Newbie - Zone Transfer Denied

Dixon, Justin Justin.Dixon at BBandT.com
Mon Aug 28 12:33:27 UTC 2006


It appears that you have your slave server set up as the master of the
zone in named.conf on the slave server...

See Below:

>include "/etc/named.conf.include";
> zone "tuxland.com" in {
>         type slave;
>         file "slave/datadnsslave.tuxland.com";
>         allow-query { any; };
>         allow-transfer { 100.100.100.2; };
>         masters { 100.100.100.2; }; <----- This appears to be the IP of your slave server, not the master.
> };


-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
Behalf Of Mark Andrews
Sent: Sunday, August 27, 2006 20:01
To: creature gijon
Cc: bind-users at isc.org
Subject: Re: Newbie - Zone Transfer Denied


> Hi there,
> I'm new with BIND and got this message when trying to receive zones in a
> slave from the master:
> 
> Aug 27 15:51:37 mortadelo named[10644]: zone tuxland.com/IN: Transfer started.
> Aug 27 15:51:37 mortadelo named[10644]: transfer of 'tuxland.com/IN' from 100.100.100.2#53: connected using 100.100.100.1#37276
> Aug 27 15:51:37 mortadelo named[10644]: transfer of 'tuxland.com/IN' from 100.100.100.2#53: failed while receiving responses: REFUSED
> Aug 27 15:51:37 mortadelo named[10644]: transfer of 'tuxland.com/IN' from 100.100.100.2#53: end of transfer
> 
> On the machine with the master I got this message:
> 
> Aug 27 16:53:52 filemon named[7231]: running
> Aug 27 16:54:41 filemon named[7231]: client ::ffff:100.100.100.1#37276: zone transfer 'tuxland.com/IN' denied
>>
>>	Now if the platform has a non-broken IPv6 stack we wouldn't see
>>	this.
>>
>>	To workaround the broken IPv6 stack set
>>
>>		match-mapped-addresses yes;
>> 
> There is no firewall active.
> Any idea about what I'm doing wrong?
> Thanks in advance for your help.
> Below you can find the named.conf from the master, from the slave, and the "tuxland.com" zone file data:
> 
> By the way, I'm using SuSE 10.
> 
> **********************************
> Machine: mortadelo
> Acting as DNS server master
> named.conf data
> *********************************
> # Copyright (c) 2001-2004 SuSE Linux AG, Nuernberg, Germany.
> # All rights reserved.
> #
> # Author: Frank Bodammer, Lars Mueller <lmuelle at suse.de>
> #
> # /etc/named.conf
> #
> # This is a sample configuration file for the name server BIND 9.  It works
> # as a caching only name server without modification.
> #
> # A sample configuration for setting up your own domain can be found in
> # /usr/share/doc/packages/bind/sample-config.
> #
> # A description of all available options can be found in
> # /usr/share/doc/packages/bind/misc/options.
> 
> options {
> 
>         # The directory statement defines the name server's working directory
> 
>         directory "/var/lib/named";
> 
>         # Write dump and statistics file to the log subdirectory.  The
>         # pathnames are relative to the chroot jail.
> 
>         dump-file "/var/log/named_dump.db";
>         statistics-file "/var/log/named.stats";
> 
>         # The forwarders record contains a list of servers to which queries
>         # should be forwarded.  Enable this line and modify the IP address to
>         # your provider's name server.  Up to three servers may be listed.
> 
>         #forwarders { 192.0.2.1; 192.0.2.2; };
> 
>         # Enable the next entry to prefer usage of the name server declared in
>         # the forwarders section.
> 
>         #forward first;
> 
>         # The listen-on record contains a list of local network interfaces to
>         # listen on.  Optionally the port can be specified.  Default is to
>         # listen on all interfaces found on your system.  The default port is
>         # 53.
> 
>         #listen-on port 53 { 127.0.0.1; };
> 
>         # The listen-on-v6 record enables or disables listening on IPv6
>         # interfaces.  Allowed values are 'any' and 'none' or a list of
>         # addresses.
> 
>         listen-on-v6 { any; };
> 
>         # The next three statements may be needed if a firewall stands between
>         # the local server and the internet.
> 
>         #query-source address * port 53;
>         #transfer-source * port 53;
>         #notify-source * port 53;
> 
>         # The allow-query record contains a list of networks or IP addresses
>         # to accept and deny queries from. The default is to allow queries
>         # from all hosts.
> 
>         #allow-query { 127.0.0.1; };
> 
>         # If notify is set to yes (default), notify messages are sent to other
>         # name servers when the zone data is changed.  Instead of setting
>         # a global 'notify' statement in the 'options' section, a separate
>         # 'notify' can be added to each zone definition.
> 
>         notify no;
>         forwarders { 82.82.82.82; 83.83.83.83; };
> };
> 
> # To configure named's logging remove the leading '#' characters of the
> # following examples.
> #logging {
> #       # Log queries to a file limited to a size of 100 MB.
> #       channel query_logging {
> #               file "/var/log/named_querylog"
> #                       versions 3 size 100M;
> #               print-time yes;                 // timestamp log entries
> #       };
> #       category queries {
> #               query_logging;
> #       };
> #
> #       # Or log this kind alternatively to syslog.
> #       channel syslog_queries {
> #               syslog user;
> #               severity info;
> #       };
> #       category queries { syslog_queries; };
> #
> #       # Log general name server errors to syslog.
> #       channel syslog_errors {
> #               syslog user;
> #               severity error;
> #       };
> #       category default { syslog_errors;  };
> #
> #       # Don't log lame server messages.
> #       category lame-servers { null; };
> #};
> 
> # The following zone definitions don't need any modification.  The first one
> # is the definition of the root name servers.  The second one defines
> # localhost while the third defines the reverse lookup for localhost.
> 
> zone "." in {
>         type hint;
>         file "root.hint";
> };
> 
> zone "localhost" in {
>         type master;
>         file "localhost.zone";
> };
> 
> zone "0.0.127.in-addr.arpa" in {
>         type master;
>         file "127.0.0.zone";
> };
> 
> # Include the meta include file generated by createNamedConfInclude.  This
> # includes all files as configured in NAMED_CONF_INCLUDE_FILES from
> # /etc/sysconfig/named
> 
> include "/etc/named.conf.include";
> zone "tuxland.com" in {
>         file "master/tuxland.com";
>         type master;
>         allow-query { any; };
>         allow-transfer { 100.100.100.1; };
> };
> 
> # You can insert further zone records for your own domains below or create
> # single files in /etc/named.d/ and add the file names to
> # NAMED_CONF_INCLUDE_FILES.
> # See /usr/share/doc/packages/bind/README.SuSE for more details.
> 
> 
> 
> 
> **********************************
> Machine: mortadelo
> Acting as DNS server master
> tuxland.com file data
> *********************************
> 
> $TTL 2d
> @               IN SOA          tuxland.com.    root.tuxland.com. (
>                                 2006082502      ; serial
>                                 3h              ; refresh
>                                 1h              ; retry
>                                 1w              ; expiry
>                                 1d )            ; minimum
> 
> @       IN NS           dnsmaster.tuxland.com.
> @       IN NS           dnsslave.tuxland.com.
> 
> @                 IN A            100.100.100.2
> dnsmaster     IN A            100.100.100.2
> dnsslave        IN A            100.100.100.1
> 
> **********************************
> Machine: filemon
> Acting as DNS server slave
> named.conf file
> *********************************
> # Copyright (c) 2001-2004 SuSE Linux AG, Nuernberg, Germany.
> # All rights reserved.
> #
> # Author: Frank Bodammer, Lars Mueller <lmuelle at suse.de>
> #
> # /etc/named.conf
> #
> # This is a sample configuration file for the name server BIND 9.  It works
> # as a caching only name server without modification.
> # A sample configuration for setting up your own domain can be found in
> # /usr/share/doc/packages/bind/sample-config.
> #
> # A description of all available options can be found in
> # /usr/share/doc/packages/bind/misc/options.
> 
> options {
> 
>         # The directory statement defines the name server's working directory
> 
>         directory "/var/lib/named";
> 
>         # Write dump and statistics file to the log subdirectory.  The
>         # pathnames are relative to the chroot jail.
> 
>         dump-file "/var/log/named_dump.db";
>         statistics-file "/var/log/named.stats";
> 
>         # The forwarders record contains a list of servers to which queries
>         # should be forwarded.  Enable this line and modify the IP address to
>         # your provider's name server.  Up to three servers may be listed.
> 
>         forwarders { 82.82.82.82; 83.83.83.83; };
> 
>         # Enable the next entry to prefer usage of the name server declared in
>         # the forwarders section.
> 
>         #forward first;
> 
>         # The listen-on record contains a list of local network interfaces to
>         # listen on.  Optionally the port can be specified.  Default is to
>         # listen on all interfaces found on your system.  The default port is
>         # 53.
> 
>         #listen-on port 53 { 127.0.0.1; };
> 
>         # The listen-on-v6 record enables or disables listening on IPv6
>         # interfaces.  Allowed values are 'any' and 'none' or a list of
>         # addresses.
> 
>         listen-on-v6 { any; };
> 
>         # The next three statements may be needed if a firewall stands between
>         # the local server and the internet.
> 
>         #query-source address * port 53;
>         #transfer-source * port 53;
>         #notify-source * port 53;
> 
>         # The allow-query record contains a list of networks or IP addresses
>         # to accept and deny queries from. The default is to allow queries
>         # from all hosts.
> 
>         #allow-query { 127.0.0.1; };
> 
>         # If notify is set to yes (default), notify messages are sent to other
>         # name servers when the zone data is changed.  Instead of setting
>         # a global 'notify' statement in the 'options' section, a separate
>         # 'notify' can be added to each zone definition.
> 
>         notify no;
> };
> 
> # To configure named's logging remove the leading '#' characters of the
> # following examples.
> #logging {
> #       # Log queries to a file limited to a size of 100 MB.
> #       channel query_logging {
> #               file "/var/log/named_querylog"
> #                       versions 3 size 100M;
> #               print-time yes;                 // timestamp log entries
> #       };
> #       category queries {
> #               query_logging;
> #       };
> #
> #       # Or log this kind alternatively to syslog.
> #       channel syslog_queries {
> #               syslog user;
> #               severity info;
> #       };
> #       category queries { syslog_queries; };
> #
> #       # Log general name server errors to syslog.
> #       channel syslog_errors {
> #               syslog user;
> #               severity error;
> #       };
> #       category default { syslog_errors;  };
> #
> #       # Don't log lame server messages.
> #       category lame-servers { null; };
> #};
> 
> # The following zone definitions don't need any modification.  The first one
> # is the definition of the root name servers.  The second one defines
> # localhost while the third defines the reverse lookup for localhost.
> 
> zone "." in {
>         type hint;
>         file "root.hint";
> };
> 
> 
> zone "localhost" in {
>         type master;
>         file "localhost.zone";
> };
> 
> zone "0.0.127.in-addr.arpa" in {
>         type master;
>         file "127.0.0.zone";
> };
> 
> # Include the meta include file generated by createNamedConfInclude.  This
> # includes all files as configured in NAMED_CONF_INCLUDE_FILES from
> # /etc/sysconfig/named
> 
> include "/etc/named.conf.include";
> zone "tuxland.com" in {
>         type slave;
>         file "slave/datadnsslave.tuxland.com";
>         allow-query { any; };
>         allow-transfer { 100.100.100.2; };
>         masters { 100.100.100.2; };
> };
> 
> # You can insert further zone records for your own domains below or create
> # single files in /etc/named.d/ and add the file names to
> # NAMED_CONF_INCLUDE_FILES.
> # See /usr/share/doc/packages/bind/README.SUSE for more details.
> 
> 
> 
--
ISC Training!  October 16-20, 2006, in the San Francisco Bay Area,
covering topics from DNS to DHCP.  Email training at isc.org.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
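Added illustration of the address-matching point Mark Andrews raises in the quoted reply above; this is not BIND's code and was not posted by anyone in the thread. The master's allow-transfer list names the slave's IPv4 address 100.100.100.1, but the master logs the incoming connection as the IPv4-mapped IPv6 address ::ffff:100.100.100.1, and an IPv4-mapped address does not satisfy an IPv4 entry in an address match list unless the embedded IPv4 address is unwrapped first, which is what `match-mapped-addresses yes;` turns on. The Python below parses the "zone transfer denied" line from the original post and evaluates the ACL with the option off and on. The ACL matcher is a simplified model of BIND's address-match-list evaluation written for this example, not BIND's implementation; the log line and ACL are taken from the thread.

```python
# Added example (not BIND's code): model why an IPv4 ACL entry does not
# match an IPv4-mapped IPv6 client address unless the mapped form is
# unwrapped, as BIND's match-mapped-addresses option does.
import ipaddress
import re
from typing import Iterable, List, Optional, Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Sample input: the 'denied' line as quoted in the thread.
LOG_LINE = ("Aug 27 16:54:41 filemon named[7231]: client "
            "::ffff:100.100.100.1#37276: zone transfer 'tuxland.com/IN' denied")

DENIED_RE = re.compile(
    r"client (?P<addr>[0-9A-Fa-f:.]+)#(?P<port>\d+): "
    r"zone transfer '(?P<zone>[^']+)' denied"
)


def parse_denied(line: str) -> Optional[dict]:
    """Extract client address, port and zone from a 'zone transfer denied'
    log line; returns None for lines that are not such a message."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    return {"addr": m["addr"], "port": int(m["port"]), "zone": m["zone"]}


def parse_acl(entries: Iterable[str]) -> List[IPNet]:
    """Turn allow-transfer style entries ('100.100.100.1', '10.0.0.0/8')
    into networks; a bare host becomes a /32 (or /128)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def client_matches(client: str, acl: List[IPNet], match_mapped: bool) -> bool:
    """Simplified model of address-match-list evaluation (hypothetical,
    not BIND's code).

    With match_mapped=False an IPv4-mapped IPv6 address such as
    ::ffff:100.100.100.1 is compared as an IPv6 address and never matches
    an IPv4 entry, so the transfer is refused.  With match_mapped=True the
    embedded IPv4 address is extracted first, which is the behaviour that
    `match-mapped-addresses yes;` enables.
    """
    addr = ipaddress.ip_address(client)
    if match_mapped and isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net for net in acl)


# The master's allow-transfer list from the posted named.conf.
ALLOW_TRANSFER = parse_acl(["100.100.100.1"])


def evaluate(line: str = LOG_LINE) -> dict:
    """Evaluate the logged client against the ACL with the option off and on."""
    entry = parse_denied(line)
    if entry is None:
        raise ValueError("not a zone-transfer-denied log line")
    return {
        "default": client_matches(entry["addr"], ALLOW_TRANSFER, match_mapped=False),
        "mapped": client_matches(entry["addr"], ALLOW_TRANSFER, match_mapped=True),
    }


if __name__ == "__main__":
    for setting, allowed in evaluate().items():
        print(f"match-mapped-addresses {setting}: transfer "
              f"{'allowed' if allowed else 'denied'}")
```

Running it shows the transfer denied under the default evaluation and allowed once the mapped address is unwrapped, which matches the log pair in the original post (REFUSED on the slave, "zone transfer denied" on the master) while the allow-transfer list itself is already correctly restricted to the slave's address.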