allow-transfer from slave server

Kevin Darcy kcd at daimlerchrysler.com
Tue Apr 25 00:12:18 UTC 2006 

Ronni Jensen wrote:

>Hi,
>
>I have a master (ns0) and 2 slave servers (ns1 & ns2).
>
>ns0 is not accessible from WAN, and only allows zone tranfers to ns1 and
>ns2 on RFC1918 addresses.
>ns1 and ns2 are accessible from outside, where a WAN public IP is NAT'ed
>to their local IP-address.
>
>On a server (123.123.123.123) at another location, I want to pull zones
>from either ns1 or ns2.. I have this config on ns1:
>
>zone "example.dk" IN {
>        type slave;
>        file "/var/named/slave/slave.example.dk";
>        masters { 10.10.10.2; };   // this is the master server (ns0)
>        allow-transfer { 123.123.123.123; }; // this is the outside
>server which want to pull the zone
>};
>
>..But when I initiate a zone transfer from 123.123.123.123 which has
>this config in named.conf:
>
>zone "example.dk" IN {
>        type slave;
>        file "/etc/bind/data/slave.example.dk";
>        masters { 111.111.111.111; }; // this is ns1's public IP-address
>};
>
>..I get this error in my activity log:
>
>24-Apr-2006 11:40:45.659 general: info: zone example.dk/IN: Transfer
>started.
>24-Apr-2006 11:40:45.695 xfer-in: info: transfer of 'example.dk/IN' from
>111.111.111.111#53: connected using 123.123.123.123#32778
>24-Apr-2006 11:40:45.761 xfer-in: error: transfer of 'example.dk/IN'
>from 111.111.111.111#53: failed while receiving responses: REFUSED
>24-Apr-2006 11:40:45.761 xfer-in: info: transfer of 'example.dk/IN' from
>111.111.111.111#53: end of transfer
>
>Can you tell me why I get that error? :-/
>
Looks in the logs on the master to verify that the source address it 
sees is 123.123.123.123. It _should_ be, of course, but when dealing 
with NAT, sometimes things get screwy and the source address of a packet 
is an unexpected one.

The only other thing that comes to mind is that some firewall or 
intrusion-prevention system in between your master and your Internet 
client is faking the REFUSED response itself. Again, it should be 
helpful in this situation to look at the logs on the master -- query 
logs -- to verify that the query actually got there.

- Kevin

More information about the bind-users mailing list