<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body style="overflow-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><br>
<div><br><blockquote type="cite"><div>On 23 May 2023, at 19.46, Kaya Saman <kayasaman@gmail.com> wrote:</div><br class="Apple-interchange-newline"><div>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<div><p><br>
</p>
<div class="moz-cite-prefix">On 5/23/23 18:07, Sten Carlsen wrote:<br>
</div>
<blockquote type="cite" cite="mid:84768971-DE72-495D-BB34-62286BE42BAC@s-carlsen.dk">
<pre class="moz-quote-pre" wrap="">
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">On 23 May 2023, at 19.00, Kaya Saman <a class="moz-txt-link-rfc2396E" href="mailto:kayasaman@gmail.com"><kayasaman@gmail.com></a> wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">On 5/23/23 12:47, Matus UHLAR - fantomas wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">On 23.05.23 12:22, Kaya Saman wrote:
I've got a very strange problem that has emerged somehow after migrating my isp.
My setup previously used 2x servers in master/slave configuration for my public "view" and then had 3x servers for the "internal" view. This was working fine for years and I have been regularly testing using online dns healthcheck sites such as mxtoolbox etc...
Now when I try to run any type of check from mxtoolbox or other site eg. <a class="moz-txt-link-freetext" href="https://dnschecker.org/">https://dnschecker.org/</a> I am getting my private IP's showing instead of the public ones?
Initially it started off by my external zone files not transferring which I managed to see that the information was trying to traverse my NAT (I know, not the best practice to have all dns servers on the same network).
As a result external emails from my mail server are not working too well with a hit and miss type thing going on right now.
Just to go over, my zone files are fine as the 'external' ones only have public ip addresses in them and do not include any type of internal addressing whatsoever.
Here's an example of the config in named.conf for the master:
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap=""></pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">view "external" {
match-clients { !internals; any; };
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">[...]
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">view "external" {
match-clients { !internals; any; };
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">I don't see your definition of "internals".
Also, I don't see your definition of internal view.
if internal IP addresses are visible on the internet, obviously the internet sources fall into your internal view, not into this one.
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">Finally, I understand what is going on and things get stranger....
The internal IP addressing is being served up by the slave servers. They seem to have pulled the file domain.db and renamed it to domain-external.db???
Of course the 'master' machine is already serving up domain-external.db to the public domain. This has the correct IP addressing with everything else such as dkim and dmarc.
So, currently I think the whole problem is stemming from the fact that the zone transfers are not working correctly for my external view between 'master' and 'slave' servers.
How can I do that without needing to traverse my NAT?
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">When migrating ISP, are you sure that there is not another NAT in the ISP router?
That would explain this. The internet would present itself as 192.168.xx.xx and match your internals.</pre>
</blockquote><p><br>
</p><p>I can certainly ask. Though I am on a business package with
multiple static public IPv4 addresses. I think I have a /28 block
if memory serves me well....</p><p><br></p></div></div></blockquote>You might find that it has some kind of address translation built-in "to protect your business" or whatever. To me it still smells that way.</div><div>You might look at the IP address for the port you think is the internet - if that has an 192.168.x.x. or 172.16.x.x. or 10.x.x.x it would be clear that is what your problem is. It can still be solved but other setup details will be needed.</div><div><blockquote type="cite"><div><div><p>
</p><p>The crazy thing is that I am using the DNS check tool from
mxtoolbox. So far it's telling me:</p><p><br>
</p><p><span style="color: rgb(51, 51, 51); font-family: "Helvetica
Neue", Helvetica, Arial, sans-serif; font-size: 13px;
font-style: normal; font-variant-ligatures: normal;
font-variant-caps: normal; font-weight: 400; letter-spacing:
normal; orphans: 2; text-align: left; text-indent: 0px;
text-transform: none; white-space: normal; widows: 2;
word-spacing: 0px; -webkit-text-stroke-width: 0px;
background-color: rgb(249, 249, 249); text-decoration-thickness:
initial; text-decoration-style: initial; text-decoration-color:
initial; display: inline !important; float: none;">Bad Glue
Detected</span><br style="box-sizing: border-box; color: rgb(51,
51, 51); font-family: "Helvetica Neue", Helvetica,
Arial, sans-serif; font-size: 13px; font-style: normal;
font-variant-ligatures: normal; font-variant-caps: normal;
font-weight: 400; letter-spacing: normal; orphans: 2;
text-align: left; text-indent: 0px; text-transform: none;
white-space: normal; widows: 2; word-spacing: 0px;
-webkit-text-stroke-width: 0px; background-color: rgb(249, 249,
249); text-decoration-thickness: initial; text-decoration-style:
initial; text-decoration-color: initial;">
<span class="internetSays" style="box-sizing: border-box;
font-family: "Courier New", Courier, monospace;
letter-spacing: 0.01em; color: rgb(51, 51, 51); font-size: 13px;
font-style: normal; font-variant-ligatures: normal;
font-variant-caps: normal; font-weight: 400; orphans: 2;
text-align: left; text-indent: 0px; text-transform: none;
white-space: normal; widows: 2; word-spacing: 0px;
-webkit-text-stroke-width: 0px; background-color: rgb(249, 249,
249); text-decoration-thickness: initial; text-decoration-style:
initial; text-decoration-color: initial;">Parent server gave
glue for ns2.domain.com to be int_dns2 but we resolve that
hostname to ext_dns2<br>
</span></p><p><br>
</p><p>Another weird issue is that it's reading the serial from the zone
file to be:</p>
<table class="table table-striped table-bordered table-condensed tool-result-table" style="box-sizing: border-box; border-spacing:
0px; border-collapse: collapse; background-color: rgb(255, 255,
255); font-size: 13px; width: 1543px; max-width: 100%;
margin-bottom: 20px; border-width: 0px; border-top-style: initial;
border-right-style: initial; border-bottom-style: initial;
border-left-style: solid; border-top-color: initial;
border-right-color: initial; border-bottom-color: initial;
border-left-color: rgb(221, 221, 221); border-image: initial;
border-radius: 0px; color: rgb(51, 51, 51); font-family:
"Helvetica Neue", Helvetica, Arial, sans-serif;
font-style: normal; font-variant-ligatures: normal;
font-variant-caps: normal; font-weight: 400; letter-spacing:
normal; orphans: 2; text-align: left; text-transform: none;
white-space: normal; widows: 2; word-spacing: 0px;
-webkit-text-stroke-width: 0px; text-decoration-thickness:
initial; text-decoration-style: initial; text-decoration-color:
initial;">
<tbody style="box-sizing: border-box;">
<tr style="box-sizing: border-box; background-color: rgb(249,
249, 249);">
<td class="table-column-Response" style="box-sizing:
border-box; padding: 5px; border: 1px solid rgb(221, 221,
221); line-height: 1.42857; vertical-align: top;"><br class="Apple-interchange-newline">
Serial numbers match<br style="box-sizing: border-box;">
<span class="internetSays" style="box-sizing: border-box;
font-family: "Courier New", Courier, monospace;
letter-spacing: 0.01em;">2022022801</span></td>
</tr>
</tbody>
</table><div><br class="webkit-block-placeholder"></div><p>That's my 'internal' zone! Not the 'external' zone and should not
be anywhere on the public internet at all.....</p><p><br>
</p>
<blockquote type="cite" cite="mid:84768971-DE72-495D-BB34-62286BE42BAC@s-carlsen.dk">
<pre class="moz-quote-pre" wrap=""></pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">Currently I tried putting this into my master config:
zone "domain.com" {
type master;
file "/var/named/var/named/domain-external.db";
notify explicit;
also-notify { int_dns2; int_dns3; };
allow-transfer { ext_dns2; ext_dns3; };
allow-query { ext_dns2; ext_dns3; !internals; any; };
};
And this into my slave config:
zone "domain.com" {
type slave;
file "/var/named/var/named/domain-external.db";
masters { ext_dns1; };
// allow-notify { ext_dns1; };
allow-query { int_dns1; !internals; any; };
};
But it doesn't seem to mesh up?
The general.log file is telling me this:
zone domain.com/IN/external: refresh: retry limit for master ext_dns1#53 exceeded (source 0.0.0.0#0)
--
Visit <a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list
ISC funds the development of this software with paid support subscriptions. Contact us at <a class="moz-txt-link-freetext" href="https://www.isc.org/contact/">https://www.isc.org/contact/</a> for more information.
bind-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a>
<a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a>
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap=""></pre>
</blockquote>
</div>
-- <br>Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list<br><br>ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.<br><br><br>bind-users mailing list<br>bind-users@lists.isc.org<br>https://lists.isc.org/mailman/listinfo/bind-users<br></div></blockquote></div><br></body></html>