<div dir="ltr"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div>Thanks Again Clark for your reply.</div><div><br></div><div>So can i infer that if
"<span style="color:rgb(0,0,255)">port 15010</span>" is defined in addition to <font color="#0000ff">also-notify to secondary on port 53</font> then secondary will receive same notification messages twice once on port 15010 and same notification on port 53?</div><div><br></div><div>And if we can remove "<span style="color:rgb(0,0,255)">port 15010</span>" in the option clause then notifications will be sent on IP/port specified only in also-notify below?</div><div><blockquote type="cite" style=""><div dir="ltr" style=""><div dir="ltr" style=""><div style=""><font color="#500050">options {</font><br><font color="#500050"> ..</font><br><font color="#500050"> </font><font color="#0000ff">port 15010; </font><font color="#500050"> </font><br><font color="#500050"> </font><font color="#0000ff">listen-on port 15010 { 127.0.0.1; };</font><br><font color="#500050"> </font><font color="#0000ff"> also-notify {<br> 10.1.2.4 port 53;<br> 10.1.2.5 port 53;<br> };</font><br><font color="#500050">};</font></div></div></div></blockquote></div><div><br></div><div>BR,</div><div>Vikas Sharma</div></div></div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Dec 17, 2022 at 10:12 AM Crist Clark <<a href="mailto:cjc%2Bbind-users@pumpky.net">cjc+bind-users@pumpky.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto">I makes sense to me. </div><div dir="auto"><br></div><div dir="auto">You specify the “port” option, so the BIND server sends NOTIFY messages to its configured secondaries on that port. Yep, doing that.</div><div dir="auto"><br></div><div dir="auto">You also configured some “also-notify” servers to be notified on port 53. Yup, it’s doing that. Those servers happen to be the secondaries too.</div><div dir="auto"><br></div><div dir="auto">Not sure exactly what you’re try to accomplish with these settings, especially that “port” configuration, but it looks like it’s behaving consistently with the docs.</div><div dir="auto"><br></div><div dir="auto"><br></div><div><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Dec 16, 2022 at 1:07 AM Vikas Sharma <<a href="mailto:er.sharmavikas@gmail.com" target="_blank">er.sharmavikas@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div><br></div>Thanks Ondrej and Clark for quick reply,<div>i have gone through the documentation and really its very well written,</div><div><br></div><div>bind version used : 9.18.3</div><div>notification message = Zone Change Notification </div><div><br></div><div><div>referring to part of the option clause from the original mail . </div></div><div><blockquote type="cite"><div dir="ltr"><div dir="ltr"><div> port 15010; <br> listen-on port 15010 { 127.0.0.1; }; <br> also-notify {<br> 10.1.2.4 port 53; <br> 10.1.2.5 port 53;<br> };</div></div></div></blockquote></div><div>here i have <span style="background-color:rgb(255,255,255)"><font style="color:rgb(0,0,255)"> listen-on port 15010 { 127.0.0.1; } </font><font style="color:rgb(0,0,0)"> this means primary DNS is listening on port 15010,</font></span></div><div><span style="background-color:rgb(255,255,255)"><font style="color:rgb(0,0,0)">in also notify section i have secondary DNS server IP and port 53</font></span></div><div><font style="color:rgb(0,0,255)">also-notify {</font></div><blockquote type="cite"><div dir="ltr"><div dir="ltr"><div><font style="color:rgb(0,0,255)"> 10.1.2.4 port 53; #=> notify should go on port 53 to secondary DNS<br> 10.1.2.5 port 53;<br> };</font></div></div></div></blockquote>so based on also-notify configuration primary DNS should send all notifications to Secondary DNS on dest port 53.</div><div dir="ltr"><br></div><div dir="ltr">now after adding <font style="color:rgb(0,0,255)">port 15010;</font> notifications are now going to secondary DNS on port 15010 also whereas notification on port 53 are also taking place.</div><div dir="ltr">so this behaviour is expected? </div><div dir="ltr">Port 15010 is neither completely overriding port 53 in also-notify nor port 15010 is ignored while sending notification to secondary DNS. </div><div dir="ltr"><br></div><div dir="ltr">and if all notification messages to dest port 15010 are dropped on secondary DNS, is there any impact?</div><div dir="ltr"><div><br></div><div>as per Clark's explanation "<span style="font-family:Lato,proxima-nova,"Helvetica Neue",Arial,sans-serif;font-size:16px;background-color:rgb(252,252,252);color:rgb(64,64,64)">port number the server uses to receive and </span><span style="font-family:Lato,proxima-nova,"Helvetica Neue",Arial,sans-serif;font-size:16px;background-color:rgb(252,252,252)"><font style="font-family:Lato,proxima-nova,"Helvetica Neue",Arial,sans-serif;color:rgb(255,0,0)"><b style="font-family:Lato,proxima-nova,"Helvetica Neue",Arial,sans-serif">send</b></font></span><span style="font-family:Lato,proxima-nova,"Helvetica Neue",Arial,sans-serif;font-size:16px;background-color:rgb(252,252,252);color:rgb(64,64,64)"> DNS protocol traffic".</span> </div><div>then bind should use dest port 15010 for all notification to secondary DNS but notification is going to port 53 as well.</div><div><br></div><div>So when port 15010 will be used and when port 53 will be used while sending notification to secondary DNS?</div><div><br></div><div><br></div><div><b>BR,</b></div><div><b>Vikas Sharma<br></b><div><br></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Dec 16, 2022 at 12:11 PM Ondřej Surý <<a href="mailto:ondrej@isc.org" target="_blank">ondrej@isc.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto">Hi,<div><br></div><div>there’s really nice documentation for BIND 9, and it’s even online and have a section on the “port”: <a href="https://bind9.readthedocs.io/en/v9_18_9/reference.html#namedconf-statement-port" target="_blank">https://bind9.readthedocs.io/en/v9_18_9/reference.html#namedconf-statement-port</a><br><br>Also don’t limit the outgoing ports to a single number - that’s a bad security practice, you should be using the full range if possible.<br><br>Ondrej<br><div dir="ltr"><div>--</div>Ondřej Surý — ISC (He/Him)<div><br></div><div>My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.</div></div><div dir="ltr"><br><blockquote type="cite">On 16. 12. 2022, at 7:26, Vikas Sharma <<a href="mailto:er.sharmavikas@gmail.com" target="_blank">er.sharmavikas@gmail.com</a>> wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr"><div dir="ltr">Hi Team,<br> <br>we have following configuration in my named.conf<br>where i named process on primary DNS is listening on port 15010.<br>whereas secondary DNS is running on port 53.<br>All Notification to secondary DNS is forwarded on destination port 53 from primary DNS. <br> <br>Now when i add tag port 15010 in options clause on primary DNS, then i see some notification message being forwarded to secondary DNS to dest port 15010. these messages are in addition to notification to secondary DNS with dest port 53.<div>changing port value form 15010 to 20598 sends notification to secondary DSN on dest port 20598 in addition to notification to secondary on port 53.<br> <br>i have a firewall on secondary DNS which is rejecting all packets on port 15010/20598.<br>i see that all my data is populated on secondary DNS without any problem due to notifications to secondary DNS on port 53.<br> <br>query is why named is sending notification to secondary DNS on port 15010/20598 when regular notification is also going to secondary DNS on port 53.<br> <br> <br>acl theAllServers {<br> thePrimary;<br> theSecondary;<br> localhost;<br>};<br> <br>options {<br> directory "/var/opt/named";<br> pid-file "/var/opt/run/named.pid";<br> allow-transfer { theAllServers; };<br> allow-query { any; };<br> zone-statistics no;<br> notify yes;<br> max-cache-size 14297m;<br> max-journal-size 1048576;<br> port 15010; #=> used 20598 as well instead of 15010;<br> listen-on port 15010 { 127.0.0.1; };<br> also-notify {<br> 10.1.2.4 port 53;<br> 10.1.2.5 port 53;<br> };<br>};<br></div><div><br></div><div>Best Regards,</div><div>Vikas Sharma</div></div></div></blockquote></div></div></blockquote></div></div><div dir="ltr"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto"><div><blockquote type="cite"><div dir="ltr">
<span>-- </span><br><span>Visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list</span><br><span></span><br><span>ISC funds the development of this software with paid support subscriptions. Contact us at <a href="https://www.isc.org/contact/" target="_blank">https://www.isc.org/contact/</a> for more information.</span><br><span></span><br><span></span><br><span>bind-users mailing list</span><br><span><a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a></span><br><span><a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a></span><br></div></blockquote></div></div></blockquote></div></div>
-- <br>
Visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br>
<br>
ISC funds the development of this software with paid support subscriptions. Contact us at <a href="https://www.isc.org/contact/" rel="noreferrer" target="_blank">https://www.isc.org/contact/</a> for more information.<br>
<br>
<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
</blockquote></div></div>
</blockquote></div>