Yeap, that's what my issue is  :-)

On 31/07/2023 18:09, Ondřej Surý wrote:
Well, for starters, your primaries list 192.168.2.10, but your logs show the 
connection coming from 192.168.1.1…

--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

On 31. 7. 2023, at 9:51, duluxoz <dulu...@gmail.com> wrote:

Hi Ondřej,

Sorry, force of habit (re: "example.com").

External Secondary DNS Server (ns1.mjb-co.com):

~~~

// Sources that options.blackhole (below) drops without answering: "this
// network", RFC 1918, TEST-NET and multicast-and-above ranges that should
// never be query sources on a public-facing server. Address match lists are
// evaluated first-match, so the leading negated "internal_hosts" entry must
// stay first: it exempts the three internal /24s (including the 192.168.1.1
// gateway seen in the thread's log) before 192.168.0.0/16 would swallow them.
acl "bogusnets" {
     !"internal_hosts";
     0.0.0.0/8;
     10.0.0.0/8;
     172.16.0.0/12;
     192.0.2.0/24;
     192.168.0.0/16;
     224.0.0.0/3;
};
// The three internal /24s (internal primary on 192.168.2.x, DMZ secondary on
// 192.168.1.x, per the thread). Referenced in this file only by the negated
// entry in "bogusnets"; on its own it grants nothing.
acl "internal_hosts" {
     192.168.1.0/24;
     192.168.2.0/24;
     192.168.3.0/24;
};
// 192.168.1.10 is, per the thread, this host's own DMZ address. The ACL is
// not referenced by any statement in this file (allow-transfer is "none"
// globally and no zone overrides it). NOTE(review): looks carried over from
// the primary's configuration — confirm no included file uses it before
// removing it.
acl "secondary_external_servers" {
     192.168.1.10/32;
};
// Internal secondaries. Like "secondary_external_servers", this list is not
// referenced anywhere in this file, so it currently has no effect on this
// server; it only matters on a host that actually allows transfers.
acl "secondary_internal_servers" {
     192.168.2.11/32;
     192.168.2.12/32;
};
// Hosts that would be allowed to send dynamic updates. No allow-update or
// allow-update-forwarding in this file refers to it and both zones below are
// type secondary, so on this server the list is currently inert.
acl "ddns_servers" {
     "localhost";
     192.168.2.10/32;
     192.168.2.11/32;
};
// Sources allowed to open the rndc control channel (see controls below):
// the local host and the internal primary only. The channel additionally
// requires commands to be authenticated with "rndc-key".
acl "rndc_servers" {
     "localhost";
     192.168.2.10/32;
};
// Sources allowed to read the statistics channel (see statistics-channels
// below): the whole internal /24, not just the primary. That channel has no
// authentication of its own, so this source-address check is its only
// access control.
acl "stats_hosts" {
     192.168.2.0/24;
};
// rndc control channel: TCP 953 on every IPv4 address ("inet 0.0.0.0"),
// accepted only from "rndc_servers" and only when the command is signed with
// "rndc-key". If this host has more than one interface, listening on just
// the address that faces 192.168.2.10 would keep port 953 off the others.
controls {
     inet 0.0.0.0 port 953 allow {
         "rndc_servers";
     } keys {
         "rndc-key";
     };
};
// Logging: one rotating file channel per topic (3 generations of 20 MiB
// each, timestamp suffixes), every line prefixed with time, severity and
// category. The category table at the end binds topics to channels; the
// "default_debug" and "default_syslog" names it uses are named's built-in
// channels, not ones declared here. Six of the channels declared below
// (default_debug_log, dnstap_log, queries_log, query_errors_log,
// rate_limiting_log, rpz_log) are bound to no category and so never
// receive anything.
logging {
     // resolver / lame-servers / edns-disabled / delegation-only categories.
     channel "auth_servers_log" {
         file "/var/log/named/auth_servers.log" versions 3 size 20971520 suffix 
timestamp;
         severity info;
         print-time yes;
         print-severity yes;
         print-category yes;
     };
     // "client" and "security" categories: per-request access-control
     // decisions (approved/denied queries, updates, transfers).
     channel "client_security_log" {
         file "/var/log/named/client_security.log" versions 3 size 20971520 
suffix timestamp;
         severity info;
         print-time yes;
         print-severity yes;
         print-category yes;
     };
     // "default" category: anything without a dedicated category. The
     // "general: ... refused notify from non-master" line quoted in the
     // thread is in that bucket, so it lands here, not in zone_transfers_log.
     channel "default_log" {
         file "/var/log/named/default.log" versions 3 size 20971520 suffix 
timestamp;
         severity info;
         print-time yes;
         print-severity yes;
         print-category yes;
     };
     // Not bound to any category: the categories below name the built-in
     // "default_debug" (which writes to named.run in the working directory),
     // not this channel. NOTE(review): possibly the intended target of those
     // references — confirm. "severity dynamic" follows the server's
     // run-time debug level (rndc trace/notrace).
     channel "default_debug_log" {
         file "/var/log/named/default_debug.log" versions 3 size 20971520 
suffix timestamp;
         severity dynamic;
         print-time yes;
         print-severity yes;
         print-category yes;
     };
     // "update" and "update-security" categories.
     channel "ddns_log" {
         file "/var/log/named/ddns.log" versions 3 size 20971520 suffix 
timestamp;
         severity info;
         print-time yes;
         print-severity yes;
         print-category yes;
     };
     // "dnssec" category.
     channel "dnssec_log" {
         file "/var/log/named/dnssec.log" versions 3 size 20971520 suffix 
timestamp;
         severity info;
         print-time yes;
         print-severity yes;
         print-category yes;
     };
     // Not bound to any category below.
     channel "dnstap_log" {
         file "/var/log/named/dnstap.log" versions 3 size 20971520 suffix 
timestamp;
         severity info;
         print-time yes;
         print-severity yes;
         print-category yes;
     };
     // Not bound to any category below (no "queries" category is declared).
     channel "queries_log" {
         file "/var/log/named/queries.log" versions 3 size 20971520 suffix 
timestamp;
         severity info;
         print-time yes;
         print-severity yes;
         print-category yes;
     };
     // Not bound to any category below.
     channel "query_errors_log" {
         file "/var/log/named/query_errors.log" versions 3 size 20971520 suffix 
timestamp;
         severity dynamic;
         print-time yes;
         print-severity yes;
         print-category yes;
     };
     // NOTE(review): "/var/named/log/" — every other channel uses
     // "/var/log/named/". Looks like a transposition; if that directory does
     // not exist named cannot open the file and reports it at startup. The
     // channel is also not bound to any category below.
     channel "rate_limiting_log" {
         file "/var/named/log/rate_limiting.log" versions 3 size 20971520 
suffix timestamp;
         severity info;
         print-time yes;
         print-severity yes;
         print-category yes;
     };
     // Same "/var/named/log/" path as rate_limiting_log (see note there);
     // likewise not bound to any category below.
     channel "rpz_log" {
         file "/var/named/log/rpz.log" versions 3 size 20971520 suffix 
timestamp;
         severity info;
         print-time yes;
         print-severity yes;
         print-category yes;
     };
     // "notify", "xfer-in" and "xfer-out" categories.
     channel "zone_transfers_log" {
         file "/var/log/named/zone_transfers.log" versions 3 size 20971520 
suffix timestamp;
         severity info;
         print-time yes;
         print-severity yes;
         print-category yes;
     };
     // Category → channel bindings. Every category also goes to the built-in
     // "default_debug" channel.
     category "client" {
         "client_security_log";
         "default_debug";
     };
     category "dnssec" {
         "dnssec_log";
         "default_debug";
     };
     // Catch-all; "default_syslog" is the built-in syslog channel.
     category "default" {
         "default_syslog";
         "default_debug";
         "default_log";
     };
     category "delegation-only" {
         "auth_servers_log";
         "default_debug";
     };
     category "edns-disabled" {
         "auth_servers_log";
         "default_debug";
     };
     category "lame-servers" {
         "auth_servers_log";
         "default_debug";
     };
     // Received/sent NOTIFYs (the "notify: info: ... received notify" line
     // in the thread); the refusal itself is logged under "general".
     category "notify" {
         "zone_transfers_log";
         "default_debug";
     };
     category "resolver" {
         "auth_servers_log";
         "default_debug";
     };
     // Access-control decisions: the place to look when a query, update or
     // transfer is being denied.
     category "security" {
         "client_security_log";
         "default_debug";
     };
     category "update" {
         "ddns_log";
         "default_debug";
     };
     category "update-security" {
         "ddns_log";
         "default_debug";
     };
     // Inbound (this host pulling) and outbound (others pulling) transfers.
     category "xfer-in" {
         "zone_transfers_log";
         "default_debug";
     };
     category "xfer-out" {
         "zone_transfers_log";
         "default_debug";
     };
};
// Global server options. Profile: authoritative-only public secondary —
// recursion off, queries from anyone, transfers out to nobody.
options {
     // Silently drop anything sourced from "bogusnets" (no response at all).
     blackhole {
         "bogusnets";
     };
     // Working directory; the relative zone "file" paths below resolve
     // against it.
     directory "/var/named";
     dump-file "/var/named/data/cache_dump.db";
     flush-zones-on-shutdown yes;
     managed-keys-directory "/var/named/dynamic";
     memstatistics yes;
     memstatistics-file "/var/named/data/named_mem_stats.txt";
     pid-file "/run/named/named.pid";
     session-keyfile "/run/named/session.key";
     statistics-file "/var/named/data/named_stats.txt";
     // Returned for version.bind queries instead of the real version string.
     version "Not Currently Available";
     // Treat these DNSSEC signing algorithms / DS digests as unsupported for
     // all names (the "." scope). Only the validator consults these lists,
     // so on an authoritative-only server they are effectively dormant, but
     // harmless and a sensible default to carry.
     disable-algorithms "." {
         "RSAMD5";
         "RSASHA1";
         "NSEC3RSASHA1";
         "DSA";
     };
     disable-ds-digests "." {
         "SHA-1";
         "GOST";
     };
     // Authoritative-only: answer anyone for the zones served, never recurse.
     recursion no;
     allow-query {
         "any";
     };
     // No outbound AXFR/IXFR from this server; no zone below overrides it,
     // which is why the secondary_* ACLs above are unused here.
     allow-transfer {
         "none";
     };
     // A single primary is configured, so multi-master serial-mismatch
     // handling is not needed.
     multi-master no;
     zone-statistics yes;
};
// Address this secondary refreshes and transfers the zones below from and —
// since neither zone sets allow-notify — the only source a NOTIFY for them
// is accepted from. The secondary's log in the thread shows the NOTIFY
// arriving from 192.168.1.1#36875 rather than 192.168.2.10, hence the
// "refused notify from non-master" line. NOTE(review): that looks like the
// gateway source-NATing internal→DMZ traffic; the fix belongs in the
// NAT/routing rules, or failing that a zone-level
// allow-notify { key "ddns-key"; }; which accepts only TSIG-signed NOTIFYs
// whatever their source address (provided the primary signs them with that
// key). Adding 192.168.1.1 here instead would also make this server attempt
// transfers from the gateway and accept a NOTIFY from anything it forwards.
primaries "primary_servers" {
     192.168.2.10;
};
// Statistics channel: plain HTTP on every IPv4 address, port 60443. The
// 443-like port number does not make it TLS — the statistics channel has no
// TLS or authentication option — so the "stats_hosts" source-address check
// is its only protection, and it exposes zone/socket/memory statistics to
// anything that can reach it from 192.168.2.0/24.
statistics-channels {
     inet 0.0.0.0 port 60443 allow {
         "stats_hosts";
     };
};
// TSIG key attached by every server statement below to requests sent to the
// peers, and (by its name, presumably) the key used for dynamic updates on
// the primary. hmac-sha512 is a current choice. The secret is shown obscured
// ("????…"), as named-checkconf -x prints it; the real value must never be
// posted.
key "ddns-key" {
     algorithm "hmac-sha512";
     secret 
"????????????????????????????????????????????????????????????????????????????????????????";
};
// Key the controls statement requires for rndc commands. Kept separate from
// the DDNS/transfer key, which is the right split. Secret obscured by
// named-checkconf -x.
key "rndc-key" {
     algorithm "hmac-sha512";
     secret 
"????????????????????????????????????????????????????????????????????????????????????????";
};
// Sign every request this server sends to these peers (SOA refresh queries,
// AXFR/IXFR, NOTIFYs it originates) with "ddns-key". These entries do not
// change how an inbound NOTIFY is accepted — that is decided by the zone's
// primaries list / allow-notify. Two things worth a look: one shared key
// covers all five peers and, by its name, dynamic updates too, so a single
// compromised host or leaked secret affects every relationship (a dedicated
// transfer key per peer would contain that); and 192.168.1.10/32 is, per the
// thread, this host's own address — presumably a leftover from the primary's
// copy of the config.
server 192.168.1.10/32 {
     keys "ddns-key";
};
server 192.168.1.20/32 {
     keys "ddns-key";
};
server 192.168.2.10/32 {
     keys "ddns-key";
};
server 192.168.2.11/32 {
     keys "ddns-key";
};
server 192.168.2.12/32 {
     keys "ddns-key";
};
// Reverse zone for 103.115.190.0/24, pulled from "primary_servers". The
// file path is relative to options.directory (/var/named); note it sits
// under "slaves/" while the zone below uses "secondaries/" — two directories
// for the same kind of file; both must exist and be writable by named. No
// allow-notify, so NOTIFYs are accepted from the primaries list only.
zone "190.115.103.IN-ADDR.ARPA." in {
     type secondary;
     file "slaves/cached.103.115.190.rev.zone";
     primaries {
         "primary_servers";
     };
};
// Public zone this host serves as ns1.mjb-co.com (per the thread). With no
// allow-notify set, a NOTIFY is accepted only from "primary_servers", and
// transfers are pulled from that same address, signed with "ddns-key" via
// the matching server statement. The data served is the signed copy
// received from the primary; the dnssec-policy the thread mentions belongs
// on the primary, a plain secondary needs none of its own.
zone "mjb-co.com" in {
     type secondary;
     file "secondaries/cached.mjb-co.com.zone";
     primaries {
         "primary_servers";
     };
};
~~~

On 31/07/2023 17:29, Ondřej Surý wrote:
Hi,

It's hard to help you if you don't provide your configuration (the output of 
named-checkconf -px) and use example.com instead of your real domain names. Are 
even the IP addresses real?

Ondřej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

On 31. 7. 2023, at 9:23, duluxoz <dulu...@gmail.com> wrote:
Hi All,

Hoping someone can help with this: I've got a primary DNS server on an internal 
network (192.168.2.10/24) and an external secondary DNS server on the DMZ 
network (192.168.1.10/24). The gateway for each (i.e. the router) is 192.168.x.1.

The external domain is dynamic, with dnssec set up, and everything *seems* to 
be working correctly.

So I used rndc to update a record in the external zone on the primary. The 
primary's logs show that the update went through and that a zone transfer 
notification was sent out to the external secondary. I can also see the updated 
record in the (raw) zone file on the primary.

The external secondary's logs show that it received the zone update notification, BUT 
that it came from the gateway's IP rather than the primary server's, and so, because the 
gateway's IP is not in the "primaries" ACL, it was/is being refused.

I don't know if it's relevant, but the external zone has the `dnssec-policy 
default` option set.

The (what I think are the relevant) parts of the external secondary's logs are:

~~~

31-Jul-2023 16:23:14.182 notify: info: client @0x7ff49061ecc8 
192.168.1.1#36875: received notify for zone 'example.com'

31-Jul-2023 16:23:14.182 general: info: zone example.com/IN: refused notify 
from non-master: 192.168.1.1#36875

~~~

Can someone please point me in the right direction to resolve this issue? I can provide 
further info if required. I am reluctant to add the gateway's IP to the 
"primaries" ACL because it's also the external gateway for the site, and I 
believe that adding the gateway's IP to the ACL would be a (major) security issue.

Thanks in advance

Dulux-Oz

--
Peregrine IT Signature

*Matthew J BLACK*
  M.Inf.Tech.(Data Comms)
  MBA
  B.Sc.
  MACS (Snr), CP, IP3P

When you want it done /right/ ‒ the first time!

Phone:  +61 4 0411 0089
Email:  matt...@peregrineit.net <mailto:matt...@peregrineit.net>
Web:    www.peregrineit.net <http://www.peregrineit.net>

View Matthew J BLACK's profile on LinkedIn <http://au.linkedin.com/in/mjblack>

This Email is intended only for the addressee.  Its use is limited to that intended by the author at the time and it is not to be distributed without the author’s consent.  You must not use or disclose the contents of this Email, or add the sender’s Email address to any database, list or mailing list unless you are expressly authorised to do so.  Unless otherwise stated, Peregrine I.T. Pty Ltd accepts no liability for the contents of this Email except where subsequently confirmed in writing.  The opinions expressed in this Email are those of the author and do not necessarily represent the views of Peregrine I.T. Pty Ltd.  This Email is confidential and may be subject to a claim of legal privilege.

If you have received this Email in error, please notify the author and delete this message immediately.