BIND Named: Set a Zone Transfer IP Address For Master DNS Server

I have three nameservers, each behind a load balancer (LB) in a different geographic location. Each LB has a public front-end IP address, and two backend IP addresses (one for BIND itself and one dedicated to zone transfers) are assigned to the actual BIND 9 server, which runs Red Hat Enterprise Linux 5.2, as follows:

LB1 -> Master BIND 9.x
LB2 -> Slave BIND 9.x
LB3 -> Slave BIND 9.x

So whenever a slave initiates a zone transfer, all I get on the master BIND 9 server (LB1) are the following errors:

Jan  1 14:11:20 ns1 named[5323]: client 75.54.xx.xx#50968: zone transfer '' denied
Jan  1 14:11:20 ns1 named[5323]: client 75.54.xx.xx#54359: zone transfer '' denied

No transfer is ever established: the slave sends the request from the server's main IP (or from the LB2 / LB3 address) instead of the dedicated transfer IP, the master refuses it, and the slave simply retries from the same wrong address. This is a problem because my servers are geo-located and load-balanced. After some research I found the relevant part of the BIND documentation: the source address of an outgoing zone transfer is not controlled by listen-on at all; it is chosen by the kernel's routing unless you pin it explicitly, and BIND may also try other addresses when the configured transfer-source fails. You need to place the following two directives in the options section of named.conf on each slave server:
transfer-source IPv4-address;
transfer-source-v6 IPv6-address;

The transfer-source and transfer-source-v6 clauses specify the IPv4 and IPv6 source address (and optionally the port) that the slave uses when it pulls zones from the master, respectively. use-alt-transfer-source controls whether BIND may retry from an alternate source address (alt-transfer-source, if one is set) after a transfer from the transfer-source address fails; it defaults to yes when no views are configured and to no when views are used, so adding it explicitly changes nothing in a view-less configuration. If the master must never see a transfer request from any address other than the transfer-source, set it to no instead, so that a failure is logged rather than silently retried from another interface. Either way, the address you pick here must be the one listed in the master's allow-transfer (and, if you use TSIG, the request must be signed with the key the master expects). In short, add the following two directives to the options (or the per-master server) section of named.conf:

transfer-source 75.54.xx.xx;
use-alt-transfer-source yes;
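
Both ends have to agree on that address. The post shows only the slave side; the following master/slave pair is an added example (not configuration from the post) of the matching master-side settings: the master's allow-transfer admits only the slave's transfer-source address, and only when the request is signed with the shared TSIG key, and NOTIFYs are sent from the address the slave lists in allow-notify. The addresses 192.0.2.10 (master) and 198.51.100.20 / 198.51.100.21 (the slave's transfer and service addresses), the zone example.com, the key name xfer-key and its secret are all placeholders.

```conf
// ---------------- Master (ns1): /etc/named.conf ----------------
key "xfer-key" {
    algorithm hmac-sha256;      // hmac-md5 still works but is deprecated
    secret "UExBQ0VIT0xERVItZ2VuZXJhdGUtd2l0aC10c2lnLWtleWdlbg==";  // placeholder; generate with tsig-keygen
};

options {
    directory "/var/named";
    recursion no;
    // Address AND key: the nested, negated list rejects every address except
    // 198.51.100.20, and the key element then still requires a valid TSIG signature.
    allow-transfer { !{ !198.51.100.20; any; }; key xfer-key; };
    // Send NOTIFY from the address the slave has in its allow-notify list.
    notify-source 192.0.2.10;
    also-notify { 198.51.100.20; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
};

// ---------------- Slave (ns2): /etc/named.conf ----------------
key "xfer-key" {                // identical to the master's key block
    algorithm hmac-sha256;
    secret "UExBQ0VIT0xERVItZ2VuZXJhdGUtd2l0aC10c2lnLWtleWdlbg==";
};

options {
    directory "/var/named";
    recursion no;
    listen-on { 198.51.100.21; };       // backend address that answers queries
    transfer-source 198.51.100.20;      // backend address the master expects to see
    use-alt-transfer-source no;         // fail loudly instead of retrying from another interface
    allow-notify { 192.0.2.10; };       // only the master may trigger a refresh
};

// Sign everything sent to the master, including AXFR/IXFR requests, with the key.
server 192.0.2.10 {
    keys { xfer-key; };
};

zone "example.com" {
    type slave;
    masters { 192.0.2.10; };
    file "slaves/example.com.zone";
};
```

With this pairing a "zone transfer denied" on the master can only mean one of three things: the slave sent from an address other than 198.51.100.20 (transfer-source missing, or the alternate source kicked in), the request was unsigned or signed with a different key, or the addresses in the two files have drifted apart. The example sets use-alt-transfer-source no deliberately; if you keep the post's yes, remember that the retry comes from a different address, which the master must then also accept.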

Here is my sample named.conf for a slave server, trimmed to the relevant statements (every block is shown with its closing brace so it parses with named-checkconf):

 // Slave server
 options {
        listen-on-v6 { none; };
        listen-on { xx.yy.zz.yy; };
        directory "/var/named"; // the default
        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";
        dnssec-enable yes;
        recursion no;
        allow-notify { xx.yy.zz.yy; };   // the master's address
        version "NS2 [BIND]";
        transfer-source 75.54.xx.xx;     // dedicated transfer IP; must be in the master's allow-transfer
        use-alt-transfer-source yes;
 };

 logging {
        channel default_debug {
                file "data/";
                severity dynamic;
        };
 };

 /* TSIG key shared with the master server; it signs zone transfers (it is not a DNSSEC key) */
 key "TRANSFER" {
        algorithm hmac-md5;      // deprecated; prefer hmac-sha256 on a current BIND
        secret "YOUR-KEY";
 };

 /* Sign everything sent to the master (including AXFR/IXFR) with that key */
 server xx.yy.zz.yy {
        keys { TRANSFER; };
 };

 /*  Get rndc key */
 include "/etc/rndc.key";
 /*  Get localhost and other rfc stuff */
 include "/etc/named.rfc1912.zones";
 /*  Get root server */
 include "/etc/named.root.hints";
 /*  Get our zones */
 include "/etc/named.conf.zones.local";

Finally, check the configuration and reload named (the -t argument is the chroot directory on a chrooted RHEL install; drop it if named does not run chrooted):
# named-checkconf -t /var/named/chroot/ && rndc reload

Then watch the master's log: the "zone transfer denied" lines should stop, and the next refresh should show the transfer starting from the transfer-source address.
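
The checks I would run on the master and on the slave after such a change, as an added example that is not part of the original post. It extracts the source addresses the master is refusing transfers from, flags those that are not a configured transfer-source, and probes an AXFR from a chosen source address with dig -b (the same thing named does with transfer-source). The log lines in SAMPLE_LOG are constructed for the demo; the addresses 75.54.10.5, 203.0.113.9 and 198.51.100.20 are placeholders, as are the master/zone/key-file arguments of probe_axfr.

```shell
#!/bin/sh
# Added example, not part of the original post: find out which source addresses the
# master is refusing zone transfers from, and check a transfer from the source the
# slave is supposed to use. The log lines in SAMPLE_LOG are constructed for the demo;
# on a real master feed it /var/log/messages (or wherever named logs) instead.

SAMPLE_LOG=$(cat <<'EOF'
Jan  1 14:11:20 ns1 named[5323]: client 75.54.10.5#50968: zone transfer 'example.com/IN' denied
Jan  1 14:11:20 ns1 named[5323]: client 203.0.113.9#54359: zone transfer 'example.com/IN' denied
Jan  1 14:11:25 ns1 named[5323]: client 75.54.10.5#50969: zone transfer 'example.com/IN' denied
Jan  1 14:12:00 ns1 named[5323]: client 198.51.100.20#51000: transfer of 'example.com/IN': AXFR started
EOF
)

# denied_sources: named log on stdin -> "count address", most denials first.
# Matches both the classic "client A.B.C.D#port:" form and the newer
# "client @0x... A.B.C.D#port (zone):" form.
denied_sources() {
    sed -n 's/.* \([0-9a-fA-F.:]*\)#[0-9]*[^:]*: zone transfer .* denied.*/\1/p' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# unexpected_sources ADDR...: like denied_sources, but keep only addresses that are
# NOT one of the transfer-source values configured on your slaves. Anything printed
# is a slave transferring from the wrong interface (or a stranger probing for AXFR);
# a denial from an expected address points at allow-transfer or the TSIG key instead.
unexpected_sources() {
    expected=" $* "
    denied_sources | while read -r count addr; do
        case "$expected" in
            *" $addr "*) ;;
            *) echo "$addr $count" ;;
        esac
    done
}

# axfr_ok DIG_OUTPUT: true only if dig's AXFR output shows a completed transfer.
axfr_ok() {
    case "$1" in
        *"Transfer failed"*) return 1 ;;
        *"XFR size:"*)       return 0 ;;
        *)                   return 1 ;;
    esac
}

# probe_axfr MASTER ZONE SOURCE [TSIG-KEYFILE]: request ZONE from MASTER with the
# query bound to SOURCE (dig -b), optionally signed with a key file (dig -k).
# Needs dig and network access; the demo below only runs it when arguments are given.
probe_axfr() {
    master=$1; zone=$2; src=$3; keyfile=$4
    if [ -n "$keyfile" ]; then
        out=$(dig -k "$keyfile" -b "$src" @"$master" "$zone" axfr +time=5 +tries=1 2>&1)
    else
        out=$(dig -b "$src" @"$master" "$zone" axfr +time=5 +tries=1 2>&1)
    fi
    if axfr_ok "$out"; then
        echo "OK: $zone transferred from $master with source $src"
        return 0
    fi
    echo "FAILED: $zone from $master with source $src"
    printf '%s\n' "$out" | grep -E 'Transfer failed|timed out|denied|not found|command not found' | head -3
    return 1
}

# Demo on the constructed log: 198.51.100.20 is the only address the slaves should use.
echo "denied transfer sources (count address):"
printf '%s\n' "$SAMPLE_LOG" | denied_sources
echo "unexpected sources (not a configured transfer-source):"
printf '%s\n' "$SAMPLE_LOG" | unexpected_sources 198.51.100.20

# Live probe, e.g.: sh check-xfr.sh 192.0.2.10 example.com 198.51.100.20 /etc/named/xfer-key.conf
if [ $# -ge 3 ]; then
    probe_axfr "$@"
fi
```

Run the probe twice on the slave, once with the transfer-source address and once with the main address: if the first succeeds and the second is refused, the master's allow-transfer is as tight as it should be and the slave only needs the transfer-source directive. If both are refused, look at the key (or its absence) before touching addresses.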

5 comments… add one
  • Daniel Silva Jan 19, 2009 @ 14:17

    Thanks, dude… I was having the same error on my DNS master server. Your post helped me to solve that problem. 🙂

  • Marco Belmonte May 23, 2011 @ 6:28

    Nice find – despite having listen-on set explicitly – zone transfers were still being initiated from my non-aliased interface… Thanks for the help!

  • WebHost Dec 12, 2011 @ 20:08

    Switching a few of my sites over to ubuntu servers, and I am having a hell of a time trying to get bind9 working. Just want to setup slave zones on a secondary server, and use my windows 2003 box as a master, and the transfer never seems to happen.

    Even when I add a master zone, and an a record to it, doing a dig doesn’t produce results.

    What am I missing here?

  • WebHost Dec 12, 2011 @ 20:17

    Ok, so not getting the master’s A records was my bad. It was due to the fact that I had restricted the allow query options with a list.
    Still not able to transfer info over from the master node the slave node though.

  • Dano Oct 26, 2014 @ 17:34

    Sadly, this doesn’t work for me. I also tried this:

    …which is actually the opposite of the advice given here!

    Every install that I’ve done has something different about it and has always taken me hours to even days to get working. Right now I’m trying to set up a simple slave using Debian wheezy and jessie/testing. Both are giving me problems. The wheezy install, NO MATTER WHAT I DO, will only initiate transfers on the main IP, not the alias IP, DESPITE having listen-on, et al. set to just one IP. And the logging is a total mystery which is near impossible to grasp. Sometimes you get loads of errors and the thing works, other times there are no errors and nothing seems to work.

    BIND is a royally convoluted POS IMO.
