LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 12-02-2009, 08:45 AM   #1
lomax0990
LQ Newbie
 
Registered: Jul 2009
Posts: 15

Rep: Reputation: 0
BIND 9 Zone Transfer Issues


I'm having a problem with zone transfers from a master nameserver to a secondary nameserver. Any help would be greatly appreciated.

When I restarted BIND I see the following in /var/log/messages:
Code:
Dec  2 08:35:31 dns1 named[21222]: zone mydomain.com/IN: sending notifies (serial 2009053102)
Dec  2 08:35:31 dns1 named[21222]: zone mydomain2.com/IN: sending notifies (serial 2009120101)
I have these log entries for every one of my zones. But apparently the secondary server is not getting the notifications, because the zones do not get transferred. I have also tried to do a tcpdump on the traffic and I can't see where it's even trying to send anything. I have Windows clients pointing to these machines for DNS and that works successfully. The primary is also working to provide DNS to the internet. I just can't get the zone transfers to work.

It's not a serial number issue because there are no zone files on the secondary server. I got them to transfer once somehow but I can't get it to work again. I have posted the relevant files below.

Also, I can telnet on TCP 53 to and from both servers, so I don't believe it's a firewall issue.

Master named.conf
Code:
options {
        listen-on port 53 { 127.0.0.1; XX.XX.169.198; 192.168.1.1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        query-source address 192.168.1.1;
        allow-query     { localhost; };
        allow-recursion { localnets; };
        allow-notify    { 192.168.1.4; };
        allow-transfer  { 192.168.1.4; };
        notify yes;
        recursion yes;
};

logging {
        channel default_debug {
                file "data/named.run";
                severity info;
        };
};

zone "." IN {
                type hint;
                file "named.ca";
};


zone "mydomainname.com"
        {
                type master;
                file "external/mydomainname.com.zone";
                allow-query { any; };
        };
Secondary named.conf
Code:
options {
        listen-on port 53 { 127.0.0.1; XX.XX.169.197; 192.168.1.4;};
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-recursion { localnets; };
        allow-query     { localhost; };
        allow-notify { 192.168.1.1; XX.XX.169.198; };
        transfer-source 192.168.1.1;
        recursion yes;
        notify yes;
};

logging {
        channel default_debug {
                file "data/named.run";
                severity info;
        };
};


zone "." IN {
        type hint;
        file "named.ca";
        };


zone "mydomain.com"
        {
                type slave;
                file "slaves/mydomain.com.zone";
                masters { 192.168.1.1; };
                allow-query { any; };
        };

Last edited by lomax0990; 12-02-2009 at 08:46 AM.
 
Old 12-02-2009, 09:16 AM   #2
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,975

Rep: Reputation: 1343
Hi,

Remove "allow-notify" from master; it's only used on slaves.
Can you force a zone transfer? Run
Code:
rndc retransfer mydomain.com
rndc retransfer mydomain2.com
from slave and watch logs on both servers.

Last edited by bathory; 12-02-2009 at 09:22 AM.
 
Old 12-02-2009, 09:38 AM   #3
lomax0990
LQ Newbie
 
Registered: Jul 2009
Posts: 15

Original Poster
Rep: Reputation: 0
Here is what I received on the Slave server: (I got nothing on the master)
Code:
Dec  2 09:31:35 dns2 named[12995]: received control channel command 'retransfer billswoodworks.com'
However, I did a dump on the traffic and found this:
Code:
09:34:53.112922 IP 192.168.1.1.53 > 192.168.1.4.14799: 29360 ServFail 0/0/0 (30)
09:34:53.113003 IP 192.168.1.4 > 192.168.1.1: ICMP 192.168.1.4 udp port 14799 unreachable, length 66
09:34:56.120787 IP 192.168.1.1.53 > 192.168.1.4.14799: 52571 ServFail 0/0/0 (26)
09:34:56.120871 IP 192.168.1.4 > 192.168.1.1: ICMP 192.168.1.4 udp port 14799 unreachable, length 62
09:34:59.126096 IP 192.168.1.1.53 > 192.168.1.4.14799: 60786 ServFail 0/0/0 (25)
09:34:59.126176 IP 192.168.1.4 > 192.168.1.1: ICMP 192.168.1.4 udp port 14799 unreachable, length 61
So it appears to be a firewall (iptables) issue. Wouldn't you agree? The only thing that puzzles me is that I did get this to work one time, and I haven't done anything with iptables since. So I'm a little confused.
 
Old 12-02-2009, 10:03 AM   #4
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,975

Rep: Reputation: 1343
Yes, it looks like a firewall problem. Maybe you should use "query-source port 53" in slave's config.
You can use another port number, but make sure it's open in your firewall.
 
Old 12-02-2009, 10:14 AM   #5
lomax0990
LQ Newbie
 
Registered: Jul 2009
Posts: 15

Original Poster
Rep: Reputation: 0
Well, I tried to use the query-source option you mentioned... here is my updated config:
Code:
options {
        listen-on port 53 { 127.0.0.1; XX.XX.169.197; 192.168.1.4;};
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-recursion { localnets; };
        allow-query     { localhost; };
        allow-notify { 192.168.1.1; XX.XX.169.198; };
        query-source port 53;
        transfer-source 192.168.1.1;
But I still get nothing. I get the following message on the slave and that's it:
Code:
Dec  2 10:11:56 dns2 named[26653]: received control channel command 'retransfer mydomain.com

The more traffic I'm watching, I don't think that my previous post about the UDP traffic is correct, because those messages appear to be intermittent, not just when I use the reload command. So it's something else trying to use those UDP ports. In any case, with the updated config (query-source) it should be using TCP 53, and I can telnet on port 53 to both of these machines. So I know the interface is listening and that it's accepting connections.
 
Old 12-02-2009, 11:53 AM   #6
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,975

Rep: Reputation: 1343
Quote:
transfer-source 192.168.1.1;
This must be the local IP and must be the same as the one in "allow-transfer ..." in master.
So you have to use:
Code:
transfer-source 192.168.1.4;
and restart BIND.

Last edited by bathory; 12-02-2009 at 02:51 PM.
 
Old 12-02-2009, 02:38 PM   #7
lomax0990
LQ Newbie
 
Registered: Jul 2009
Posts: 15

Original Poster
Rep: Reputation: 0
bathory,

You're a genius. That worked perfectly. I'm still confused though. The option doesn't make much sense. The word "source" in transfer-source suggests where the transfers will be coming from? I will research it more later though.

One more question I'm hoping you can answer: when I update a zone and increment the serial number the zone should replicate automatically right? When the TTL expires on the zone?
 
Old 12-02-2009, 03:02 PM   #8
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,975

Rep: Reputation: 1343
Quote:
transfer-source
transfer-source (ip4_addr | *) [port ip_port] ; ]

Only valid for 'type slave' zones. transfer-source determines which local IPv4 address will be bound to TCP connections used to fetch zones transferred inbound by the server. It also determines the source IPv4 address, and optionally the UDP port, used for the refresh queries and forwarded dynamic updates. If not set, it defaults to a BIND controlled value which will usually be the address of the interface "closest to" the remote end. This address must appear in the remote end's allow-transfer option for the zone being transferred, if one is specified. This statement may be specified in normal zone or view clauses or in a global options clause.
IMO options like this are redundant and I guess they're used in very special situations.

Quote:
One more question I'm hoping you can answer: when I update a zone and increment the serial number the zone should replicate automatically right? When the TTL expires on the zone?
Yes, when you update a zone in master and reload the zone, then master notifies slave(s) to start a zone transfer.
Slave does not use TTL, but the refresh value, to check master for zone changes.

Regards
 
Old 12-03-2009, 08:40 AM   #9
lomax0990
LQ Newbie
 
Registered: Jul 2009
Posts: 15

Original Poster
Rep: Reputation: 0
Yeah sorry the Refresh is what I meant to say. Got mixed up. Thanks again for all your help! It's working beautifully now!
 