  #1  
5th March 2009, 16:44
grungy (Senior Member)

DNS zones not transferred to slave server anymore

I have a slave DNS server (BIND) which transfers zones from my ISPCONFIG3 server. Everything worked great until I updated to latest SVN, now the transfer of zones is refused:

53: failed while receiving responses: REFUSED


I checked all setting and logs...nothing....
  #2  
5th March 2009, 19:48
till (Super Moderator, Lüneburg, Germany)

Nothing has been changed in this part of ISPConfig 3 and I tested the zone transfers today, so something else must have been updated or changed too.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #3  
5th March 2009, 20:14
grungy (Senior Member)

Quote:
Originally Posted by till
Nothing has been changed in this part of ISPConfig 3 and I tested the zone transfers today, so something else must have been updated or changed too.
Thanks for your quick reply, good to know that it is not an ISPConfig issue.

I have no idea what is causing this: no iptables rules, connectivity is fine, mydns.conf did not change, I googled and googled and found nothing, did a trace to mydns....

Any ideas?
  #4  
5th March 2009, 20:23
till (Super Moderator, Lüneburg, Germany)

Is the IP address for the xfer destination correct?
  #5  
5th March 2009, 20:47
grungy (Senior Member)

I think I know where the problem is, such a stupid thing... somehow BIND got installed and was running on the same server where mydns is running.... dammit, this is a mystery.

I stopped the BIND service, restarted mydns and still I have the same problem.
  #6  
5th March 2009, 21:25
grungy (Senior Member)

I ran mydns with the verbose option:

# mydns -d -v

this is what I get:

Code:
mydns[9564]: 05-Mar-2009 20:23:19+626218 #0 60278 UDP MY_IP IN SOA domain.com. NOERROR - 1 1 2 0 LOG N QUERY ""
mydns[9566]: 05-Mar-2009 20:23:19+630278 #1 15965 TCP MY_IP IN AXFR domain.com. REFUSED AXFR_disabled 0 0 0 0 LOG N QUERY ""
mydns.conf:


Code:
## AUTOMATICALLY GENERATED BY DEBCONF. DO NOT MODIFY DATABASE
## INFORMATION (database, db-*)...
## PLEASE RUN 'dpkg-reconfigure mydns-mysql' INSTEAD.
## CHANGES TO THE FOLLOWING DIRECTIVES ARE NOT PRESERVED, BUT REPLACED,
## ON UPGRADE:
## user, group, pidfile, db-*, database

##
## /etc/mydns.conf
## Thu Aug 2 16:36:26 2007
## For more information, see mydns.conf(5).
##


# DATABASE INFORMATION

db-host = localhost # SQL server hostname
db-user = ispconfig # SQL server username
db-password = 1111111111 # SQL server password
database = dbispconfig # MyDNS database name


# GENERAL OPTIONS

user = nobody # Run with the permissions of this user
group = nogroup # Run with the permissions of this group
listen = * # Listen on these addresses ('*' for all)
no-listen = # Do not listen on these addresses


# CACHE OPTIONS

zone-cache-size = 2048 # Maximum number of elements stored in the zone cache
zone-cache-expire = 60 # Number of seconds after which cached zones expires
reply-cache-size = 2048 # Maximum number of elements stored in the reply cache
reply-cache-expire = 30 # Number of seconds after which cached replies expire


# ESOTERICA

log = LOG_DAEMON # Facility to use for program output (LOG_*/stdout/stderr)
pidfile = /var/run/mydns.pid # Path to PID file
timeout = 120 # Number of seconds after which queries time out
multicpu = 1 # Number of CPUs installed on your system
recursive = # Location of recursive resolver
allow-axfr = yes # Should AXFR be enabled?
allow-tcp = yes # Should TCP be enabled?
allow-update = no # Should DNS UPDATE be enabled?
ignore-minimum = no # Ignore minimum TTL for zone?
soa-table = dns_soa # Name of table containing SOA records
rr-table = dns_rr # Name of table containing RR data
soa-where = server_id = 1 # Extra WHERE clause for SOA queries
rr-where = server_id = 1 # Extra WHERE clause for RR queries
use-soa-active = yes # To fix bug 295 where active or inactive status is ignored.
use-rr-active = yes # To fix bug 295 where active or inactive status is ignored.

From the mydns manual:

Quote:
REFUSED
The query was refused due to server policy. This usually happens because
the client attempted to AXFR a zone that they were not allowed to transfer,
or because the client requested a name within a zone for which the server
is not authoritative.
11. If the previous field was anything but NOERROR, this is a human-readable reason why
the query failed, with any space characters in the string converted into underscore (‘_’)
characters. If the previous field was NOERROR, this field contains a dash (‘-’).
12. The number of resource records included in the question section of the reply.
13. The number of resource records included in the answer section of the reply.
14. The number of resource records included in the authority section of the reply.
15. The number of resource records included in the additional section of the reply.
16. The word LOG.
17. The character ‘Y’ if this was a cached reply, ‘N’ if it was not.
18. The opcode for this query – ‘QUERY’ or ‘UPDATE’.
19. If the previous field was ‘UPDATE’, this is a description of the update performed, enclosed
in quotation marks. For example, this field might contain ‘"test-a.example.com.
3600 IN A 0 1.2.3.4"’, indicating that for the zone specified, an A record was created
for test-a.example.com. with the value 1.2.3.4.

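An added example, not from the thread or the mydns project: a small Python parser for the query-log format shown above, flagging refused AXFR requests and separating the expected slave from unknown clients. Fields 11 onward follow the manual excerpt; the first ten (date, time, task, query id, protocol, client, class, type, name, rcode) are read off the posted lines, which is an assumption, and the sample lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample lines modelled on the format posted above (documentation
# address ranges, not real hosts). Fields 11-19 follow the manual excerpt
# quoted in the thread; the first ten (date, time, task, query id, protocol,
# client, class, type, name, rcode) are read off the posted lines.
SAMPLE_LOG = """\
mydns[9564]: 05-Mar-2009 20:23:19+626218 #0 60278 UDP 192.0.2.10 IN SOA domain.com. NOERROR - 1 1 2 0 LOG N QUERY ""
mydns[9566]: 05-Mar-2009 20:23:19+630278 #1 15965 TCP 192.0.2.10 IN AXFR domain.com. REFUSED AXFR_disabled 0 0 0 0 LOG N QUERY ""
mydns[9566]: 05-Mar-2009 20:24:01+100000 #2 15966 TCP 198.51.100.7 IN AXFR domain.com. REFUSED AXFR_disabled 0 0 0 0 LOG N QUERY ""
mydns[9566]: 05-Mar-2009 20:25:30+200000 #3 15967 TCP 192.0.2.10 IN AXFR domain.com. NOERROR - 1 5 0 0 LOG N QUERY ""
"""

LINE_RE = re.compile(r"^mydns\[(?P<pid>\d+)\]: (?P<rest>.*)$")

@dataclass
class QueryLogEntry:
    pid: int
    client: str
    qtype: str
    qname: str
    rcode: str
    reason: str   # field 11: "-" on NOERROR, else the refusal reason
    opcode: str

def parse_line(line: str) -> Optional[QueryLogEntry]:
    """Split one mydns query-log line into its space-separated fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    f = m.group("rest").split(" ", 18)   # 19 fields; field 19 is quoted
    if len(f) < 18:
        return None
    return QueryLogEntry(int(m.group("pid")), f[5], f[7], f[8], f[9], f[10], f[17])

def refused_axfr(log_text: str, expected_slaves: Set[str]) -> List[dict]:
    """List every refused AXFR; known_slave=True is a misconfigured master/slave
    pair (the thread's symptom), False is an unknown client asking for a copy
    of the zone, which is the event worth alerting on."""
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e.qtype == "AXFR" and e.rcode == "REFUSED":
            hits.append({"client": e.client, "zone": e.qname, "reason": e.reason,
                         "known_slave": e.client in expected_slaves})
    return hits
```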
  #7  
6th March 2009, 15:12
grungy (Senior Member)

Any ideas? I am struggling here....
  #8  
6th March 2009, 16:12
grungy (Senior Member)

I recompiled the mydns Debian package with the debug option; this is what I get:


Code:
mydns[5372]: IP_SLAVE_DNS: 000 : task_init(0x80ada80) from tcp.c:62
mydns[5372]: IP_SLAVE_DNS: 000 : enqueued (by task.c:293)
mydns[5372]: IP_SLAVE_DNS: TCP connection accepted
mydns[5372]: IP_SLAVE_DNS: 000 : starting task_process() with NEED_READ status
mydns[5372]: last message repeated 2 times
mydns[5372]: IP_SLAVE_DNS: 2+29 TCP octets in
mydns[5372]: new_task(0x80ada80, 0x807de18, 29)
mydns[5372]: IP_SLAVE_DNS: 000 : id=41391 qr=0 opcode=QUERY aa=0 tc=0 rd=0 ra=0 z=0 rcode=0
mydns[5372]: IP_SLAVE_DNS: 000 : qd=1 an=0 ns=0 ar=0
mydns[5372]: remembering name "domain.com." at offset 12
mydns[5372]: remembering name "com." at offset 20
mydns[5372]: AXFR: process started on pid 5568 for TCP fd 9, task ID 5
mydns[5568]: IP_SLAVE_DNS: AXFR domain.com.: Starting AXFR for task ID 5
mydns[5568]: AXFR: domain.com.: SOA record 10
mydns[5568]: IP_SLAVE_DNS: AXFR domain.com.: Beginning zone transfer
mydns[5568]: IP_SLAVE_DNS: AXFR domain.com.: dnserror(): REFUSED AXFR_disabled from axfr.c:204
mydns[5568]: IP_SLAVE_DNS: AXFR domain.com.: reply:     id = 41391
mydns[5568]: IP_SLAVE_DNS: AXFR domain.com.: reply:     qr = 1 (message is a response)
mydns[5568]: IP_SLAVE_DNS: AXFR domain.com.: reply: opcode = 0 (QUERY)
mydns[5568]: IP_SLAVE_DNS: AXFR domain.com.: reply:     aa = 0 (answer not authoritative)
mydns[5568]: IP_SLAVE_DNS: AXFR domain.com.: reply:     tc = 0 (message not truncated)
mydns[5568]: IP_SLAVE_DNS: AXFR domain.com.: reply:     rd = 0 (no recursion)
mydns[5568]: IP_SLAVE_DNS: AXFR domain.com.: reply:     ra = 0 (recursion unavailable)
mydns[5568]: IP_SLAVE_DNS: AXFR domain.com.: reply:  rcode = 5 (REFUSED)
mydns[5568]: 06-Mar-2009 15:07:17+581455 #5 41391 TCP IP_SLAVE_DNS IN AXFR domain.com. REFUSED AXFR_disabled 0 0 0 0 LOG N QUERY ""
mydns[5372]: child pid 5568 exited successfully
mydns[5372]: IP_SLAVE_DNS: AXFR domain.com.: starting task_process() with NEED_READ status
mydns[5372]: IP_SLAVE_DNS: AXFR domain.com.: dequeued (by task.c:474)
mydns[5372]: IP_SLAVE_DNS: AXFR domain.com.: task_free(0x80ada80) from queue.c:119

This is the function from axfr.c:


Code:
/**************************************************************************************************
	CHECK_XFER
	If the "xfer" column exists in the soa table, it should contain a list of wildcards separated
	by commas.  In order for this zone transfer to continue, one of the wildcards must match
	the client's IP address.
**************************************************************************************************/
static void
check_xfer(TASK *t, MYDNS_SOA *soa)
{
	SQL_RES	*res = NULL;
	SQL_ROW	row;
	char		ip[256];
	char		query[512];
	size_t	querylen;
	int		ok = 0;

	if (!mydns_soa_use_xfer)
		return;

	strncpy(ip, clientaddr(t), sizeof(ip)-1);

	querylen = snprintf(query, sizeof(query), "SELECT xfer FROM %s WHERE id=%u%s",
		mydns_soa_table_name, soa->id, mydns_rr_use_active ? " AND active=1" : "");

	if (!(res = sql_query(sql, query, querylen)))
		ErrSQL(sql, "%s: %s", desctask(t), _("error loading zone transfer access rules"));

	if ((row = sql_getrow(res)))
	{
		char *wild, *r;

#if DEBUG_ENABLED && DEBUG_AXFR
		Debug("%s: checking AXFR access rule '%s'", desctask(t), row[0]);
#endif
		for (r = row[0]; !ok && (wild = strsep(&r, ",")); )
		{
			if (strchr(wild, '/'))
			{
				if (t->family == AF_INET)
					ok = in_cidr(wild, t->addr4.sin_addr);
			}
			else if (wildcard_match(wild, ip))
				ok = 1;
		}
	}
	sql_free(res);

	if (!ok)
	{
		dnserror(t, DNS_RCODE_REFUSED, ERR_NO_AXFR);
		axfr_reply(t);
		axfr_error(t, _("access denied"));
	}
}
/*--- check_xfer() ------------------------------------------------------------------------------*/

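An added example, not the project's code: a Python rendering of the matching loop in check_xfer() above, so a zone's xfer value can be tested against a slave address offline. It assumes that a rule containing '/' is an IPv4 CIDR prefix (the C only tests AF_INET) and that wildcard_match() behaves like a shell-style glob; under the posted code an empty or NULL column matches nothing and refuses every client, even with allow-axfr = yes in mydns.conf.

```python
import fnmatch
import ipaddress
from typing import Dict, Iterable

# Reimplementation of the matching loop in check_xfer() above, for testing a
# zone's xfer value against a slave address offline. Assumptions: the column
# holds comma-separated rules (as the C comment says), a rule containing '/'
# is an IPv4 CIDR prefix (the C only checks AF_INET), and wildcard_match() is
# assumed to behave like a shell-style '*'/'?' glob on the textual address.

def xfer_allowed(xfer_value, client_ip: str) -> bool:
    """True if some rule in xfer_value matches client_ip; False means REFUSED."""
    # SQL NULL or an empty string yields no matching rule, so the zone is
    # refused to everyone even though allow-axfr = yes in mydns.conf.
    if not xfer_value:
        return False
    addr = ipaddress.ip_address(client_ip)
    # No whitespace trimming, mirroring strsep(): "a, b" leaves " b" unmatched.
    for rule in xfer_value.split(","):
        if "/" in rule:
            if addr.version != 4:
                continue                       # in_cidr() is IPv4-only
            try:
                net = ipaddress.ip_network(rule, strict=False)
            except ValueError:
                continue                       # malformed prefix never matches
            if addr in net:
                return True
        elif fnmatch.fnmatchcase(client_ip, rule):
            return True
    return False

def audit_zone(xfer_value, slaves: Iterable[str]) -> Dict[str, bool]:
    """Map each configured slave to whether the master would serve it AXFR."""
    return {s: xfer_allowed(xfer_value, s) for s in slaves}
```

If the zone's xfer field lists the slave and the audit still returns False, look for stray whitespace around the commas, since the C code splits on commas only.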
  #9  
7th March 2009, 09:43
Antennipasi (ISPConfig Developer, Finland)

Quote:
Originally Posted by grungy
I have a slave DNS server (BIND) which transfers zones from my ISPCONFIG3 server.
Try to disable incremental transfers on the slave. Modify the slave BIND's configuration to always ask ISPConfig for the full zone:

Code:
server IP_MASTER_DNS {
        provide-ixfr no ;
        request-ixfr no ;
};
This is how I got my BINDs to act as slaves to ISPConfig during the transition to mydns replication.
  #10  
7th March 2009, 10:53
grungy (Senior Member)

Antennipasi, thanks for your reply, but this didn't help.

Do you have any other ideas?