What to report for "refresh: failure trying master ... operation canceled" bug?

Bob Harold rharolde at umich.edu
Wed Nov 23 15:54:09 UTC 2016


On Mon, Nov 21, 2016 at 7:02 PM, schilling <schilling2006 at gmail.com> wrote:

> added both tcp and udp port 53, still seeing the log messages.
>
> Best,
>
> Shiling
>
> On Mon, Nov 21, 2016 at 5:45 PM, Anand Buddhdev <anandb at ripe.net> wrote:
>
>> On 22/11/2016 00:27, schilling wrote:
>>
>> > Thanks for the insight.
>> > I added the following rule
>> > sudo firewall-cmd --permanent --direct --get-all-rules
>> > [sudo] password for admin:
>> > ipv4 filter OUTPUT 0 -d 10.10.10.100 -p tcp -m tcp --dport=53 -j ACCEPT
>> > where 10.10.10.100 is our DNS master, still receiving the error.
>>
>> Why have you only allowed TCP port 53? What about UDP port 53? BIND
>> first sends a UDP query to the master for the zone's SOA record, to
>> determine if it needs to transfer the zone or not.
>>
>> Regards,
>> Anand
>>
>
>
I don't have a solution, but some debugging options:
I would suggest running packet traces with the same steps, with and without
the firewall, and compare the traces.
Also, if possible, turn on logging in the firewall and see what is being
blocked.
You could also turn on BIND debugging - see the appendix of the "DNS and
BIND" book for debugging help.

-- 
Bob Harold
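The two checks this thread converges on, as an added example that is not part of the original posts: audit the firewalld direct rules for an ACCEPT toward the master on both transports (Anand's point that the refresh starts with a UDP SOA query), and query the master's SOA over UDP and then TCP in the order BIND uses, which is a quicker first step than the full packet trace Bob suggests. The functions, the rule pattern and the LOG rule are assumptions of this example; 10.10.10.100 is the master address from the thread.

```bash
#!/bin/bash
# Added example, not from the thread. Assumes direct rules in the form the
# poster showed: "ipv4 filter OUTPUT <prio> -d <master> -p <proto> ... --dport=53 -j ACCEPT".

# Print the protocols (udp, tcp) with no ACCEPT rule for port 53 toward $1.
# $1 = master IP; stdin = output of `firewall-cmd --permanent --direct --get-all-rules`.
missing_dns_rules() {
    master="$1"
    esc=$(printf '%s' "$master" | sed 's/\./\\./g')   # literal dots in the regex
    rules=$(cat)
    missing=""
    for proto in udp tcp; do
        pat="^ipv4 filter OUTPUT .*-d ${esc}( |/32 ).*-p ${proto} .*--dport[= ]53 .*-j ACCEPT"
        if ! printf '%s\n' "$rules" | grep -E -q -- "$pat"; then
            missing="${missing:+$missing }$proto"
        fi
    done
    printf '%s' "$missing"
}

# Emit the firewall-cmd commands for each missing protocol, followed by a LOG
# rule at a lower priority (later in the chain) so that DNS traffic toward the
# master which the ACCEPT rules did not match shows up in the kernel log.
# $1 = master IP; remaining args = protocols reported by missing_dns_rules.
suggest_rules() {
    master="$1"; shift
    for proto in "$@"; do
        printf 'sudo firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -d %s -p %s -m %s --dport 53 -j ACCEPT\n' \
            "$master" "$proto" "$proto"
    done
    printf 'sudo firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -d %s -p udp --dport 53 -j LOG --log-prefix "DNS-OUT "\n' "$master"
    printf 'sudo firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -d %s -p tcp --dport 53 -j LOG --log-prefix "DNS-OUT "\n' "$master"
    printf 'sudo firewall-cmd --reload\n'
}

# Query the master's SOA over UDP first, then TCP, mirroring the refresh.
# dig exits non-zero when the server never answers, which is what a firewall
# drop looks like from the secondary. Needs network access; not run by the test.
# $1 = master IP; $2 = zone name.
soa_check() {
    master="$1"; zone="$2"
    for mode in +notcp +tcp; do
        if dig @"$master" "$zone" SOA "$mode" +time=3 +tries=1 +short >/dev/null 2>&1; then
            echo "SOA $mode: ok"
        else
            echo "SOA $mode: no answer (check firewall on this transport)"
        fi
    done
}

# Usage on the secondary (the two-rule audit uses the thread's master address):
#   sudo firewall-cmd --permanent --direct --get-all-rules | missing_dns_rules 10.10.10.100
#   suggest_rules 10.10.10.100 udp
#   soa_check 10.10.10.100 example.com
```

If `missing_dns_rules` prints `udp`, the rule set matches the one in the thread and the SOA refresh query is the traffic being dropped; once both transports are accepted, compare the output of `soa_check` with and without the firewall active, and look for the `DNS-OUT` prefix in the kernel log for anything that still gets past the ACCEPT rules.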