Newbie - Zone Transfer Denied
Dixon, Justin
Justin.Dixon at BBandT.com
Mon Aug 28 12:50:36 UTC 2006
Ignore this... Haven't had enough coffee yet this morning... I got the numbers mixed up.
-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
Behalf Of Dixon, Justin
Sent: Monday, August 28, 2006 08:33
To: bind-users at isc.org
Subject: RE: Newbie - Zone Transfer Denied
It appears that you have your slave server setup as the master of the
zone in named.conf on the slave server...
See Below:
>include "/etc/named.conf.include";
> zone "tuxland.com" in {
> type slave;
> file "slave/datadnsslave.tuxland.com";
> allow-query { any; };
> allow-transfer { 100.100.100.2; };
> masters { 100.100.100.2; }; <-----This appears to be the IP of your slave server, not the master
> };
-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
Behalf Of Mark Andrews
Sent: Sunday, August 27, 2006 20:01
To: creature gijon
Cc: bind-users at isc.org
Subject: Re: Newbie - Zone Transfer Denied
> Hi there,
> I'm new with BIND and got this message when trying to receive zones in a
> slave from the master:
>
> Aug 27 15:51:37 mortadelo named[10644]: zone tuxland.com/IN: Transfer started.
> Aug 27 15:51:37 mortadelo named[10644]: transfer of 'tuxland.com/IN' from 100.100.100.2#53: connected using 100.100.100.1#37276
> Aug 27 15:51:37 mortadelo named[10644]: transfer of 'tuxland.com/IN' from 100.100.100.2#53: failed while receiving responses: REFUSED
> Aug 27 15:51:37 mortadelo named[10644]: transfer of 'tuxland.com/IN' from 100.100.100.2#53: end of transfer
>
> On the machine with the master I got the message:
>
> Aug 27 16:53:52 filemon named[7231]: running
> Aug 27 16:54:41 filemon named[7231]: client ::ffff:100.100.100.1#37276: zone transfer 'tuxland.com/IN' denied
>>
>> Now if the platform has a non-broken IPv6 stack we wouldn't see
>> this.
>>
>> To workaround the broken IPv6 stack set
>>
>> match-mapped-addresses yes;
>>
> There is no firewall active.
> Any idea about what I'm doing wrong?
> Thanks in advance for your help.
> Below you can find the named.conf from the master, from the slave, and "tuxland.com" zone file data:
>
> By the way, I'm using SuSE 10.
>
> **********************************
> Machine: mortadelo
> Acting as DNS server master
> named.conf data
> *********************************
> # Copyright (c) 2001-2004 SuSE Linux AG, Nuernberg, Germany.
> # All rights reserved.
> #
> # Author: Frank Bodammer, Lars Mueller <lmuelle at suse.de>
> #
> # /etc/named.conf
> #
> # This is a sample configuration file for the name server BIND 9. It works
> # as a caching only name server without modification.
> #
> # A sample configuration for setting up your own domain can be found in
> # /usr/share/doc/packages/bind/sample-config.
> #
> # A description of all available options can be found in
> # /usr/share/doc/packages/bind/misc/options.
>
> options {
>
> # The directory statement defines the name server's working directory
>
> directory "/var/lib/named";
>
> # Write dump and statistics file to the log subdirectory. The
> # pathnames are relative to the chroot jail.
>
> dump-file "/var/log/named_dump.db";
> statistics-file "/var/log/named.stats";
>
> # The forwarders record contains a list of servers to which queries
> # should be forwarded. Enable this line and modify the IP address to
> # your provider's name server. Up to three servers may be listed.
>
> #forwarders { 192.0.2.1; 192.0.2.2; };
>
> # Enable the next entry to prefer usage of the name server declared in
> # the forwarders section.
>
> #forward first;
>
> # The listen-on record contains a list of local network interfaces to
> # listen on. Optionally the port can be specified. Default is to
> # listen on all interfaces found on your system. The default port is
> # 53.
>
> #listen-on port 53 { 127.0.0.1; };
>
> # The listen-on-v6 record enables or disables listening on IPv6
> # interfaces. Allowed values are 'any' and 'none' or a list of
> # addresses.
>
> listen-on-v6 { any; };
>
> # The next three statements may be needed if a firewall stands between
> # the local server and the internet.
>
> #query-source address * port 53;
> #transfer-source * port 53;
> #notify-source * port 53;
>
> # The allow-query record contains a list of networks or IP addresses
> # to accept and deny queries from. The default is to allow queries
> # from all hosts.
>
> #allow-query { 127.0.0.1; };
>
> # If notify is set to yes (default), notify messages are sent to other
> # name servers when the zone data is changed. Instead of setting
> # a global 'notify' statement in the 'options' section, a separate
> # 'notify' can be added to each zone definition.
>
> notify no;
> forwarders { 82.82.82.82; 83.83.83.83; };
> };
>
> # To configure named's logging remove the leading '#' characters of the
> # following examples.
> #logging {
> # # Log queries to a file limited to a size of 100 MB.
> # channel query_logging {
> # file "/var/log/named_querylog"
> # versions 3 size 100M;
> # print-time yes; // timestamp log entries
> # };
> # category queries {
> # query_logging;
> # };
> #
> # # Or log this kind alternatively to syslog.
> # channel syslog_queries {
> # syslog user;
> # severity info;
> # };
> # category queries { syslog_queries; };
> #
> # # Log general name server errors to syslog.
> # channel syslog_errors {
> # syslog user;
> # severity error;
> # };
> # category default { syslog_errors; };
> #
> # # Don't log lame server messages.
> # category lame-servers { null; };
> #};
>
> # The following zone definitions don't need any modification. The first one
> # is the definition of the root name servers. The second one defines
> # localhost while the third defines the reverse lookup for localhost.
>
> zone "." in {
> type hint;
> file "root.hint";
> };
>
> zone "localhost" in {
> type master;
> file "localhost.zone";
> };
>
> zone "0.0.127.in-addr.arpa" in {
> type master;
> file "127.0.0.zone";
> };
>
> # Include the meta include file generated by createNamedConfInclude. This
> # includes all files as configured in NAMED_CONF_INCLUDE_FILES from
> # /etc/sysconfig/named
>
> include "/etc/named.conf.include";
> zone "tuxland.com" in {
> file "master/tuxland.com";
> type master;
> allow-query { any; };
> allow-transfer { 100.100.100.1; };
> };
>
> # You can insert further zone records for your own domains below or create
> # single files in /etc/named.d/ and add the file names to
> # NAMED_CONF_INCLUDE_FILES.
> # See /usr/share/doc/packages/bind/README.SuSE for more details.
>
> **********************************
> Machine: mortadelo
> Acting as DNS server master
> tuxland.com file data
> *********************************
>
> $TTL 2d
> @ IN SOA tuxland.com. root.tuxland.com. (
> 2006082502 ; serial
> 3h ; refresh
> 1h ; retry
> 1w ; expiry
> 1d ) ; minimum
>
> @ IN NS dnsmaster.tuxland.com.
> @ IN NS dnsslave.tuxland.com.
>
> @ IN A 100.100.100.2
> dnsmaster IN A 100.100.100.2
> dnsslave IN A 100.100.100.1
>
> **********************************
> Machine: filemon
> Acting as DNS server slave
> named.conf file
> *********************************
> # Copyright (c) 2001-2004 SuSE Linux AG, Nuernberg, Germany.
> # All rights reserved.
> #
> # Author: Frank Bodammer, Lars Mueller <lmuelle at suse.de>
> #
> # /etc/named.conf
> #
> # This is a sample configuration file for the name server BIND 9. It works
> # as a caching only name server without modification.
> #
> # A sample configuration for setting up your own domain can be found in
> # /usr/share/doc/packages/bind/sample-config.
> #
> # A description of all available options can be found in
> # /usr/share/doc/packages/bind/misc/options.
>
> options {
>
> # The directory statement defines the name server's working directory
>
> directory "/var/lib/named";
>
> # Write dump and statistics file to the log subdirectory. The
> # pathnames are relative to the chroot jail.
>
> dump-file "/var/log/named_dump.db";
> statistics-file "/var/log/named.stats";
>
> # The forwarders record contains a list of servers to which queries
> # should be forwarded. Enable this line and modify the IP address to
> # your provider's name server. Up to three servers may be listed.
>
> forwarders { 82.82.82.82; 83.83.83.83; };
>
> # Enable the next entry to prefer usage of the name server declared in
> # the forwarders section.
>
> #forward first;
>
> # The listen-on record contains a list of local network interfaces to
> # listen on. Optionally the port can be specified. Default is to
> # listen on all interfaces found on your system. The default port is
> # 53.
>
> #listen-on port 53 { 127.0.0.1; };
>
> # The listen-on-v6 record enables or disables listening on IPv6
> # interfaces. Allowed values are 'any' and 'none' or a list of
> # addresses.
>
> listen-on-v6 { any; };
>
> # The next three statements may be needed if a firewall stands between
> # the local server and the internet.
>
> #query-source address * port 53;
> #transfer-source * port 53;
> #notify-source * port 53;
>
> # The allow-query record contains a list of networks or IP addresses
> # to accept and deny queries from. The default is to allow queries
> # from all hosts.
>
> #allow-query { 127.0.0.1; };
>
> # If notify is set to yes (default), notify messages are sent to other
> # name servers when the zone data is changed. Instead of setting
> # a global 'notify' statement in the 'options' section, a separate
> # 'notify' can be added to each zone definition.
>
> notify no;
> };
>
> # To configure named's logging remove the leading '#' characters of the
> # following examples.
> #logging {
> # # Log queries to a file limited to a size of 100 MB.
> # channel query_logging {
> # file "/var/log/named_querylog"
> # versions 3 size 100M;
> # print-time yes; // timestamp log entries
> # };
> # category queries {
> # query_logging;
> # };
> #
> # # Or log this kind alternatively to syslog.
> # channel syslog_queries {
> # syslog user;
> # severity info;
> # };
> # category queries { syslog_queries; };
> #
> # # Log general name server errors to syslog.
> # channel syslog_errors {
> # syslog user;
> # severity error;
> # };
> # category default { syslog_errors; };
> #
> # # Don't log lame server messages.
> # category lame-servers { null; };
> #};
>
> # The following zone definitions don't need any modification. The first one
> # is the definition of the root name servers. The second one defines
> # localhost while the third defines the reverse lookup for localhost.
>
> zone "." in {
> type hint;
> file "root.hint";
> };
>
>
> zone "localhost" in {
> type master;
> file "localhost.zone";
> };
>
> zone "0.0.127.in-addr.arpa" in {
> type master;
> file "127.0.0.zone";
> };
>
> # Include the meta include file generated by createNamedConfInclude. This
> # includes all files as configured in NAMED_CONF_INCLUDE_FILES from
> # /etc/sysconfig/named
>
> include "/etc/named.conf.include";
> zone "tuxland.com" in {
> type slave;
> file "slave/datadnsslave.tuxland.com";
> allow-query { any; };
> allow-transfer { 100.100.100.2; };
> masters { 100.100.100.2; };
> };
>
> # You can insert further zone records for your own domains below or create
> # single files in /etc/named.d/ and add the file names to
> # NAMED_CONF_INCLUDE_FILES.
> # See /usr/share/doc/packages/bind/README.SUSE for more details.
>
--
ISC Training! October 16-20, 2006, in the San Francisco Bay Area,
covering topics from DNS to DHCP. Email training at isc.org.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
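The point Mark Andrews makes is easy to miss in the config dump: the master's allow-transfer lists 100.100.100.1, but because the server listens on IPv6 and the platform delivers the IPv4 connection as an IPv4-mapped IPv6 address, the client shows up in the log as ::ffff:100.100.100.1, which a plain IPv4 ACL entry does not match unless match-mapped-addresses is on. The script below is an added illustration written for this thread, not BIND's own code: it models a simplified allow-transfer ACL (a list of address/prefix strings, any match allows, which is an assumption about BIND's semantics made only for the demonstration), parses the "zone transfer ... denied" line from the master's log, and classifies each denial as a mapped-address mismatch (the misconfiguration discussed here) or a client that is not in the ACL at all (the case a defender actually wants to review, since that line is also what an unauthorised AXFR attempt leaves behind). The second denied line in the sample log is constructed; the first is the one from the thread.

```python
import ipaddress
import re

# Sample master log: the first denied line is taken from the thread above,
# the second is a constructed line for a client that is genuinely not in the ACL.
SAMPLE_LOG = [
    "Aug 27 16:53:52 filemon named[7231]: running",
    "Aug 27 16:54:41 filemon named[7231]: client ::ffff:100.100.100.1#37276: "
    "zone transfer 'tuxland.com/IN' denied",
    "Aug 27 17:02:10 filemon named[7231]: client 203.0.113.9#5123: "
    "zone transfer 'tuxland.com/IN' denied",  # constructed
]

# named writes the peer as address#port; zone names carry the class suffix (/IN).
DENIED_RE = re.compile(
    r"named\[(?P<pid>\d+)\]: client (?P<client>[^#\s]+)#(?P<port>\d+): "
    r"zone transfer '(?P<zone>[^']+)' denied"
)


def normalise_client(raw, match_mapped=False):
    """Return the client address in the form the ACL check will compare.

    With match_mapped=True an IPv4-mapped IPv6 address (::ffff:a.b.c.d) is
    folded back to the IPv4 address it carries, which is what
    'match-mapped-addresses yes;' achieves; otherwise it stays IPv6.
    """
    addr = ipaddress.ip_address(raw)
    if match_mapped and addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def acl_allows(acl, raw_client, match_mapped=False):
    """Simplified allow-transfer ACL (assumption for this demo): a list of
    address or prefix strings; the client is allowed if any entry contains it."""
    addr = normalise_client(raw_client, match_mapped)
    for entry in acl:
        net = ipaddress.ip_network(entry, strict=False)
        if net.version == addr.version and addr in net:
            return True
    return False


def parse_denied_transfers(lines):
    """Extract (client, port, zone) from every 'zone transfer ... denied' line."""
    events = []
    for line in lines:
        m = DENIED_RE.search(line)
        if m:
            events.append({"client": m["client"], "port": int(m["port"]), "zone": m["zone"]})
    return events


def diagnose(events, acl):
    """Classify each denial against the configured ACL.

    'mapped-address mismatch': the client would pass if mapped addresses were
    folded (fix with match-mapped-addresses yes, or list the ::ffff: form).
    'not in ACL': the client is unauthorised under either interpretation and
    the denial should be reviewed as a possible unauthorised transfer attempt.
    """
    verdicts = []
    for ev in events:
        if acl_allows(acl, ev["client"]):
            verdict = "allowed"  # would not normally appear on a denied line
        elif acl_allows(acl, ev["client"], match_mapped=True):
            verdict = "mapped-address mismatch"
        else:
            verdict = "not in ACL"
        verdicts.append((ev["client"], ev["zone"], verdict))
    return verdicts


if __name__ == "__main__":
    # The master's allow-transfer from the thread, as the ACL under test.
    master_acl = ["100.100.100.1"]
    for client, zone, verdict in diagnose(parse_denied_transfers(SAMPLE_LOG), master_acl):
        print(f"{zone}: {client} -> {verdict}")
```

Run it against a real master log after a failed slave transfer: a mapped-address mismatch on your own secondary's address is the situation in this thread, while any "not in ACL" hit from an address you do not recognise is worth following up, because the same log line is the only trace a denied zone transfer request leaves.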