I have three load-balanced (LB) nameservers in three geographic locations. Each LB has a front-end public IP address, and two backend IP addresses (one for BIND itself and one for zone transfers) are assigned to the actual BIND 9 server running Red Hat Enterprise Linux 5.2, as follows:
- LB1 - 202.54.1.2 -> Master BIND 9.x
- LB2 - 75.54.1.2 -> Slave BIND 9.x
- LB3 - 41.54.1.2 -> Slave BIND 9.x
So when a zone transfer is initiated from a slave server, I get the following errors on the master BIND 9 server (LB1):
Jan 1 14:11:20 ns1 named[5323]: client 75.54.xx.xx#50968: zone transfer 'example.com/AXFR/IN' denied
Jan 1 14:11:20 ns1 named[5323]: client 75.54.xx.xx#54359: zone transfer 'example.org/AXFR/IN' denied
The connection cannot be established, and named then retries using the server's main IP or the LB2 / LB3 IP. This is a problem because my servers are geo-located and load balanced. After some research I came across the documentation, which explains that other IPs can be used when the transfer-source fails. You need to place the following two directives in the options section of named.conf on each slave server:
transfer-source IPv4-address;
transfer-source-v6 IPv6-address;
The transfer-source and transfer-source-v6 clauses specify the IPv4 and IPv6 source address, respectively, to be used for zone transfers with the remote server. You also need to set use-alt-transfer-source to yes so that alternate transfer sources can be used. In short, add the following two directives to the options or server section of your named.conf:
transfer-source 75.54.xx.xx;
use-alt-transfer-source yes;
Here is my sample named.conf file:
// Slave server ns2.example.com
options {
    listen-on-v6 { none; };
    listen-on { xx.yy.zz.yy; };
    directory "/var/named"; // the default
    dump-file "data/cache_dump.db";
    statistics-file "data/named_stats.txt";
    memstatistics-file "data/named_mem_stats.txt";
    dnssec-enable yes;
    recursion no;
    // only the master (and our own address) may send NOTIFY
    allow-notify { xx.yy.zz.yy; aa.bb.cc.dd; };
    version "NS2 [BIND]";
    // source address for outgoing zone transfers; must be the address the master allows
    transfer-source 75.54.xx.xx;
    use-alt-transfer-source yes;
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
/* TSIG key shared with the master, used to sign zone transfers */
key "TRANSFER" {
    algorithm hmac-md5;
    secret "YOUR-KEY";
};
/* Sign all traffic to the master with that key */
server aa.bb.cc.dd {
    keys { TRANSFER; };
};
/* Get rndc key */
include "/etc/rndc.key";
/* Get localhost and other rfc stuff */
include "/etc/named.rfc1912.zones";
/* Get root server */
include "/etc/named.root.hints";
/* Get our zones */
include "/etc/named.conf.zones.local";
Finally, check the configuration and reload named:
# named-checkconf -t /var/named/chroot/ && rndc reload
OR
# rndc reload
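To make the diagnosis in this post repeatable, here is an added example in Python (my code, not the post author's): it parses the master's "zone transfer ... denied" lines, checks each client address against an inventory of the slaves' expected transfer-source and front-end addresses, and reads transfer-source / use-alt-transfer-source out of a slave's named.conf while ignoring commented-out directives. The slave inventory, the log excerpt and the config fragment are constructed samples; the post masks the real addresses as 75.54.xx.xx, so the addresses below are placeholders.

```python
"""Triage BIND 'zone transfer ... denied' messages and check a slave's
transfer-source settings. Added example, not the post author's code;
every address, log line and config fragment below is a constructed sample."""
import re
from ipaddress import ip_address

# Constructed inventory of the slaves: the backend address each one should use as
# transfer-source (the address the master's allow-transfer ACL lists) and its other
# addresses (LB front-end / main IP). Placeholders for the post's masked 75.54.xx.xx.
SLAVES = {
    "ns2.example.com": {"transfer-source": "75.54.1.20", "other": ["75.54.1.2"]},
    "ns3.example.com": {"transfer-source": "41.54.1.20", "other": ["41.54.1.2"]},
}

# Constructed log excerpt from the master (ns1), in the syslog format the post shows.
SAMPLE_LOG = """\
Jan 1 14:11:20 ns1 named[5323]: client 75.54.1.2#50968: zone transfer 'example.com/AXFR/IN' denied
Jan 1 14:11:20 ns1 named[5323]: client 75.54.1.20#54359: zone transfer 'example.org/IXFR/IN' denied
Jan 1 14:11:21 ns1 named[5323]: client 198.51.100.7#40000: zone transfer 'example.com/AXFR/IN' denied
Jan 1 14:11:22 ns1 named[5323]: running
"""

# Constructed fragment of a slave's named.conf options block.
SAMPLE_SLAVE_OPTIONS = """\
options {
    listen-on { 75.54.1.20; };
    // transfer-source 10.0.0.1;   (old value, commented out, must be ignored)
    transfer-source 75.54.1.20 ;
    use-alt-transfer-source yes;
    transfer-source-v6 2001:db8::20;
};
"""

DENIED_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"zone transfer '(?P<zone>[^/']+)/(?P<kind>AXFR|IXFR)/IN' denied$"
)


def parse_denied(line):
    """Return (client_ip, port, zone, AXFR|IXFR) for a denied-transfer line, else None."""
    m = DENIED_RE.search(line.strip())
    if not m:
        return None
    return m.group("ip"), int(m.group("port")), m.group("zone"), m.group("kind")


def classify(client_ip, slaves=SLAVES):
    """Decide which side to fix for a denied transfer from client_ip.

    wrong-source   : a known slave sent from an address other than its transfer-source,
                     the symptom in the post; fix transfer-source on that slave.
    master-acl     : the slave used its proper transfer-source and was still denied;
                     check allow-transfer / the TSIG server clause on the master.
    unknown-client : not one of our slaves; the master was right to refuse the transfer.
    """
    ip = ip_address(client_ip)
    for name, addrs in slaves.items():
        if ip == ip_address(addrs["transfer-source"]):
            return "master-acl", name
        if any(ip == ip_address(a) for a in addrs["other"]):
            return "wrong-source", name
    return "unknown-client", None


def triage(log_text, slaves=SLAVES):
    """Run every denied-transfer line in log_text through classify()."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_denied(line)
        if parsed is None:
            continue  # not a denied-transfer message
        ip, port, zone, kind = parsed
        verdict, slave = classify(ip, slaves)
        findings.append({"client": ip, "port": port, "zone": zone, "kind": kind,
                         "verdict": verdict, "slave": slave})
    return findings


def read_transfer_options(conf_text):
    """Extract transfer-source, transfer-source-v6 and use-alt-transfer-source from
    named.conf text, stripping //, # and /* */ comments first so a commented-out
    directive is not mistaken for a live one."""
    text = re.sub(r"/\*.*?\*/", "", conf_text, flags=re.S)
    text = re.sub(r"(//|#)[^\n]*", "", text)
    found = {}
    for key in ("transfer-source", "transfer-source-v6", "use-alt-transfer-source"):
        # lookbehind keeps "use-alt-transfer-source" from matching as "transfer-source"
        m = re.search(r"(?<![\w-])" + re.escape(key) + r"\s+([^\s;]+)\s*;", text)
        if m:
            found[key] = m.group(1)
    return found


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['client']:>15} {f['kind']} {f['zone']:<14} -> {f['verdict']} ({f['slave']})")
    print(read_transfer_options(SAMPLE_SLAVE_OPTIONS))
```

The "wrong-source" verdict is the case this post is about: the slave reached the master from its main or LB address instead of the backend address the master's allow-transfer list expects. Note that setting transfer-source only helps if that same address is what the master permits; a "master-acl" verdict means the address is right and the master's ACL or TSIG key is what needs attention.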
Thanks, dude… I was having the same error on my DNS master server. Your post helped me to solve that problem. :)
Nice find – despite having listen-on set explicitly – zone transfers were still being initiated from my non-aliased interface… Thanks for the help!
Switching a few of my sites over to Ubuntu servers, and I am having a hell of a time trying to get bind9 working. Just want to set up slave zones on a secondary server, and use my Windows 2003 box as a master, and the transfer never seems to happen.
Even when I add a master zone, and an A record to it, doing a dig doesn’t produce results.
What am I missing here?
Ok, so not getting the master’s A records was my bad. It was due to the fact that I had restricted the allow query options with a list.
Still not able to transfer info over from the master node to the slave node though.