bind port problems

Richard bind_list at ghz.fr
Sun Jan 27 14:42:19 UTC 2008


Mark Andrews wrote:
>> Hello,
>>
>> I'm trying to set up a secondary name server, on a server managed with 
>> Plesk and behind a firewall with port 53 TCP and UDP open, but I cannot 
>> manage to get a successful zone transfer.
>>
>> This is what I get in my syslog:
>>
>> Jan 27 07:35:07 Serv1 named[4000]: client 92.193.254.8#59962: zone 
>> transfer 'domain.fr/IN' denied
>>
>> From what I understand from this message, it failed to do a zone 
>> transfer on 92.193.254.8 on port 59962, so it is normal that it is denied 
>> as the firewall blocks this port.
>>     
>
> 	No.  The acl on the master blocked the transfer.
>
>   
>> However in my /etc/named.conf I've got :
>>
>> query-source address * port 53;
>>
>> I've done a /etc/init.d/bind9 reload
>>
>> And have waited for over 24 hours. And it still looks up on the wrong 
>> port. Any ideas where this error could come from?
>>     
>
> 	The port designator only applies to the source port for
> 	UDP queries.  AXFR uses TCP.  Also the correct control
> 	is transfer-source not query-source.
>  
>   
>> I've also added 92.193.254.8 to my ACL list in Plesk so this server 
>> should not be blocked.
>>     
>
> 	Which server?  The master or the slave?  Did you reload?
>  
>   
>> Is the wrong port a problem on my side or is it a setting on the 
>> secondary name server?
>>
>> Thanks in advance for any advice, and if you need to see more of my 
>> settings please let me know.
>>     
Thank you,
I'm working on the master server; the only access I have to the slave 
server is to add a new domain.
Yes I did reload. Can you see anything that looks like it could make the 
ACL block the slave server? Plesk automatically added:
acl common-allow-transfer {
        92.193.254.8;
};
So I guess it should allow the ns2.supplier ...
And as I said above I've opened port 53 in TCP and UDP, and for testing 
purposes I've opened all ports from 30000 to 60000 for the secondary 
server ... but it doesn't seem to change anything, as you say it's the 
ACL blocking it.

Here are the contents of my named.conf

---------------------------------------
options {
        allow-recursion {
                localnets;
        };
        directory "/var";
        auth-nxdomain no;
        pid-file "/var/run/named/named.pid";

// In addition to the "forwarders" clause, you can force your name
// server to never initiate queries of its own, but always ask its
// forwarders only, by enabling the following line:
//
//      forward only;

// If you've got a DNS server around at your upstream provider, enter
// its IP address here, and enable the line below.  This will make you
// benefit from its cache, thus reduce overall DNS traffic in the Internet.
/*
        forwarders {
                127.0.0.1;
        };
*/
        query-source address * port 53;

        // dump-file "s/named_dump.db";
};

//Use with the following in named.conf, adjusting the allow list as needed:

key "rndc-key" {
        algorithm hmac-md5;
        secret "DELETEDFORSECURITY";
};

controls {
        inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};

// Note: the following will be supported in a future release.
/*
host { any; } {
        topology {
                127.0.0.0/8;
        };
};
*/

// Setting up secondaries is way easier and the rough picture for this
// is explained below.
//
// If you enable a local name server, don't forget to enter 127.0.0.1
// into your /etc/resolv.conf so this server will be queried first.
// Also, make sure to enable it in /etc/rc.conf.

zone "." {
        type hint;
        file "named.root";
};

zone "0.0.127.IN-ADDR.ARPA" {
        type master;
        file "localhost.rev";
};
// Example slave zones from the stock template, kept commented out
// (the opening "/*" was missing, leaving the closing "*/" unmatched).
/*
zone "domain.com" {
        type slave;
        file "s/domain.com.bak";
        masters {
                192.168.1.1;
        };
};

zone "0.168.192.in-addr.arpa" {
        type slave;
        file "s/0.168.192.in-addr.arpa.bak";
        masters {
                192.168.1.1;
        };
};
*/

// BIND allows no forward references to ACL names: an acl must be defined
// before it is used, so the Plesk-generated acl goes ahead of the zones
// whose allow-transfer lists refer to it.
acl common-allow-transfer {
        92.193.254.8;
};

zone "mydomain.fr" {
        type master;
        file "domain.fr";
        allow-transfer {
                92.193.51.124;
                92.193.254.8;
                common-allow-transfer;
        };
};
zone "34.191.88.in-addr.arpa" {
        type master;
        file "34.191.88.in-addr.arpa";
        allow-transfer {
                common-allow-transfer;
        };
};
----------------------


Here is the file mydomain.fr:
-----------------
; *** This file is automatically generated by Plesk ***
$TTL    86400

@       IN      SOA     ns1.mydomain.net. admin.mydomain.net. (
                        1201364974      ; Serial
                        10800   ; Refresh
                        3600    ; Retry
                        604800  ; Expire
                        10800 ) ; Minimum

mydomain.fr.           IN NS   ns1.mydomain.net.
mydomain.fr.           IN NS   ns2.supplier.fr.
mydomain.fr.           IN A    92.193.51.124
webmail.mydomain.fr.           IN A    92.193.51.124
mail.mydomain.fr.              IN A    92.193.51.124
ftp.mydomain.fr.               IN CNAME        mydomain.fr.
www.mydomain.fr.               IN CNAME        mydomain.fr.
mydomain.fr.           IN MX  10 mail.mydomain.fr.
---------------

Thanks in advance,

Richard
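An added example, not part of the thread: a small Python model of how BIND evaluates an allow-transfer address match list, loaded with the ACL and zone entries hand-copied from the posted named.conf, plus a check for ACL names that are referenced before their acl statement. It assumes the simplified semantics stated in the comments (first match wins, a negated match inside a nested ACL counts as no match, anything unmatched is denied) and does not parse named.conf itself.

```python
import ipaddress

# Constructed from the posted named.conf: the named ACL and each master zone's
# allow-transfer list. BIND walks an address match list top to bottom; the
# first matching element decides, and a leading "!" means deny.
ACLS = {"common-allow-transfer": ["92.193.254.8"]}
ZONES = {
    "mydomain.fr": ["92.193.51.124", "92.193.254.8", "common-allow-transfer"],
    "34.191.88.in-addr.arpa": ["common-allow-transfer"],
}
BUILTIN = {"any": lambda ip: True, "none": lambda ip: False}

def element_matches(elem, ip, acls):
    """True = allow, False = deny (negated hit), None = does not apply."""
    negate = elem.startswith("!")
    elem = elem.lstrip("!").strip()
    if elem in BUILTIN:
        hit = BUILTIN[elem](ip)
    elif elem in acls:  # nested ACL: only a positive inner match counts;
        hit = match_list(acls[elem], ip, acls)  # a negated hit is "no match"
    else:  # literal address or prefix; an undefined ACL name raises ValueError
        hit = ip in ipaddress.ip_network(elem, strict=False)
    return (not negate) if hit else None

def match_list(elements, ip, acls):
    for elem in elements:
        verdict = element_matches(elem, ip, acls)
        if verdict is not None:
            return verdict
    return False  # nothing matched: implicit deny

def transfer_allowed(zone, client, acls=ACLS, zones=ZONES):
    """Would the master accept an AXFR of `zone` from `client`?"""
    return match_list(zones[zone], ipaddress.ip_address(client), acls)

def forward_references(statements):
    """Flag ACL names used before their acl statement: named allows no forward
    references, so the posted config's trailing acl would come back undefined."""
    defined, problems = set(), []
    for kind, name, elements in statements:
        if kind == "acl":
            defined.add(name)
            continue
        for e in (x.lstrip("!").strip() for x in elements):
            try:
                ipaddress.ip_network(e, strict=False)
            except ValueError:
                if e not in BUILTIN and e not in defined:
                    problems.append((name, e))
    return problems
```

Run `transfer_allowed("mydomain.fr", "92.193.254.8")` to see that the lists as posted do admit the slave, which is why the order of the acl statement (and whether the reload actually took) is worth checking before the firewall.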



