wrote:
> Mark Andrews wrote:
> >> Hello,
> >>
> >> I'm trying to set up a secondary name server, on a server managed with
> >> Plesk and behind a firewall with port 53 TCP and UDP open, but I cannot
> >> manage to get a successful zone transfer.
> >>
> >> This is what I get in my syslog:
> >>
> >> Jan 27 07:35:07 Serv1 named[4000]: client 92.193.254.8#59962: zone
> >> transfer 'domain.fr/IN' denied
> >>
> >> What I understand from this message is that it failed to do a zone
> >> transfer on 92.193.254.8 on port 59962, so it is normal that it is denied,
> >> as the firewall blocks this port.
> >>
> >
> > No. The acl on the master blocked the transfer.
> >
> >
> >> However, in my /etc/named.conf I've got:
> >>
> >> query-source address * port 53;
> >>
> >> I've done a /etc/init.d/bind9 reload
> >>
> >> And have waited for over 24 hours. And it still looks up on the wrong
> >> port. Any ideas where this error could come from?
> >>
> >
> > The port designator only applies to the source port for
> > UDP queries. AXFR uses TCP. Also the correct control
> > is transfer-source not query-source.
> >
> >
> >> I've also added 92.193.254.8 to my ACL list in Plesk so this server
> >> should not be blocked.
> >>
> >
> > Which server? The master or the slave? Did you reload?
> >
> >
> >> Is the wrong port a problem on my side or is it a setting on the
> >> secondary name server?
> >>
> >> Thanks in advance for any advice, and if you need to see more of my
> >> settings please let me know.
> >>
> Thank you,
> I'm working on the master server; the only access I have to the slave
> server is to add a new domain.
> Yes I did reload. Can you see anything that looks like it could make the
> ACL block the slave server? Plesk automatically added:
> acl common-allow-transfer {
>     92.193.254.8;
> };
> So I guess it should allow the ns2.supplier ...
> And as I said above I've opened port 53 in TCP and UDP, and for testing
> purposes, I've opened all ports from 30000 to 60000 for the secondary
> server ... but it doesn't seem to change anything, as you say it's the
> ACL blocking it.
>
> Here are the contents of my named.conf

You have the allow-transfer statement in "mydomain.fr", but the error message above is for "domain.fr". Make sure the slave is really trying to transfer the correct domain. I suspect this isn't really the problem, but if you're going to obfuscate your configuration and error messages, it makes it very difficult for us to tell what's really the problem -- you could have hidden the problem with all your editing.

>
> ---------------------------------------
> options {
>     allow-recursion {
>         localnets;
>     };
>     directory "/var";
>     auth-nxdomain no;
>     pid-file "/var/run/named/named.pid";
>
>     // In addition to the "forwarders" clause, you can force your name
>     // server to never initiate queries of its own, but always ask its
>     // forwarders only, by enabling the following line:
>     //
>     // forward only;
>
>     // If you've got a DNS server around at your upstream provider, enter
>     // its IP address here, and enable the line below. This will make you
>     // benefit from its cache, thus reduce overall DNS traffic in the Internet.
>     /*
>     forwarders {
>         127.0.0.1;
>     };
>     */
>     query-source address * port 53;
>
>     // dump-file "s/named_dump.db";
> };
>
> //Use with the following in named.conf, adjusting the allow list as needed:
>
> key "rndc-key" {
>     algorithm hmac-md5;
>     secret "DELETEDFORSECURITY";
> };
>
> controls {
>     inet 127.0.0.1 port 953
>     allow { 127.0.0.1; } keys { "rndc-key"; };
> };
>
> // Note: the following will be supported in a future release.
> /*
> host { any; } {
>     topology {
>         127.0.0.0/8;
>     };
> };
> */
>
> // Setting up secondaries is way easier and the rough picture for this
> // is explained below.
> //
> // If you enable a local name server, don't forget to enter 127.0.0.1
> // into your /etc/resolv.conf so this server will be queried first.
> // Also, make sure to enable it in /etc/rc.conf.
>
> zone "." {
>     type hint;
>     file "named.root";
> };
>
> zone "0.0.127.IN-ADDR.ARPA" {
>     type master;
>     file "localhost.rev";
> };
>
> /*
> zone "domain.com" {
>     type slave;
>     file "s/domain.com.bak";
>     masters {
>         192.168.1.1;
>     };
> };
>
> zone "0.168.192.in-addr.arpa" {
>     type slave;
>     file "s/0.168.192.in-addr.arpa.bak";
>     masters {
>         192.168.1.1;
>     };
> };
> */
>
> zone "mydomain.fr" {
>     type master;
>     file "domain.fr";
>     allow-transfer {
>         92.193.51.124;
>         92.193.254.8;
>         common-allow-transfer;
>     };
> };
> zone "34.191.88.in-addr.arpa" {
>     type master;
>     file "34.191.88.in-addr.arpa";
>     allow-transfer {
>         common-allow-transfer;
>     };
> };
> acl common-allow-transfer {
>     92.193.254.8;
> };
> ----------------------
>
>
> Here is the file mydomain.fr:
> -----------------
> ; *** This file is automatically generated by Plesk ***
> $TTL 86400
>
> @ IN SOA ns1.mydomain.net. admin.mydomain.net. (
>     1201364974 ; Serial
>     10800      ; Refresh
>     3600       ; Retry
>     604800     ; Expire
>     10800 )    ; Minimum
>
> mydomain.fr.         IN NS    ns1.mydomain.net.
> mydomain.fr.         IN NS    ns2.supplier.fr.
> mydomain.fr.         IN A     92.193.51.124
> webmail.mydomain.fr. IN A     92.193.51.124
> mail.mydomain.fr.    IN A     92.193.51.124
> ftp.mydomain.fr.     IN CNAME mydomain.fr.
> www.mydomain.fr.     IN CNAME mydomain.fr.
> mydomain.fr.         IN MX 10 mail.mydomain.fr.
> ---------------
>
> Thanks in advance,
>
> Richard

--
Barry Margolin, barmar
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
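The thread turns on three things: the `client a.b.c.d#port` in the denial message is the peer's source address and ephemeral port, not a port the master needs open; the `allow-transfer` ACL is evaluated on the master for the zone named in the message, so a transfer of `domain.fr` is never checked against the ACL of `mydomain.fr`; and `query-source` does not govern AXFR. The following checker, written for this page and not part of the thread, of BIND or of Plesk, parses a constructed `named.conf` modelled on the posted one together with the quoted syslog line and reports why the master denied the transfer. It goes a little beyond the thread: it evaluates nested acl names, `!` negation and CIDR prefixes with BIND's first-match semantics, and it flags an acl that is referenced before it is defined, which BIND does not accept (the ARM states that an acl must be defined before it is used). Function names, the sample configuration and the log line copy are all mine; TSIG `key` elements and `localhost`/`localnets` are skipped because a plain-IP check has no key or interface list to consult.

```python
"""Diagnose a BIND 'zone transfer denied' log line against named.conf.

Added example for this thread; not BIND's, Plesk's or the poster's code.
The configuration below is a constructed sample modelled on the posted one.
"""
import ipaddress
import re

SAMPLE_NAMED_CONF = r'''
options {
    directory "/var";
    query-source address * port 53;   // governs UDP query source only, not AXFR (TCP)
};
zone "mydomain.fr" {
    type master;
    file "domain.fr";
    allow-transfer { 92.193.51.124; 92.193.254.8; common-allow-transfer; };
};
zone "34.191.88.in-addr.arpa" {
    type master;
    file "34.191.88.in-addr.arpa";
    allow-transfer { common-allow-transfer; };
};
/* as in the thread: the acl is defined after the zones that use it */
acl common-allow-transfer { 92.193.254.8; };
'''
# Constructed copy of the syslog line quoted in the thread.
SAMPLE_LOG = ("Jan 27 07:35:07 Serv1 named[4000]: client 92.193.254.8#59962: "
              "zone transfer 'domain.fr/IN' denied")

DENIAL_RE = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
                       r"zone transfer '(?P<zone>[^'/]+)/(?P<cls>\w+)' denied")


def strip_comments(text):
    """Drop /* */, // and # comments so braces and names match reliably."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def block_body(text, open_brace):
    """Text between the '{' at open_brace and its matching '}' (nesting-aware)."""
    depth = 0
    for i in range(open_brace, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in named.conf")


def elements(body):
    """Split an address-match-list body into its ';'-separated elements."""
    return [e.strip() for e in body.split(";") if e.strip()]


def parse_conf(text):
    """Return ({acl name: (offset, elements)}, {zone name: {pos, type, allow_transfer}})."""
    text = strip_comments(text)
    acls = {m.group(1): (m.start(), elements(block_body(text, m.end() - 1)))
            for m in re.finditer(r'\bacl\s+"?([\w.-]+)"?\s*\{', text)}
    zones = {}
    for m in re.finditer(r'\bzone\s+"([^"]+)"\s*(?:\w+\s*)?\{', text):
        body = block_body(text, m.end() - 1)
        t = re.search(r"\btype\s+(\w+)\s*;", body)
        at = re.search(r"\ballow-transfer\s*\{", body)
        zones[m.group(1).lower()] = {
            "pos": m.start(), "type": t.group(1) if t else None,
            "allow_transfer": elements(block_body(body, at.end() - 1)) if at else None}
    return acls, zones


def acl_match(elems, ip, acls, depth=0):
    """BIND address-match-list semantics: the first matching element decides,
    '!' negates it, acl names nest.  True = permit, False = negated match,
    None = nothing matched (BIND denies in that case).  'none', 'localhost',
    'localnets' and 'key' elements never match here (assumption: no TSIG and
    no interface list available to this offline check)."""
    if depth > 16:
        raise ValueError("acl nesting too deep")
    for e in elems:
        negate, name = e.startswith("!"), e.lstrip("! ")
        if name == "any":
            hit = True
        elif name in acls:
            hit = acl_match(acls[name][1], ip, acls, depth + 1) is True
        else:
            try:
                hit = ip in ipaddress.ip_network(name, strict=False)
            except ValueError:
                hit = False
        if hit:
            return not negate
    return None


def diagnose(conf_text, log_line):
    """Explain why the master logged the denial; returns a dict with findings."""
    m = DENIAL_RE.search(log_line)
    if not m:
        raise ValueError("not a zone-transfer denial line")
    ip, zone_name = ipaddress.ip_address(m["ip"]), m["zone"].lower()
    acls, zones = parse_conf(conf_text)
    rep = {"client": str(ip), "client_port": int(m["port"]), "zone": zone_name,
           "zone_found": False, "allowed": False, "findings": []}
    rep["findings"].append(f"{ip}#{m['port']} is the peer's address and ephemeral source port; "
                           "AXFR arrives over TCP at the master's port 53, so that port is not the problem")
    zone = zones.get(zone_name)
    if zone is None:
        masters = ", ".join(sorted(n for n, z in zones.items() if z["type"] == "master")) or "none"
        rep["findings"].append(f"no zone '{zone_name}' on this server (master zones: {masters})")
        return rep
    rep["zone_found"] = True
    if zone["allow_transfer"] is None:
        rep["findings"].append("zone has no allow-transfer; the options-level/default policy applies")
        return rep
    for e in zone["allow_transfer"]:
        name = e.lstrip("! ")
        if name in acls and acls[name][0] > zone["pos"]:
            rep["findings"].append(f"acl '{name}' is used before it is defined; BIND requires acl "
                                   "definitions to precede their use, so named-checkconf rejects this file")
    rep["allowed"] = acl_match(zone["allow_transfer"], ip, acls) is True
    rep["findings"].append(f"{ip} {'matches' if rep['allowed'] else 'does not match'} "
                           f"allow-transfer of '{zone_name}'")
    return rep


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_NAMED_CONF, SAMPLE_LOG)["findings"]:
        print("-", finding)
```

Run against the quoted log line it reports that no zone `domain.fr` exists on the master at all, which is the mismatch Barry points at; run against a line for `mydomain.fr` it shows 92.193.254.8 matching the ACL but also flags `common-allow-transfer` as a forward reference, which is the first thing to check with `named-checkconf` before assuming the reload took effect.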