operasoftware / dns-ui Goto Github PK

Hi all

First thank your for this great job.

Could someone guide me with the installation in Centos 7? I already have working pdns and recursor working in the last version, and apache as well. Mysql is running fine.

Hi,

I am on the master branch. I noticed if I request a split zone (in my case I am splitting the zone "168.192.in-addr.arpa" into smaller zones), I get an error from the web UI. When I check the web server logs I see the following messages:

[:error] [pid 2006] [client 192.168.34.231:12898] 1528867401: exception 'ErrorException' with message 'Indirect modification of overloaded property Zone::$dnssec has no effect' in /home/dns-web/model/zonedirectory.php:49, referer: https://dns-web/zones/168.192.in-addr.arpa/split
[:error] [pid 2006] [client 192.168.34.231:12898] 1528867401: Stack trace:, referer: https://dns-web/zones/168.192.in-addr.arpa/split
[:error] [pid 2006] [client 192.168.34.231:12898] 1528867401: #0 /home/dns-web/model/zonedirectory.php(49): exception_error_handler(8, 'Indirect modifi...', '/home/dns-web.d...', 49, Array), referer: https://dns-web/zones/168.192.in-addr.arpa/split
[:error] [pid 2006] [client 192.168.34.231:12898] 1528867401: #1 /home/dns-web/model/zonedirectory.php(108): ZoneDirectory->add_zone(Object(Zone)), referer: https://dns-web/zones/168.192.in-addr.arpa/split
[:error] [pid 2006] [client 192.168.34.231:12898] 1528867401: #2 /home/dns-web/views/zonesplit.php(72): ZoneDirectory->create_zone(Object(Zone)), referer: https://dns-web/zones/168.192.in-addr.arpa/split
[:error] [pid 2006] [client 192.168.34.231:12898] 1528867401: #3 /home/dns-web/requesthandler.php(64): require('/home/dns-web...'), referer: https://dns-web/zones/168.192.in-addr.arpa/split
[:error] [pid 2006] [client 192.168.34.231:12898] 1528867401: #4 /home/dns-web/public_html/init.php(18): require('/home/dns-web...'), referer: https://dns-web/zones/168.192.in-addr.arpa/split
[:error] [pid 2006] [client 192.168.34.231:12898] 1528867401: #5 {main}, referer: https://dns-web/zones/168.192.in-addr.arpa/split

I've configured my haproxy to deal with https stuff and forward the "/pdns" requests to an apache virtualhost.
If I request https//mysite.com/pdns I got redirected to
https//mysite.com/zones
not
https//mysite.com/pdns/zones
even if in my config file I put
baseurl = https://mysite.com/pdns

Thanks a lot

I can log in, but the zones page gives me an error saying "Oops! Something went wrong!".

The PHP-FPM error log says:

[21-May-2018 22:28:47 UTC] 1526941727: Pest_NotFound: {"error":"Not Found"} in /home/dnsui/Pest.php:311
[21-May-2018 22:28:47 UTC] 1526941727: Stack trace:
[21-May-2018 22:28:47 UTC] 1526941727: #0 /home/dnsui/Pest.php(268): Pest->checkLastResponseForError()
[21-May-2018 22:28:47 UTC] 1526941727: #1 /home/dnsui/Pest.php(154): Pest->doRequest(Resource id #23)
[21-May-2018 22:28:47 UTC] 1526941727: #2 /home/dnsui/powerdns.php(30): Pest->get('zones', Array, Array)
[21-May-2018 22:28:47 UTC] 1526941727: #3 /home/dnsui/model/zonedirectory.php(129): PowerDNS->get('zones')
[21-May-2018 22:28:47 UTC] 1526941727: #4 /home/dnsui/model/user.php(219): ZoneDirectory->list_zones()
[21-May-2018 22:28:47 UTC] 1526941727: #5 /home/dnsui/views/zones.php(18): User->list_accessible_zones()
[21-May-2018 22:28:47 UTC] 1526941727: #6 /home/dnsui/requesthandler.php(64): require('/home/dnsui/vie...')
[21-May-2018 22:28:47 UTC] 1526941727: #7 /home/dnsui/public_html/init.php(18): require('/home/dnsui/req...')
[21-May-2018 22:28:47 UTC] 1526941727: #8 {main}

The pdns API seems to be working:

curl -D - -H 'X-API-Key: apikeyhere' -X GET http://127.0.0.1:8081/servers/localhost/zones
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Access-Control-Allow-Origin: *
Connection: close
Content-Length: 2
Content-Type: application/json
Server: PowerDNS/3.4.11

[]

I haven't set up any zones yet, I was planning on using the UI for that, so [] seems correct. Any ideas?

In what is almost certainly a case of bad string/integer comparison, attempting to delete a record 0 from eg. the zone 2.0.192.in-addr.arpa results in an error message:
"Tried to update a non-existent resource recordset: 2.0.192.in-addr.arpa PTR."

When a zone is very large (displayed over multiple pages), adding an RR to an RRset that is currently not shown (ie. is on a different page to the one being shown) will result in a confusing display where the primary RRset row (with the name and type rowspan) is not shown, but the newly added row is shown.

The suggested scheme in https://tools.ietf.org/html/rfc2317 is to have zone names such as 128/26.2.0.192.in-addr.arpa. to represent the range 192.0.2.128/26.

There are at least 3 DNS UI bugs related to having / in the zone name:

• Git-tracked-export files cannot be created due to / in file path.
• Apache by default will respond with 404 to any request with a %-encoded / (%2F) in unless AllowEncodedSlashes is specifically set. We want it to be set to NoDecode, though this means we cannot support this under Apache 2.2.
• Display of such zones in the zone list is broken ("IPv4 prefix" and "Subnet" columns).

Would be nice if more than just Pgsql was supported. Ideally (if it doesn't already) the frontend would purely use the PowerDNS API and support either DBMS for config/changelog storage etc...

Thanks for this nice PowerDNS frontend.

Our team would like to use this nice project with a peer-review work flow where all users could submit changes for review, including global and zone admins. Admins would still be allowed to save changes immediately or maybe a configuration flag could configure the behavior.

I have identified some bits of code that would need change, but I am unsure if these changes would be enough or they might bring problems.

diff --git a/templates/zone.php b/templates/zone.php
index 5105c74..d40fb8e 100644
--- a/templates/zone.php
+++ b/templates/zone.php
@@ -203,6 +203,7 @@ global $output_formatter;
                                <div id="errors"></div>
                                <?php if($active_user->admin || $active_user->access_to($zone) == 'administrator') { ?>
                                <p><button type="submit" id="zonesubmit" name="update_rrs" value="save" class="btn btn-primary">Save changes</button></p>
+                               <p><button type="submit" id="zonesubmit" name="update_rrs" value="request" class="btn btn-primary">Request changes</button></p>
                                <?php } else { ?>
                                <p><button type="submit" id="zonesubmit" name="update_rrs" value="request" class="btn btn-primary">Request changes</button></p>
                                <?php } ?>
diff --git a/views/zone.php b/views/zone.php
index dcd7c2c..284db9c 100644
--- a/views/zone.php
+++ b/views/zone.php
@@ -69,7 +69,7 @@ if($_SERVER['REQUEST_METHOD'] == 'POST') {
                foreach($_POST['updates'] as $update) {
                        $json->actions[] = json_decode($update);
                }
-               if($active_user->admin || $active_user->access_to($zone) == 'administrator') {
+               if($_POST['update_rrs'] == 'save' && ($active_user->admin || $active_user->access_to($zone) == 'administrator')) {
                        try {
                                $zone->process_bulk_json_rrset_update(json_encode($json));
                                redirect();

I did not setup a test environment yet but if other people are interested in this feature, I could test and submit a PR.

When adding multiple records, if one is in wrong format, al update fails an all input lost.

EX: Record a.pipo.com./CNAME 'pepe.com': Not in expected format (parsed as 'pepe.com.')

If I understand the functional workings and code correct, every time a record is added, a check is performed if a reverse zone exists, and if it does and doesn't have a reverse record already, it will create one.

If this is indeed the workings, then I think it'd be nice if this was configurable. That way you can choose if you want to have the system automatically create reverse DNS records for you or not.

A logout button is missing.

If I set baseurl = https://example.com/ I have redirection 303 to //zones.
If I set baseurl = https://example.com it works normal.

If this is a feature it need to add warning comment in config file sample.

The "create zone" form, and PowerDNS itself will allow the creation of a zone with an empty name.

It would be nice if there was an opportunity to delegate DNSSEC (DS) for reverse zones. This is relevant for IPv6 zones because zone size is very big and has many dots.

When I trying to save zone configuration with invalid data in input fields, I see "Oops". It would be nice to explain errors in the fields for the user.
Affected errors: no tailing dot in "Primary nameserver" and "Contact" fields.

It may be better to automatically set the dots in these fields.

It is necessary for same control while editing the SOA-template.

CNAMEs are a singleton type and it is not allowed to have one in addition to any other record for the same name.

PowerDNS does not prevent this, and currently neither does the DNS UI, but we should make it detect the conflict and prevent it.

Hello,

dns-ui is so far the best gui I could find for the powerdns api, thanks.
Nevertheless, I have found a few improvements and Bugs

bugs

• if you enter a ttl of 60, the gui will show "1M"

improvements

• make the set_ptr selectable in the zone config page or per domain in the config file. I habe no reverse zone, so the error "No suitable reverse zone could be found for" always appears.
• make the meta data of a zone editable in the zone config page.
  Currently I have to set the following options manually: SOA-EDIT, ALSO-NOTIFY, ALLOW-AXFR-FROM. NSEC3PARAM (for DNSSEC) is currently not settable through the powerdns Api.
  https://doc.powerdns.com/md/httpapi/api_spec/#zone-metadata
  a simple key value field to edit would be enough
• I am aware that the gui has been developed for a larger organization, so the deletion is done according to the four eyes principle.
  I use the Gui alone, so it would be nice if you can activate and deactivate the four eyes principle in the config file, then I could also delete a domain without logout and login with another user.
  The re-login is made more difficult by the HTTP Basic Auth, because the user is cached in the browser.
• a template for records (A, AAAA, MX, TXT for SPF) when creating a new domain would be very helpful.

Not sure if I am missing the option, but it appears there is no ability in the interface to delete a zone?

If it is missing it would be great to add it, possibly with some specific permissions (eg. group to add a zone, group to delete a zone etc)

While we had plans to use LDAP initially, we are also looking at an alternative way to pass user data (name, email and groups) into the PHP application.
As we already use Google Oauth to authenticate users, we considered using Google Directory as an alternative to LDAP.

While trying to keep this new feature generic and not dependent on Google Oauth or Google Directory, I imagined that the webserver would be responsible to get all user data and pass it via PHP variables, just like the PHP_AUTH_USER variable is passed already. This should be compatible with any Single-Sign-On system that can get the required user data into variables.

I have a working prototype code that is not very polished yet: BrandwatchLtd@26e9e4f
In case this is an interesting feature, I can open a PR. What do you think?

It's completely non-functional for them, but "IPv4 prefix [ ] Create zone from prefix" is shown on the reverse zone pages to non-admins.

If you attempt to change eg. an A record into a CNAME record, PowerDNS (as of version 4.1) complains that RRset foo.example.com. IN CNAME: Conflicts with pre-existing non-CNAME RRset

This is caused by the new API checks introduced by https://github.com/PowerDNS/pdns/pull/5389/files

I would argue that this is a bug in PowerDNS, since the check should not consider the record that is being updated.

Workaround: delete the existing record and create the new CNAME record. This can be done in a single transaction.

It seems dns-ui routes.php has the following:
'/users' => 'users',

But that doesn't work.. going to /users URL results in the following in error.log:

[Fri Nov 17 20:32:18.418460 2017] [:error] [pid 138] [client 192.168.1.101:39636] 1510943538: Exception: View file /opt/dns-ui/views/users.php missing. in /opt/dns-ui/requesthandler.php:66
[Fri Nov 17 20:32:18.418500 2017] [:error] [pid 138] [client 192.168.1.101:39636] 1510943538: Stack trace:
[Fri Nov 17 20:32:18.418504 2017] [:error] [pid 138] [client 192.168.1.101:39636] 1510943538: #0 /opt/dns-ui/public_html/init.php(18): require()
[Fri Nov 17 20:32:18.418508 2017] [:error] [pid 138] [client 192.168.1.101:39636] 1510943538: #1 {main}

Hi,

I'm guessing "patches welcome" is the general idea, but thought it would be good to discuss it first, before I start coding.

We're looking to start using this frontend, but we already "protect" some of our services with a dummy (i.e. static/simple) BasicAuth "wall" (to avoid being scraped/tested for vulnerabilities/brute-force/similar).

(yes, I know it's somewhat "security by obscurity", but that's just one of the layers, and mitigates the majority of attempts to find flaws).

However, this solution does not combine well with this project that relies on the web server doing the LDAP part (via BasicAuth).

I'm therefore looking to implement the LDAP-authentication/authorization as part of the front-end (web form, bla bla). Shouldn't be that much work, and the rest of the logic would remain more or less the same.

Some questions;

1. Any particular reason why it was done this way in the first place? Simplicity? (i.e. keep the LDAP-logic outside the project?).
2. I guess we want it to be configurable what to use? (i.e. a switch where you can select which method to use).
3. Anything else that should be thought of? I'm already having #29 in mind when doing this, so that it should be easier to expand the code to handle that as well.

This may be by design and I'm just misunderstanding, but when adding records to a zone classified private, I still get this warning:

"Warning: x.x.x.x is a local IP address. Adding it to a public zone does not make it accessible externally. Only proceed if you know what you are doing."

I'd think I'd only get that warning if my zone was classified public?

DNS UI should not instruct PowerDNS to create a reverse record if a CNAME record already exists at the same location (or better, it should create the reverse record in the delegated zone instead, but this is not an option with the auto-create feature in PowerDNS).

As a side note, PowerDNS really shouldn't allow this. I would consider it a bug that their recent addition of singleton record type enforcement does not catch this case.

I've configured the default replication type to be "Native" in the dns-ui settings.
Then I create/add a new zone from the web interface, and make sure "Native" is chosen as the replication type. I also used browser developer tools and made sure the POST request shows kind as "Native". So all should be fine..

But after the zone is added the Replication type is "Master", not "Native".

It seems there's a bug..

When splitting a zone (xxx.yyy.com out of yyy.com) and inside this zone we have an NS record (eg. zzz.xxx.yyy.com), this record is not transferred to the new zone. As it stays in the superior zone as zzz.xxx NS yyy.com it is a "dead" entry that cannot be reached.

Hy Guys,

create Work!

Is there a Way to create Slave Zones?

Kind Regards

Bernd

Require the user to provide the subnet, then generate the sub-zone with automatic generation of CNAME records for the delegated IP range and move the PTR records to the sub-zone.

I have imported my zones from sql and I had seen that my zone's serial not incrementing when I editing zone.

After invistigation I understood that my imported zones not contains SOA-EDIT-API/INCEPTION-INCREMENT in domain metadata table. In the old setup, zones was updated in the database directly by PowerAdmin.

It would be nice to automaticly check the consistency of the zones, including serial icrementation.

It would be nice to implement some per zone domain metadata features. Very important for me options:

• ALLOW-AXFR-FROM for AXFR ACL's
• ALSO-NOTIFY for NOTIFY additional list

Would be nice if we could manage more than one PowerDns server...

Hello.

It's not so much about DNS-UI, but about PDNS (v4.1).

I have secured zone from UI, next extracted DS from pdnsutil show-zone and handed to the registrar.

But I got these effect: https://community.cloudflare.com/t/1-1-1-1-cant-resolve-m-geektimes-com/17264. Because it need to exec pdnsutil rectify-zone after securing zone. If this is not done, all NSEC records will be:

...
example.com <ttl> IN NSEC example.com ...
...

After the rectify-zone it's becomes normal (recursive all zone records):

...
example.com <ttl> IN NSEC <next>.example.com ...
...

Perhaps it would be correct to perform API-method for zone rectifing after any manipulation with it. I dont know about automatic rectifing zone after any changes. This can be solved with the API-RECTIFY in domainmetadata but this is not enabled by default for any created zone.

It seems currently dns-ui supports granting full system admin access if user belongs to configured ldap group ("admin_group_cn").

Are there any plans to extend similar ldap groups feature for per-zone permissions? It'd be nice to be able to give members of specified ldap group(s) access to the given zone, at specified permission level.

for zone1, add multiple entries like:

• members of ldap group "zone1_admins" get admin level access to zone1.
• members of ldap group "zone1_operators" get operator level access to zone1.
• members of ldap group "foo_admins" get admin level access to zone1.

for zone2, add multiple entries like:

• members of ldap group "zone2_admins" get admin level access to zone2.
• members of ldap group "zone2_operators" get operator level access to zone2.
• members of ldap group "bar_admins" get admin level access to zone2.

and so on.. Thoughts?

We have found that the SOA serial number on PowerDNS database does not match the SOA serial number on the DNS replies on the PowerDNS master.

For example we see Serial number 2018030901 on dns-ui zone configuration, which matches the value on the MySQL backend database of the PowerDNS master. And PowerDNS master reply to the DNS request of the SOA record contains a serial like 1520616586, which keeps changing all the time because we had default-soa-edit=EPOCH on the PowerDNS master configuration.

I recognize that default-soa-edit=EPOCH is deprecated and it is our problem, but I wonder if dns-ui should perhaps explicitly define the SOA_EDIT of the zone just like it defines SOA_EDIT_API on zone create and restore operations.

I have tested the code change to define SOA_EDIT to the same value as SOA_EDIT_API, and it showed almost the expected behavior. The only odd thing now is that, on SOA records in DNS replies, PowerDNS will add 2 units to the serial on the database (which is seen via the API in dns-ui). And the extra odd thing is that after about 200 updates it stops adding these 2 units, but this is PowerDNS problem/feature for sure.

Any method of making changes in a zone should allow the user to provide a change comment. Currently this is not possible with an import action.

In addition, this triggers a bug in the system when an import is submitted as a change request. The lack of a comment (even an empty one) in the change JSON means that the change fails to display and breaks viewing the zone.

It's a common case when you manage only part of C-class to have this kind of records in forward zone.

And as I've just verified there's no support for CNAME RR's in reverse zones - same use case scenario.

Hello,

Does DNS-UI support DNSSEC? I couldn't find anything about it, but I saw a column DNSSEC in the demo server. So what is it? Where is the documentation?

Thanks!

It would be helpful to add some "helpers" for the various record types, for example PowerDNS-Admin project works in the below behaviour

1. Add new record, select record type (MX/CAA etc)
2. Select the content field for the record
3. A modal appears prompting for the various components (eg. Priority, Destination for MX)
4. Helper then compiles this into the string (eg. "0 mx1.example.com")

Whilst not super helpful with MX records, this would be more helpful for new comers for records like CAA who are not familair with the string required

Hello,

Thanks for the nice pdns GUI :-)
I'm going to build pdns and your gui with docker, i almost succeeded. However, I fail at the user authentication in dns-ui. I do not need LDAP authentication for my small project so I would like to use a local user authentication. In the demo I saw that I can create local users (Users -> Create User ->"You can create users in the local directory here".)
Currently I am getting the PHP error "Not logged in.", because the varialbe PHP_AUTH_USER is not set.
In the GUI I am getting the error "Oops! Something went wrong!"

What settings (Apache, PHP, dns-ui, dns-ui-db) must be made in a new installation to use local authentication?

I have everything installed, Apache is talking to LDAP, when I look into the Postgres database I see that there are domains listed in zone table. However I can't figure out how to add users so we can manage the domains. As far as I know everything is correct in regards to the LDAP User/Group config.ini, and i have manually run the 'ldap_update.php' but still nothing?

Suggestions?

dnsui=> select * from user;
current_user

dnsui-user
(1 row)

dnsui=> select * from zone;
id | pdns_id | name | serial | active | account | kind | dnssec
----+-------------+-------------+------------+--------+---------+--------+--------
1 | lnx.ninja. | lnx.ninja. | 2018040202 | t | | Native | 0
2 | domain.com. | domain.com. | 2018041100 | t | | Master | 0
(2 rows)

I would like to contribute a working example of an NGINX+PHP-FPM configuration for dns-ui.
This was done on a fresh Debian 9 server and following approximately the installation instructions on the README.md file.

The following packages had to be installed:

apt-get install nginx php php-fpm php-json php-ldap php-pgsql php-mbstring php7.0-intl php-curl postgresql-client postgresql

And the following NGINX server block was defined:

server {
	listen 80;
	listen 443 ssl;
	server_name dns-ui.example.com;
	ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
	ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

	root /home/dnsui/dns-ui/public_html;
	index init.php;
	
	auth_basic "Opera DNS UI";
	auth_basic_user_file /etc/nginx/passwd;

	location / {
		try_files $uri $uri/ @php;
	}

	location @php {
		rewrite ^/(.*)$ /init.php/$1 last;
	}

	location /init.php {
		# Mitigate https://httpoxy.org/ vulnerabilities
		fastcgi_param HTTP_PROXY "";
		fastcgi_pass unix:/run/php/php7.0-fpm.sock ;
		include /etc/nginx/snippets/fastcgi-php.conf;
	}
}

NSEC has a zone records disclosure fundamental vulnerability. It would be nice to add methods for NSEC3 zone enforcements and edit NSEC3 params. For pdns 4.1 it is a stock ability.

We are currently testing this frontend and loaded our current production data, which consists of quite a number of zones (>6500). We noticed they are all displayed on the same page, which can make both the loading of the page, but especially the browser itself, a bit sluggish.

It would be really nice if pagination could be added to the zone lists, still allowing for filtering (searching) columns.

Currently new zones are created with type=MASTER. When using a backend with native replication type should be NATIVE, so that no updates need to be sent out.

Is it possible to make the zone type configurable (at least at time of creation) or to set a default type for new zones?

Hi, it would be great if you could change DNS UI to treat and display double quotes in TXT records as content rather than a hidden string qualifiers, or at least add support for managing a single TXT record with multiple strings as described in RFC4408

An example of such TXT record is current public 2048 bit DKIM key of gmail.com:

# dig 20161025._domainkey.gmail.com TXT +short
"k=rsa\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAviPGBk4ZB64UfSqWyAicdR7lodhytae+EYRQVtKDhM+1mXjEqRtP/pDT3sBhazkmA48n2k5NJUyMEoO8nc2r6sUA+/Dom5jRBZp6qDKJOwjJ5R/OpHamlRG+YRJQqR" "tqEgSiJWG7h7efGYWmh4URhFM9k9+rmG/CwCgwx7Et+c8OMlngaLl04/bPmfpjdEyLWyNimk761CX6KymzYiRDNz1MOJOJ7OzFaS4PFbVLn0m5mf0HVNtBpPwWuCNvaFVflUYxEyblbB6h/oWOPGbzoSgtRA47SHV53SwZjIsVpbq4LxUW9IxAEwYzGcSgZ4n5Q8X8TndowsDUzoccPFGhdwIDAQAB"

Please add more DNS record types.

For example i need SSHFP record types.

Here is an example type list from google cloud dns:

If zone has CNAME record that is disabled, and also any other record type, the CNAME Singleton check will do not allow you to modify zone. It might be that it exists only if such double record was created before upgrading to new UI, not tried yet if it's possible to create disabled CNAME with other record OR upload zone with disabled CNAME and proper A record - I believe second use case might be more realistic.

Trying to import a bog standard BIND zone file, the import fails after selecting records with:

The zone update failed. The following error message was given: Key 'name' not present or not a String

Google suggests this is because the API changed regarding how you need to specify the name property in your API call.

pdns 4.0.4, dns-ui master. Issue was the same with pdns master.