Remi Gacogne [Wed, 13 Jan 2016 16:54:54 +0000 (17:54 +0100)]
dnsdist: Remove remote images in the webserver index
- Remove the github link/image
- Add the powerdns logo to the html directory
- Add handling for PNG files in the webserver
- Edit the CSP policy to only allows local images
- Explicitely asks jQuery not to use JSONP while fetching the stats
Remi Gacogne [Tue, 12 Jan 2016 15:00:36 +0000 (16:00 +0100)]
dnsdist: Add basic CORS support in the webserver
Now that we have removed JSONP support, we need to support
Cross-Origin Resource Sharing (CORS) to allow web pages not served
by our webserver to access our JSON REST API (well, stats).
- Remove the jsonp callback, using simple json data instead (Fixes #3217)
We might need to add CORS if we want to be able to retrieve JSON
data from a webpage not stored on the embedded web server.
- Add several HTTP headers:
* X-Content-Type-Options: no-sniff to prevent browsers from guessing MIME type
* X-Frame-Options: deny to prevent clickjacking
* X-Permitted-Cross-Domain-Policies: none to keep flash from crossing boundaries
* X-XSS-Protection: 1; mode=block to mitigate XSS
* Content-Security-Policy: default-src 'self'; img-src *; style-src 'self' 'unsafe-inline',
a basic CSP policy to restrict which scripts and CSS can be loaded
projects / pdns / log