Zone Transfers Being Refused

2023-07-31 Thread duluxoz

Hi All,

Hoping someone can help with this: I've got a primary dns server on an 
internal network (192.168.2.10/24) and an external secondary dns server 
on the dmz network (192.168.1.10/24). The gateway for each (i.e. the 
router) is 192.168.x.1.


The external domain is dynamic, with dnssec set up, and everything 
*seems* to be working correctly.


So I did a rndc to update a record in the external zone on the primary. 
The primary's logs show that the update went through and that a zone 
transfer notification was sent out to the external secondary. I can also 
see the updated record in the (raw) zone file on the primary.


The external secondary's logs show that it received the zone update 
notification, BUT that it was coming from the gateway's IP and not the 
primary server, and thus because the gateway's IP was not in the 
"primaries" ACL it was/is being refused.


I don't know if it's relevant but the external zone has the 
`dnssec-policy default` option set.


The (what I think are the relevant) parts of the external secondary's 
logs are:


~~~
31-Jul-2023 16:23:14.182 notify: info: client @0x7ff49061ecc8 192.168.1.1#36875: received notify for zone 'example.com'
31-Jul-2023 16:23:14.182 general: info: zone example.com/IN: refused notify from non-master: 192.168.1.1#36875
~~~

Can someone please point me in the correct direction to resolve this 
issue? I can provide further info if required. I am reluctant to add the 
gateway's IP to the "primaries" ACL because it's also the external 
gateway for the site, and I believe that adding the gateway's IP to the 
ACL will be a (major) security issue.


Thanks in advance

Dulux-Oz

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Zone Transfers Being Refused

2023-07-31 Thread Ondřej Surý
Hi,

it’s hard to help you if you don’t provide your configuration (named-checkconf 
-px) and use example.com instead of real domain names. Are even the IP 
addresses real?

Ondřej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.



Re: Zone Transfers Being Refused

2023-07-31 Thread duluxoz

Hi Ondřej,

Sorry, force of habit (re: "example.com").

External Secondary DNS Server (ns1.mjb-co.com):

~~~

acl "bogusnets" {
    !"internal_hosts";
    0.0.0.0/8;
    10.0.0.0/8;
    172.16.0.0/12;
    192.0.2.0/24;
    192.168.0.0/16;
    224.0.0.0/3;
};
acl "internal_hosts" {
    192.168.1.0/24;
    192.168.2.0/24;
    192.168.3.0/24;
};
acl "secondary_external_servers" {
    192.168.1.10/32;
};
acl "secondary_internal_servers" {
    192.168.2.11/32;
    192.168.2.12/32;
};
acl "ddns_servers" {
    "localhost";
    192.168.2.10/32;
    192.168.2.11/32;
};
acl "rndc_servers" {
    "localhost";
    192.168.2.10/32;
};
acl "stats_hosts" {
    192.168.2.0/24;
};
controls {
    inet 0.0.0.0 port 953 allow {
        "rndc_servers";
    } keys {
        "rndc-key";
    };
};
logging {
    channel "auth_servers_log" {
        file "/var/log/named/auth_servers.log" versions 3 size 20971520 suffix timestamp;
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel "client_security_log" {
        file "/var/log/named/client_security.log" versions 3 size 20971520 suffix timestamp;
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel "default_log" {
        file "/var/log/named/default.log" versions 3 size 20971520 suffix timestamp;
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel "default_debug_log" {
        file "/var/log/named/default_debug.log" versions 3 size 20971520 suffix timestamp;
        severity dynamic;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel "ddns_log" {
        file "/var/log/named/ddns.log" versions 3 size 20971520 suffix timestamp;
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel "dnssec_log" {
        file "/var/log/named/dnssec.log" versions 3 size 20971520 suffix timestamp;
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel "dnstap_log" {
        file "/var/log/named/dnstap.log" versions 3 size 20971520 suffix timestamp;
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel "queries_log" {
        file "/var/log/named/queries.log" versions 3 size 20971520 suffix timestamp;
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel "query_errors_log" {
        file "/var/log/named/query_errors.log" versions 3 size 20971520 suffix timestamp;
        severity dynamic;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel "rate_limiting_log" {
        file "/var/named/log/rate_limiting.log" versions 3 size 20971520 suffix timestamp;
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel "rpz_log" {
        file "/var/named/log/rpz.log" versions 3 size 20971520 suffix timestamp;
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel "zone_transfers_log" {
        file "/var/log/named/zone_transfers.log" versions 3 size 20971520 suffix timestamp;
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    category "client" {
        "client_security_log";
        "default_debug";
    };
    category "dnssec" {
        "dnssec_log";
        "default_debug";
    };
    category "default" {
        "default_syslog";
        "default_debug";
        "default_log";
    };
    category "delegation-only" {
        "auth_servers_log";
        "default_debug";
    };
    category "edns-disabled" {
        "auth_servers_log";
        "default_debug";
    };
    category "lame-servers" {
        "auth_servers_log";
        "default_debug";
    };
    category "notify" {
        "zone_transfers_log";
        "default_debug";
    };
    category "resolver" {
        "auth_servers_log";
        "default_debug";
    };
    category "security" {
        "client_security_log";
        "default_debug";
    };
    category "update" {
        "ddns_log";
        "default_debug";
    };
    category "update-security" {
        "ddns_log";
        "default_debug";
    };
    category "xfer-in" {
        "zone_transfers_log";
        "default_debug";
    };
    category "xfer-out" {
        "zone_transfers_log";
        "default_debug";
    };
};
options {
    blackhole {
        "bogusnets";
    };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    flush-zones-on-shutdown yes;
    managed-keys-directory "/var/named/dynamic";
    memstatistics yes;
    memstatistics-file "/var/named/data/named_mem_stats.txt";
~~~

Re: Zone Transfers Being Refused

2023-07-31 Thread Ondřej Surý
Well, for starters your primaries list 192.168.2.10, but your logs show 
connection from 192.168.1.1…

--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.


Re: Zone Transfers Being Refused

2023-07-31 Thread duluxoz

Yeap, that's what my issue is  :-)

On 31/07/2023 18:09, Ondřej Surý wrote:

Well, for starters your primaries list 192.168.2.10, but your logs show 
connection from 192.168.1.1…

--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.



Re: Zone Transfers Being Refused

2023-07-31 Thread Nick Tait via bind-users
Hi Dulux-Oz.

It looks like the router between the primary and secondary DNS servers is 
performing NAT on the packets it is forwarding between those subnets?

It would make your life much simpler if you can turn that off? I.e. only NAT 
packets going out to the Internet/your ISP?

Nick.
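
The diagnosis reached in this thread (a NOTIFY refused because it arrived from the router's address instead of the primary's) can be checked mechanically from the secondary's log. This is an added example, not code from any poster or from BIND; the function name, the verdict labels and the third sample log line are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Zone-level refusal line as logged on the secondary. "non-primary" is also
# accepted as an assumption, in case a BIND release words the message that way.
REFUSED = re.compile(
    r"zone (?P<zone>\S+)/IN: refused notify from non-(?:master|primary): "
    r"(?P<src>[0-9A-Fa-f.:]+)#\d+"
)

# Lines 1-2: the thread's log excerpt with the mail line-wrapping undone.
# Line 3: constructed for contrast (203.0.113.0/24 is a documentation range).
SAMPLE_LOG = [
    "31-Jul-2023 16:23:14.182 notify: info: client @0x7ff49061ecc8 "
    "192.168.1.1#36875: received notify for zone 'example.com'",
    "31-Jul-2023 16:23:14.182 general: info: zone example.com/IN: "
    "refused notify from non-master: 192.168.1.1#36875",
    "31-Jul-2023 16:25:02.417 general: info: zone example.com/IN: "
    "refused notify from non-master: 203.0.113.7#41122",
]


def triage_refused_notifies(lines, primaries, secondary_net):
    """Group refused NOTIFYs by (zone, source) and label each source.

    likely-nat      : source is on the secondary's own subnet although every
                      configured primary is off-link, which is what source NAT
                      on the router between the subnets produces.
    listed-primary  : source is in the supplied list, so that list does not
                      match what named is actually running with.
    unlisted-sender : anything else; the refusal is the ACL doing its job.
    """
    allowed = {ipaddress.ip_address(p) for p in primaries}
    net = ipaddress.ip_network(secondary_net)
    primaries_off_link = all(p not in net for p in allowed)

    counts = Counter()
    for line in lines:
        m = REFUSED.search(line)
        if m:
            counts[(m["zone"], ipaddress.ip_address(m["src"]))] += 1

    findings = []
    # Sort on strings so mixed IPv4/IPv6 sources do not raise TypeError.
    for (zone, src), n in sorted(counts.items(),
                                 key=lambda kv: (kv[0][0], str(kv[0][1]))):
        if src in allowed:
            verdict = "listed-primary"
        elif src in net and primaries_off_link:
            verdict = "likely-nat"
        else:
            verdict = "unlisted-sender"
        findings.append(
            {"zone": zone, "source": str(src), "count": n, "verdict": verdict}
        )
    return findings


if __name__ == "__main__":
    # Addresses from the thread: primary 192.168.2.10, secondary on 192.168.1.0/24.
    for f in triage_refused_notifies(SAMPLE_LOG, ["192.168.2.10"], "192.168.1.0/24"):
        print(f)
```

A `likely-nat` verdict points at the router's translation rules, not at the "primaries" ACL, so the ACL can stay as narrow as it is.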

zone <string> [ <class> ]

2023-07-31 Thread Reese Wang
I didn't find the format specification of <string> in the documentation here
https://bind9.readthedocs.io/en/latest/reference.html#zone-block-grammar

Can it contain wildcard characters? Will it cause problems if I define
hundreds of zones in the config file?

I'm setting up a forwarding resolver and I want to forward DNS
requests of specific domains to another DNS server instead of the
default one, to avoid DNS polluting.


Re: zone <string> [ <class> ]

2023-07-31 Thread Darren Ankney
Hi,

I'm fairly certain that the content of string is a valid DNS zone.
So, whatever is allowed by RFC 1034 is allowed there.  I'm not sure
BIND will emit an error, however, as I don't think it enforces any
domain label rules.  The zone may not work, however, if it is
incorrectly named.

Thank you,

Darren Ankney
