Odd config problem
Hans Vallden
hans at vallden.com
Tue May 19 07:47:26 UTC 2009
On 18.5.2009, at 17:17, Mark Andrews wrote:
>> I use the secure BIND template by Rob Thomas
>> (http://www.cymru.com/Documents/secure-bind-template.html). I have had
>> a peculiar problem with this template conf, which I have not been able
>> to resolve. My problem is that some slave zones return REFUSED when
>> queried from the external view for ANY records while others return the
>> expected values. For example:
>>
>> dig @194.86.83.21 ruoka.fi ANY
>>
>> returns nothing, but when queried from master zone:
>>
>> dig @194.86.83.27 ruoka.fi ANY
>>
>> returns expected values. Furthermore, a seemingly identical zone (see
>> complete zone configs below) for another domain returns expected
>> values from both servers:
>
> What do you have in front of the nameserver? Firewall? NAT?
> Note the reply is to the wrong port.
>
> 00:15:38.593884 211.30.172.21.57914 > 194.86.83.21.53: 60775 ANY? ruoka.fi. (26)
> 00:15:38.935222 194.86.83.21.53 > 211.30.172.21.48599: 60775*- 5/0/0 SOA, NS ns2.kirnauskis.com., NS ns.kirnauskis.com., MX smtp.kirnauskis.com. 0, TXT v=spf1 ~all (167)
There's a firewall in front of both nameservers. I don't think the
reply port should be the issue, because all traffic is allowed from
the server to WAN. Furthermore, if it were a firewall issue, why would
it work for one domain and not the other? And why would changing the
'additional-from-auth' and 'additional-from-cache' settings make a
difference?

I did try allowing all traffic in and out from the server just in
case, and it didn't help.
--
Hans Vallden
hans at vallden.com
skype: hans.vallden
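
The port mismatch pointed out in the quoted capture (query sent from port 57914, reply addressed to port 48599) can be checked mechanically across a longer capture. The following is an added example, not part of the original thread: it pairs queries and replies in legacy tcpdump text output by client, server and DNS ID. The function name, the assumption that traffic to port 53 is a query, and the second (control) pair of capture lines are constructed for illustration.

```python
import re

# Legacy tcpdump text output: "time src.port > dst.port: id[flags] rest"
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?P<txid>\d+)(?P<flags>\S*) (?P<rest>.*)$"
)

def find_port_mismatches(lines, dns_port=53):
    """Pair queries with replies by (client, server, DNS ID) and report
    replies addressed to a port other than the query's source port."""
    pending = {}    # (client_ip, server_ip, txid) -> client source port
    findings = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue                      # not an IPv4 DNS line in this format
        sport, dport, txid = int(m["sport"]), int(m["dport"]), int(m["txid"])
        if dport == dns_port:             # assumption: traffic to port 53 is a query
            pending[(m["src"], m["dst"], txid)] = sport
        elif sport == dns_port:           # traffic from port 53 is a reply
            expected = pending.get((m["dst"], m["src"], txid))
            if expected is not None and expected != dport:
                findings.append({"client": m["dst"], "server": m["src"], "txid": txid,
                                 "query_port": expected, "reply_port": dport})
    return findings

CAPTURE = [
    # The two lines quoted in the thread, with the mail line wrapping undone.
    "00:15:38.593884 211.30.172.21.57914 > 194.86.83.21.53: 60775 ANY? ruoka.fi. (26)",
    "00:15:38.935222 194.86.83.21.53 > 211.30.172.21.48599: 60775*- 5/0/0 SOA, "
    "NS ns2.kirnauskis.com., NS ns.kirnauskis.com., MX smtp.kirnauskis.com. 0, "
    "TXT v=spf1 ~all (167)",
    # Constructed control pair (documentation addresses) where the ports agree.
    "00:15:40.000100 192.0.2.10.40000 > 198.51.100.53.53: 4660 ANY? example.test. (30)",
    "00:15:40.020300 198.51.100.53.53 > 192.0.2.10.40000: 4660*- 1/0/0 SOA (80)",
]

if __name__ == "__main__":
    for f in find_port_mismatches(CAPTURE):
        print("ID {txid}: query from {client}:{query_port}, "
              "reply sent to port {reply_port} by {server}".format(**f))
```

A client such as dig only accepts a UDP reply on the socket it sent the query from, so a reply delivered to a different port is dropped and the lookup appears to return nothing even though the server answered.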