Newbie - Zone Transfer Denied
creature gijon
creature.gijon at gmail.com
Mon Aug 28 13:19:13 UTC 2006
Thanks to all!
Now it works after changing the allow statement to
allow-transfer { ::ffff:100.100.100.1; };, as Dawn Connelly wrote before.
You guys are great! Thanks again!
Justin, I've changed the IPs to preserve the original ones and these ones are
a bit confusing, sorry about that.
Regards.
2006/8/28, Dixon, Justin <Justin.Dixon at bbandt.com>:
>
> Ignore this...Haven't had enough coffee yet this morning...I got the
> numbers mixed up.
>
>
> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
> Behalf Of Dixon, Justin
> Sent: Monday, August 28, 2006 08:33
> To: bind-users at isc.org
> Subject: RE: Newbie - Zone Transfer Denied
>
> It appears that you have your slave server set up as the master of the
> zone in named.conf on the slave server...
>
> See Below:
>
> > include "/etc/named.conf.include";
> > zone "tuxland.com" in {
> >     type slave;
> >     file "slave/datadnsslave.tuxland.com";
> >     allow-query { any; };
> >     allow-transfer { 100.100.100.2; };
> >     masters { 100.100.100.2; };  <----- This appears to be the IP of your slave server, not the master
> > };
>
>
> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
> Behalf Of Mark Andrews
> Sent: Sunday, August 27, 2006 20:01
> To: creature gijon
> Cc: bind-users at isc.org
> Subject: Re: Newbie - Zone Transfer Denied
>
>
> > Hi there,
> > I'm new with BIND and got this message when trying to receive zones in a
> > slave from the master:
> >
> > Aug 27 15:51:37 mortadelo named[10644]: zone tuxland.com/IN: Transfer started.
> > Aug 27 15:51:37 mortadelo named[10644]: transfer of 'tuxland.com/IN' from 100.100.100.2#53: connected using 100.100.100.1#37276
> > Aug 27 15:51:37 mortadelo named[10644]: transfer of 'tuxland.com/IN' from 100.100.100.2#53: failed while receiving responses: REFUSED
> > Aug 27 15:51:37 mortadelo named[10644]: transfer of 'tuxland.com/IN' from 100.100.100.2#53: end of transfer
> >
> > In the machine with the master I got the message:
> >
> > Aug 27 16:53:52 filemon named[7231]: running
> > Aug 27 16:54:41 filemon named[7231]: client ::ffff:100.100.100.1#37276: zone transfer 'tuxland.com/IN' denied
> >>
> >> Now if the platform has a non-broken IPv6 stack we wouldn't see
> >> this.
> >>
> >> To workaround the broken IPv6 stack set
> >>
> >> match-mapped-addresses yes;
> >>
> > There is no firewall active.
> > Any idea about what I'm doing wrong?
> > Thanks in advance for your help.
> > Below you can find the named.conf from the master, from the slave, and
> > "tuxland.com" zone file data:
> >
> > By the way, I'm using Suse10.
> >
> > **********************************
> > Machine: mortadelo
> > Acting as DNS server master
> > named.conf data
> > *********************************
> > # Copyright (c) 2001-2004 SuSE Linux AG, Nuernberg, Germany.
> > # All rights reserved.
> > #
> > # Author: Frank Bodammer, Lars Mueller <lmuelle at suse.de>
> > #
> > # /etc/named.conf
> > #
> > # This is a sample configuration file for the name server BIND 9. It works as
> > # a caching only name server without modification.
> > #
> > # A sample configuration for setting up your own domain can be found in
> > # /usr/share/doc/packages/bind/sample-config.
> > #
> > # A description of all available options can be found in
> > # /usr/share/doc/packages/bind/misc/options.
> >
> > options {
> >
> >     # The directory statement defines the name server's working directory
> >
> >     directory "/var/lib/named";
> >
> >     # Write dump and statistics file to the log subdirectory. The
> >     # pathnames are relative to the chroot jail.
> >
> >     dump-file "/var/log/named_dump.db";
> >     statistics-file "/var/log/named.stats";
> >
> >     # The forwarders record contains a list of servers to which queries
> >     # should be forwarded. Enable this line and modify the IP address to
> >     # your provider's name server. Up to three servers may be listed.
> >
> >     #forwarders { 192.0.2.1; 192.0.2.2; };
> >
> >     # Enable the next entry to prefer usage of the name server declared in
> >     # the forwarders section.
> >
> >     #forward first;
> >
> >     # The listen-on record contains a list of local network interfaces to
> >     # listen on. Optionally the port can be specified. Default is to
> >     # listen on all interfaces found on your system. The default port is
> >     # 53.
> >
> >     #listen-on port 53 { 127.0.0.1; };
> >
> >     # The listen-on-v6 record enables or disables listening on IPv6
> >     # interfaces. Allowed values are 'any' and 'none' or a list of
> >     # addresses.
> >
> >     listen-on-v6 { any; };
> >
> >     # The next three statements may be needed if a firewall stands between
> >     # the local server and the internet.
> >
> >     #query-source address * port 53;
> >     #transfer-source * port 53;
> >     #notify-source * port 53;
> >
> >     # The allow-query record contains a list of networks or IP addresses
> >     # to accept and deny queries from. The default is to allow queries
> >     # from all hosts.
> >
> >     #allow-query { 127.0.0.1; };
> >
> >     # If notify is set to yes (default), notify messages are sent to other
> >     # name servers when the zone data is changed. Instead of setting
> >     # a global 'notify' statement in the 'options' section, a separate
> >     # 'notify' can be added to each zone definition.
> >
> >     notify no;
> >     forwarders { 82.82.82.82; 83.83.83.83; };
> > };
> >
> > # To configure named's logging remove the leading '#' characters of the
> > # following examples.
> > #logging {
> > #     # Log queries to a file limited to a size of 100 MB.
> > #     channel query_logging {
> > #         file "/var/log/named_querylog"
> > #             versions 3 size 100M;
> > #         print-time yes;    // timestamp log entries
> > #     };
> > #     category queries {
> > #         query_logging;
> > #     };
> > #
> > #     # Or log this kind alternatively to syslog.
> > #     channel syslog_queries {
> > #         syslog user;
> > #         severity info;
> > #     };
> > #     category queries { syslog_queries; };
> > #
> > #     # Log general name server errors to syslog.
> > #     channel syslog_errors {
> > #         syslog user;
> > #         severity error;
> > #     };
> > #     category default { syslog_errors; };
> > #
> > #     # Don't log lame server messages.
> > #     category lame-servers { null; };
> > #};
> >
> > # The following zone definitions don't need any modification. The first one
> > # is the definition of the root name servers. The second one defines
> > # localhost while the third defines the reverse lookup for localhost.
> >
> > zone "." in {
> >     type hint;
> >     file "root.hint";
> > };
> >
> > zone "localhost" in {
> >     type master;
> >     file "localhost.zone";
> > };
> >
> > zone "0.0.127.in-addr.arpa" in {
> >     type master;
> >     file "127.0.0.zone";
> > };
> >
> > # Include the meta include file generated by createNamedConfInclude. This
> > # includes all files as configured in NAMED_CONF_INCLUDE_FILES from
> > # /etc/sysconfig/named
> >
> > include "/etc/named.conf.include";
> > zone "tuxland.com" in {
> >     file "master/tuxland.com";
> >     type master;
> >     allow-query { any; };
> >     allow-transfer { 100.100.100.1; };
> > };
> >
> > # You can insert further zone records for your own domains below or create
> > # single files in /etc/named.d/ and add the file names to
> > # NAMED_CONF_INCLUDE_FILES.
> > # See /usr/share/doc/packages/bind/README.SuSE for more details.
> >
> >
> >
> >
> > **********************************
> > Machine: mortadelo
> > Acting as DNS server master
> > tuxland.com file data
> > *********************************
> >
> > $TTL 2d
> > @ IN SOA tuxland.com. root.tuxland.com. (
> > 2006082502 ; serial
> > 3h ; refresh
> > 1h ; retry
> > 1w ; expiry
> > 1d ) ; minimum
> >
> > @ IN NS dnsmaster.tuxland.com.
> > @ IN NS dnsslave.tuxland.com.
> >
> > @ IN A 100.100.100.2
> > dnsmaster IN A 100.100.100.2
> > dnsslave IN A 100.100.100.1
> >
> > **********************************
> > Machine: filemon
> > Acting as DNS server slave
> > named.conf file
> > *********************************
> > # Copyright (c) 2001-2004 SuSE Linux AG, Nuernberg, Germany.
> > # All rights reserved.
> > #
> > # Author: Frank Bodammer, Lars Mueller <lmuelle at suse.de>
> > #
> > # /etc/named.conf
> > #
> > # This is a sample configuration file for the name server BIND 9. It works as
> > # a caching only name server without modification.
> > #
> > # A sample configuration for setting up your own domain can be found in
> > # /usr/share/doc/packages/bind/sample-config.
> > #
> > # A description of all available options can be found in
> > # /usr/share/doc/packages/bind/misc/options.
> >
> > options {
> >
> >     # The directory statement defines the name server's working directory
> >
> >     directory "/var/lib/named";
> >
> >     # Write dump and statistics file to the log subdirectory. The
> >     # pathnames are relative to the chroot jail.
> >
> >     dump-file "/var/log/named_dump.db";
> >     statistics-file "/var/log/named.stats";
> >
> >     # The forwarders record contains a list of servers to which queries
> >     # should be forwarded. Enable this line and modify the IP address to
> >     # your provider's name server. Up to three servers may be listed.
> >
> >     forwarders { 82.82.82.82; 83.83.83.83; };
> >
> >     # Enable the next entry to prefer usage of the name server declared in
> >     # the forwarders section.
> >
> >     #forward first;
> >
> >     # The listen-on record contains a list of local network interfaces to
> >     # listen on. Optionally the port can be specified. Default is to
> >     # listen on all interfaces found on your system. The default port is
> >     # 53.
> >
> >     #listen-on port 53 { 127.0.0.1; };
> >
> >     # The listen-on-v6 record enables or disables listening on IPv6
> >     # interfaces. Allowed values are 'any' and 'none' or a list of
> >     # addresses.
> >
> >     listen-on-v6 { any; };
> >
> >     # The next three statements may be needed if a firewall stands between
> >     # the local server and the internet.
> >
> >     #query-source address * port 53;
> >     #transfer-source * port 53;
> >     #notify-source * port 53;
> >
> >     # The allow-query record contains a list of networks or IP addresses
> >     # to accept and deny queries from. The default is to allow queries
> >     # from all hosts.
> >
> >     #allow-query { 127.0.0.1; };
> >
> >     # If notify is set to yes (default), notify messages are sent to other
> >     # name servers when the zone data is changed. Instead of setting
> >     # a global 'notify' statement in the 'options' section, a separate
> >     # 'notify' can be added to each zone definition.
> >
> >     notify no;
> > };
> >
> > # To configure named's logging remove the leading '#' characters of the
> > # following examples.
> > #logging {
> > #     # Log queries to a file limited to a size of 100 MB.
> > #     channel query_logging {
> > #         file "/var/log/named_querylog"
> > #             versions 3 size 100M;
> > #         print-time yes;    // timestamp log entries
> > #     };
> > #     category queries {
> > #         query_logging;
> > #     };
> > #
> > #     # Or log this kind alternatively to syslog.
> > #     channel syslog_queries {
> > #         syslog user;
> > #         severity info;
> > #     };
> > #     category queries { syslog_queries; };
> > #
> > #     # Log general name server errors to syslog.
> > #     channel syslog_errors {
> > #         syslog user;
> > #         severity error;
> > #     };
> > #     category default { syslog_errors; };
> > #
> > #     # Don't log lame server messages.
> > #     category lame-servers { null; };
> > #};
> >
> > # The following zone definitions don't need any modification. The first one
> > # is the definition of the root name servers. The second one defines
> > # localhost while the third defines the reverse lookup for localhost.
> >
> > zone "." in {
> >     type hint;
> >     file "root.hint";
> > };
> >
> > zone "localhost" in {
> >     type master;
> >     file "localhost.zone";
> > };
> >
> > zone "0.0.127.in-addr.arpa" in {
> >     type master;
> >     file "127.0.0.zone";
> > };
> >
> > # Include the meta include file generated by createNamedConfInclude. This
> > # includes all files as configured in NAMED_CONF_INCLUDE_FILES from
> > # /etc/sysconfig/named
> >
> > include "/etc/named.conf.include";
> > zone "tuxland.com" in {
> >     type slave;
> >     file "slave/datadnsslave.tuxland.com";
> >     allow-query { any; };
> >     allow-transfer { 100.100.100.2; };
> >     masters { 100.100.100.2; };
> > };
> >
> > # You can insert further zone records for your own domains below or create
> > # single files in /etc/named.d/ and add the file names to
> > # NAMED_CONF_INCLUDE_FILES.
> > # See /usr/share/doc/packages/bind/README.SUSE for more details.
> >
> >
> >
> --
> ISC Training! October 16-20, 2006, in the San Francisco Bay Area,
> covering topics from DNS to DHCP. Email training at isc.org.
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
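
The denial in this thread comes down to address-match-list behaviour: the transfer client is logged as ::ffff:100.100.100.1 while allow-transfer lists 100.100.100.1. The Python below is an added example, not code from the thread or from BIND; it models that matching rule and classifies "zone transfer ... denied" log lines. The function names, reason labels and the second sample log line are constructed for illustration.

```python
import ipaddress
import re

# named's denial line, as logged on the server that refused the transfer.
DENIED = re.compile(
    r"client (?P<addr>[0-9A-Fa-f:.]+)#\d+: "
    r"zone transfer '(?P<zone>[^']+)' denied"
)

# First line is from the thread; the second is constructed for contrast.
SAMPLE_LOG = [
    "Aug 27 16:54:41 filemon named[7231]: client ::ffff:100.100.100.1#37276: "
    "zone transfer 'tuxland.com/IN' denied",
    "Aug 27 16:55:02 filemon named[7231]: client 100.100.100.9#40112: "
    "zone transfer 'tuxland.com/IN' denied",
]


def acl_allows(client, acl, match_mapped=False):
    """True if client falls inside an ACL entry of the same address family;
    match_mapped=True models 'match-mapped-addresses yes;' by unmapping first."""
    addr = ipaddress.ip_address(client)
    if match_mapped and addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    nets = (ipaddress.ip_network(e, strict=False) for e in acl)
    return any(n.version == addr.version and addr in n for n in nets)


def diagnose(log_lines, acl):
    """Return (zone, client, reason) for every denied transfer found."""
    findings = []
    for m in filter(None, map(DENIED.search, log_lines)):
        client = m.group("addr")
        if acl_allows(client, acl):
            reason = "acl-matches"   # denied by something other than this ACL
        elif acl_allows(client, acl, match_mapped=True):
            reason = "ipv4-mapped"   # list ::ffff:a.b.c.d or set match-mapped-addresses
        else:
            reason = "not-in-acl"
        findings.append((m.group("zone"), client, reason))
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, ["100.100.100.1"]):
        print(finding)
```

A result of "ipv4-mapped" corresponds to the two fixes given in the thread: listing the ::ffff: form in allow-transfer, or setting match-mapped-addresses yes.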