BIND 9 errors

Mark Andrews marka at isc.org
Fri Jul 2 01:35:51 UTC 2010


In message <SNT117-W75EA52BAE5D8946F5B8C0DBCD0 at phx.gbl>, Y z writes:
> 
> Thanks for your reply, comments inline:
> 
> > Peter Andreev wrote (on Thu, Jul 01, 2010 at 10:45:44AM +0400):
> > 2010/7/1 Y z 
> >
> >>
> >> (bind version 9.7.0-P1)
> >>
> >> A DNS slave server has two IPs: an internal RFC1918 number to talk to
> >> the internal net, and an external one to talk to the rest of the world.
> >>
> >> If I *don't* put the external IP in a master:
> >>
> >> zone "example.com" {
> >> type slave;
> >> file "example";
> >> masters port 1053 { 172.16.0.30; } ;
> 
> This is the internal IP of the (true) master.
> 
> >> };
> >
> >> I get errors:
> >>
> >> Jun 30 14:03:54 hostname named[1865]: zone example.com/IN: refused notify
> >> from non-master: external.ip#59808
> >>
> > This error appears because your master sends notify from external.ip, which
> > isn't listed in "masters {};" statement.
> 
> No. Sorry if I was confusing. external.ip belongs to the slave server;
> i.e., the slave server appears to want to talk to itself.

You have a hairpin NAT.  The notify is sent to the external address
of the slave.  The NAT then turns this around making the source
address of the notify message be the external address of the NAT.

You can do any of the following:

* tell the master to send notify messages to an explicit list of addresses
  and use the internal address of the slave.  This has long term maintenance
  issues.

	notify explicit;
	also-notify { <internal address>; <other slave addresses>; };

  You may want to add the also-notify { <internal address>; }; regardless
  of whether you turn on notify explicit.

* tell the slave to accept notify messages from its external address.

	allow-notify { acl; };
	
* add a forwarding entry for the NAT to send external/{TCP,UDP}/1053
  to master/1053 and use "masters port 1053 { <external>; };".  i.e.
  go through the NAT.
 
Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
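A small diagnostic for the kind of log line quoted in this thread, added here as an example and not code from the thread or from BIND: it parses named's "refused notify from non-master" lines and flags the case where the source address is one of the slave's own addresses, which is the hairpin NAT symptom described above. The zone inventory, the slave's addresses and the log lines are constructed; the names `MASTERS` and `SLAVE_ADDRESSES` are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample log lines in the format named emits: the first mirrors the
# situation in the thread (source is the slave's own external address), the
# second is an unrelated notify from an unknown public address for contrast.
SAMPLE_LOG = """\
Jun 30 14:03:54 hostname named[1865]: zone example.com/IN: refused notify from non-master: 203.0.113.10#59808
Jun 30 14:05:12 hostname named[1865]: zone example.com/IN: refused notify from non-master: 198.51.100.7#4123
"""

# Hypothetical slave inventory: the masters {} list per zone from named.conf,
# and the addresses that belong to the slave itself (RFC 1918 inside, public outside).
MASTERS = {"example.com": {"172.16.0.30"}}
SLAVE_ADDRESSES = {"172.16.0.40", "203.0.113.10"}

RFC1918 = tuple(ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

LINE_RE = re.compile(
    r"zone (?P<zone>\S+)/IN: refused notify from non-master: "
    r"(?P<src>[0-9A-Fa-f.:]+)#(?P<port>\d+)"
)

def classify_refused_notify(line, masters=MASTERS, slave_addrs=SLAVE_ADDRESSES):
    """Return (zone, source, verdict) for a 'refused notify' line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    zone, src = m.group("zone"), m.group("src")
    addr = ip_address(src)  # raises ValueError on a malformed address
    if src in slave_addrs:
        # The slave is seeing its own address: a NAT rewrote the master's source (hairpin).
        verdict = "hairpin-nat"
    elif src in masters.get(zone, set()):
        verdict = "listed-master"      # should not be refused; named.conf and log disagree
    elif any(addr in net for net in RFC1918):
        verdict = "unlisted-internal"  # internal host not in masters {}
    else:
        verdict = "unlisted-external"  # stray notify from the outside; normally just noise
    return zone, src, verdict

def scan(log_text, masters=MASTERS, slave_addrs=SLAVE_ADDRESSES):
    """Classify every refused-notify line in a block of syslog text."""
    results = []
    for line in log_text.splitlines():
        r = classify_refused_notify(line, masters, slave_addrs)
        if r:
            results.append(r)
    return results

if __name__ == "__main__":
    for zone, src, verdict in scan(SAMPLE_LOG):
        print(f"{zone}: refused notify from {src} -> {verdict}")
```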