allow-transfer with distinct IP rejected

Nico CARTRON nicolas at ncartron.org
Wed Apr 26 07:23:21 UTC 2017


Hi Lars,

On 26-Apr-2017 09:10 CEST, <debian at lhanke.de> wrote:

> On 26.04.2017 at 08:22, Steven Carr wrote:
> > On 26 April 2017 at 06:53, Dr. Lars Hanke <debian at lhanke.de> wrote:
> > > allow-transfer { 172.16.11.35; };
> > This IP ^^^
> > 
> > > transfer of '178.168.192.in-addr.arpa/IN' from 172.16.10.16#53: failed while
> > > receiving responses: REFUSED
> > Is not the same as the IP the AXFR request is coming from? ^^^
> 
> At least it is the IP of the slave:
> 
> ifconfig eth0
> eth0      Link encap:Ethernet  HWaddr 00:16:3e:2b:22:05
>           inet addr:172.16.11.35  Bcast:172.16.11.255 Mask:255.255.255.0
> 
> dig @172.16.10.16 dmz.microsult.de. axfr
> 
> ; <<>> DiG 9.9.5-9+deb8u10-Debian <<>> @172.16.10.16 dmz.microsult.de. axfr
> ; (1 server found)
> ;; global options: +cmd
> ; Transfer failed.

The BIND logs refer to the IP address 172.16.10.16; can you tell us what this
IP is?
It appears that this is the IP address which is trying to transfer the zone,
and as you are restricting zone transfers to the slave IP address
(172.16.11.35), it makes sense that this is refused.
That also explains why it works when you allow the entire /16.

Cheers,

-- 
Nico
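
The following is an added example, not part of the original thread: a simplified Python model of how an `allow-transfer` address match list is evaluated against the source address of a transfer request (first matching element decides, `!` negates). The `172.16.0.0/16` prefix is an assumption standing in for "the entire /16", and only plain addresses, prefixes, `any` and `none` are handled; keys and named ACLs are not.

```python
import ipaddress
import re

def parse_match_list(statement):
    """Turn 'allow-transfer { a; !b/len; };' into (negated, network) pairs."""
    m = re.search(r"\{(.*)\}", statement, re.S)
    if not m:
        raise ValueError("no address match list found")
    elements = []
    for raw in m.group(1).split(";"):
        item = raw.strip()
        if not item:
            continue
        negated = item.startswith("!")
        item = item.lstrip("!").strip()
        if item in ("any", "none"):
            # 'none' is modelled as a negated 'any'
            negated = negated != (item == "none")
            nets = ["0.0.0.0/0", "::/0"]
        else:
            nets = [item]  # ValueError below for key/ACL names (not modelled)
        for n in nets:
            elements.append((negated, ipaddress.ip_network(n)))
    return elements

def allowed(elements, source):
    """First element containing the source address decides; no match = refused."""
    addr = ipaddress.ip_address(source)
    for negated, net in elements:
        if addr.version == net.version and addr in net:
            return not negated
    return False

SINGLE = "allow-transfer { 172.16.11.35; };"  # statement quoted in the thread
WIDE = "allow-transfer { 172.16.0.0/16; };"   # assumed form of "the entire /16"
CANDIDATES = ["172.16.11.35", "172.16.10.16"]  # the two addresses in the thread

def report(statement):
    """Map each candidate source address to allowed/refused for one statement."""
    acl = parse_match_list(statement)
    return {src: allowed(acl, src) for src in CANDIDATES}

if __name__ == "__main__":
    for stmt in (SINGLE, WIDE):
        print(stmt, report(stmt))
```

To keep the ACL narrow rather than opening the whole /16, confirm which source address the request actually arrives from on the serving side and list only that address.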

