DNS Question, how to allow BIND9 in webmin to allow secondary DNS zone transfer

  • keyvan
  • 07/16/09
Posted: Wed, 2010-03-03 06:56

Hi,

My domain's 'name-servers' entry points to my webmin/virtualminpro box. I would like to assign a secondary name-server, as most domain registrars require two name-servers.

I set up my ISP's name server as secondary. But it comes back with the following error message.

09:48:17 *** Warning: Failed to zone transfer domain.com from 123.123.123.123 (RCODE 5 Query Refused)

Which options in webmin/bind9 do I have to enable so that the webmin box will allow my ISP's name server to become a secondary name server?

My DNS knowledge is limited :-(

Regards,

Keyvan


Howdy, First, you don't

  • andreychek
  • 01/05/09
  • Wed, 2010-03-03 14:36

Howdy,

First, you don't technically have to use two DNS servers, you could simply use two IP addresses on one server. While that does defeat the point of a redundant DNS setup, it would get you started :-)

As far as using your ISP's name server as a secondary goes -- that only works if your ISP is configured to allow such a thing. While perhaps a handful can do that, the vast majority aren't set up to do that.

-Eric


Hi Eric, So I made myself go

  • keyvan
  • 07/16/09
  • Thu, 2010-03-04 09:44

Hi Eric,

So I made myself go through a crash course in DNS.
This is what my named.conf.local looks like for the domain.

zone "example.com" {
        type master;
        file "/var/lib/bind/example.hosts";
        allow-transfer {
                127.0.0.1;
                localnets;
                123.117.237.123;
                123.177.237.124;
        };
        notify yes;

        also-notify {
                123.117.237.205;
                123.177.237.66;
        };
};

My ISP does allow you to delegate its DNS server as a slave.
However, only one of its name-servers is able to connect; the second one gets rejected.

Mar  4 13:49:25 IS-10633 named[15696]: client 123.117.237.205#4629: transfer of 'sat-hd.com/IN': AXFR started
Mar  4 13:49:25 IS-10633 named[15696]: client 123.117.237.205#4629: transfer of 'sat-hd.com/IN': AXFR ended
Mar  4 13:49:40 IS-10633 named[15696]: client 123.117.237.66#3784: zone transfer 'sat-hd.com/AXFR/IN' denied

This is the error message from my ISP DNS server:

12:49:58 *** Warning: Failed to zone transfer example.com from 123.129.227.180 (RCODE 5 Query Refused) 

Also, my daemon.log is filled with megabytes of 'denied' entries. Is this normal?

Mar  4 13:50:02 IS-10633 named[15696]: client 127.0.0.1#44063: query 'www.example.com/A/IN' denied
Mar  4 13:50:02 IS-10633 named[15696]: client 87.117.198.199#28181: query 'www.example.com/A/IN' denied
Mar  4 13:55:01 IS-10633 named[15696]: client 127.0.0.1#41088: query 'www.example.com/A/IN' denied
Mar  4 13:55:01 IS-10633 named[15696]: client 87.117.198.199#10926: query 'www.example.com/A/IN' denied
Mar  4 14:00:02 IS-10633 named[15696]: client 127.0.0.1#50249: query 'www.example.com/A/IN' denied

Notice how localhost is also denied. Is that normal?

Regards,

Keyvan


Did you resolve this?

  • danielj
  • 03/22/11
  • Tue, 2011-03-22 10:39

@keyvan, did you get this figured out? I am having the exact same problem with 1 server being denied and the other working. It's driving me crazy.

Thanks,

Daniel


All slave servers need to be

  • Locutus
  • 10/10/10
  • Thu, 2011-03-24 07:02

All slave servers need to be able to do zone transfers from the master. That is done via the allow-transfer directive in the zone options.

By default, Virtualmin enters any slave servers it knows about there, either through the "DNS Cluster Server" feature, or through the template option BIND DNS Domain -> Additional manually configured nameservers.

Alternatively, you can use the option BIND DNS Domain -> Additional named.conf directives for new zones, which is a little more low-level.

In the end, Virtualmin needs to make these additions to the zone options, which you can verify in Webmin's BIND module:

also-notify {
    <slave-IP>;
    <slave-IP>;
    <slave-IP>;
};
notify yes;
allow-transfer {
    127.0.0.1;
    localnets;
    <slave-IP>;
    <slave-IP>;
};
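The mismatch in keyvan's stanza (two hosts in also-notify, two different hosts in allow-transfer) is exactly the situation Locutus describes, and it is easy to catch before a slave logs "zone transfer denied". The following script is an added example, not Virtualmin's or Webmin's own code: it parses a zone stanza with a small regex (no full named.conf grammar), reports every also-notify host that allow-transfer does not list, flags non-host entries such as localnets that widen the transfer ACL, and extracts the client address from a denial line in the format shown in the thread. The stanza and log line are constructed samples modelled on the posts above.

```python
import re
from ipaddress import ip_address

# Constructed sample mirroring the stanza in the thread: the hosts that get
# NOTIFY are not the hosts permitted to AXFR, so the second slave is refused.
SAMPLE_ZONE = """
zone "example.com" {
        type master;
        file "/var/lib/bind/example.hosts";
        allow-transfer { 127.0.0.1; localnets; 123.117.237.123; 123.177.237.124; };
        notify yes;
        also-notify { 123.117.237.205; 123.177.237.66; };
};
"""

# Constructed log line in the syslog format named uses for a refused AXFR.
LOG_LINE = ("Mar  4 13:49:40 IS-10633 named[15696]: client 123.177.237.66#3784: "
            "zone transfer 'example.com/AXFR/IN' denied")


def acl_entries(stanza, directive):
    """Return the ';'-separated entries of the first `directive { ... }` block."""
    m = re.search(r'\b%s\s*\{([^}]*)\}' % re.escape(directive), stanza)
    if not m:
        return []
    return [e.strip() for e in m.group(1).split(';') if e.strip()]


def _is_single_host(entry):
    """True for a literal IPv4/IPv6 address; False for any, localnets, prefixes."""
    try:
        ip_address(entry)
        return True
    except ValueError:
        return False


def audit_transfers(stanza):
    """Return (missing, broad): notified slaves absent from allow-transfer, and
    allow-transfer entries that admit more than one host."""
    allowed = acl_entries(stanza, 'allow-transfer')
    notified = acl_entries(stanza, 'also-notify')
    missing = [ip for ip in notified if ip not in allowed]
    broad = [e for e in allowed if not _is_single_host(e)]
    return missing, broad


def denied_client(line):
    """Extract the client IP from a named 'zone transfer ... denied' log line."""
    m = re.search(r"client (\S+?)#\d+: zone transfer '[^']*' denied", line)
    return m.group(1) if m else None
```

Running `audit_transfers(SAMPLE_ZONE)` lists both also-notify hosts as missing, and `denied_client(LOG_LINE)` returns the refused slave, which is one of them; adding those addresses to allow-transfer (and dropping localnets if the master sits on a shared network) is the fix.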