port 280???

phn at icke-reklam.ipsec.nu phn at icke-reklam.ipsec.nu
Mon Nov 18 20:29:05 UTC 2002


John <magiciq at noordbrabant.net> wrote:
> Hi,

> Our DNS's are HP Unix BIND 8.2.5
> We have a master and 2 slave DNS's.
> When I change the serial on the master DNS, the update is fetched from
> the master to the slave DNS's (no problem), but when both DNS's send a
> request to the master (because of the SOA), I find the following errors
> continuously in /var/adm/syslog/syslog.log

> Err/To getting serial "db.x.x.x
> Err/To getting serial "db.127.0.0
> etc..etc

> I get this error since I activated port 53. When I disable it, the errors
> are gone from the syslog.log

> query-source address x.x.x.x port 53;

> I have checked all DNS's; they use port 53. We have a firewall between the
> master and slave DNS.
> Domain tcp and udp ports are allowed, including port 53, in both directions.

bind will by default use a "random port" at the slave end when requesting
zonetransfer.

Firewalls should not rely on sourceport = 53; a modern fw can deal with
"states" and is thus able to discriminate responses to dns queries from
random udp packets.

So, remove your "port 53" line and talk to your fw admin.
And, while you are talking with him, make sure the fw accepts
both UDP and TCP 53. Both are needed for proper operation.



> So why do I still get the error?? How do I solve that??

> I heard from somebody that I have to open port "240" for zone transfer,
> is that true??
No. 

> Any answer is welcome.

> Best regards,

> John




-- 
Peter Håkanson         
        IPSec  Sverige      ( At Gothenburg Riverside )
           Sorry about my e-mail address, but i'm trying to keep spam out,
	   remove "icke-reklam" if you feel for mailing me. Thanx.
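As an added example, not part of the original thread and not a BIND tool, here is a small POSIX shell script that audits a named.conf fragment for a "query-source" line that pins the source port (the setting the reply above says to remove) and rewrites it so BIND picks a random port. The named.conf text and the address 192.0.2.10 are constructed for this example; the function names are this example's own.

```shell
#!/bin/sh
# Added example: detect and remove a pinned "port N" on a query-source line.
# SAMPLE_CONF is a constructed named.conf fragment with the weak setting.
SAMPLE_CONF='options {
    directory "/var/named";
    query-source address 192.0.2.10 port 53;
    notify yes;
};'

# Print the pinned port from any "query-source ... port N;" line; print
# nothing when no port is pinned (BIND then uses a random source port).
pinned_query_port() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*query-source.*port[[:space:]]\{1,\}\([0-9]\{1,\}\)[[:space:]]*;.*/\1/p'
}

# Drop only the "port N" clause; the "address ..." part (if any) is kept so
# the server still answers from the intended interface.
unpin_query_port() {
    printf '%s\n' "$1" \
      | sed 's/^\([[:space:]]*query-source[^;]*\)[[:space:]]\{1,\}port[[:space:]]\{1,\}[0-9]\{1,\}\([[:space:]]*;\)/\1\2/'
}

# Stand-alone run: report the pinned port and show the corrected fragment.
PORT="$(pinned_query_port "$SAMPLE_CONF")"
if [ -n "$PORT" ]; then
    echo "query-source pins the source port to $PORT; corrected fragment:"
    unpin_query_port "$SAMPLE_CONF"
else
    echo "no pinned query-source port found"
fi
```

After the rewrite the slave sends its SOA queries and transfer requests from an ephemeral port, so the firewall between master and slaves has to track state (allow the reply to whatever port the query came from) and permit both UDP and TCP to port 53 on the master, as the reply notes.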

