DNS zone transfer

Discussion in 'Installation/Configuration' started by binaryrogue, May 1, 2009.

  1. binaryrogue

    binaryrogue New Member

    I would like to allow zone transfer to a backup DNS server which is hosted by EditDNS. The IPSConfig box is currently now acting as the master and accepting DNS request from outside.

    What else do I need to do besides adding the IP's "slave domain" where it says:
    Allow zone transfers to these IPs (comma separated list) under the DNS tab for my zone?

    For some reason it's not working. Are there any logs that I can look to see if the request being made from EditDNS? Do I need to modify any config files?
     
    Last edited: May 1, 2009
  2. falko

    falko Super Moderator

    Can you post your /etc/mydns.conf file?
     
  3. binaryrogue

    binaryrogue New Member

    ## AUTOMATICALLY GENERATED BY DEBCONF. DO NOT MODIFY DATABASE
    ## INFORMATION (database, db-*)...
    ## PLEASE RUN 'dpkg-reconfigure mydns-mysql' INSTEAD.
    ## CHANGES TO THE FOLLOWING DIRECTIVES ARE NOT PRESERVED, BUT REPLACED,
    ## ON UPGRADE:
    ## user, group, pidfile, db-*, database

    ##
    ## /etc/mydns.conf
    ## Thu Aug 2 16:36:26 2007
    ## For more information, see mydns.conf(5).
    ##


    # DATABASE INFORMATION

    db-host = localhost # SQL server hostname
    db-user = ispconfig # SQL server username
    db-password = xxxx # SQL server password
    database = dbispconfig # MyDNS database name


    # GENERAL OPTIONS

    user = nobody # Run with the permissions of this user
    group = nogroup # Run with the permissions of this group
    listen = * # Listen on these addresses ('*' for all)
    no-listen = # Do not listen on these addresses


    # CACHE OPTIONS

    zone-cache-size = 2048 # Maximum number of elements stored in the zone cache
    zone-cache-expire = 60 # Number of seconds after which cached zones expires
    reply-cache-size = 2048 # Maximum number of elements stored in the reply cache
    reply-cache-expire = 30 # Number of seconds after which cached replies expire


    # ESOTERICA

    log = LOG_DAEMON # Facility to use for program output (LOG_*/stdout/stderr)
    pidfile = /var/run/mydns.pid # Path to PID file
    timeout = 120 # Number of seconds after which queries time out
    multicpu = 1 # Number of CPUs installed on your system
    recursive = 68.87.78.130 # Location of recursive resolver
    allow-axfr = yes # Should AXFR be enabled?
    allow-tcp = yes # Should TCP be enabled?
    allow-update = no # Should DNS UPDATE be enabled?
    ignore-minimum = no # Ignore minimum TTL for zone?
    soa-table = dns_soa # Name of table containing SOA records
    rr-table = dns_rr # Name of table containing RR data
    soa-where = server_id = 2 # Extra WHERE clause for SOA queries
    rr-where = server_id = 2 # Extra WHERE clause for RR queries
    use-soa-active = yes # To fix bug 295 where active or inactive status is ignored.
    use-rr-active = yes# To fix bug 295 where active or inactive status is ignored.
     
    Last edited by a moderator: May 4, 2009
  4. falko

    falko Super Moderator

    That looks ok.
    Please make sure that port 53 (TCP and UDP) is open in your firewall.
     
  5. binaryrogue

    binaryrogue New Member

    Those DNS ports are defenitley open from the firewall. It must be EditDNS issue then. Thanks.
     
  6. falko

    falko Super Moderator

    In the MyDNS database, you can specify the slave server IP that will be allowed to connect to the master. You can try to add the IP of the slave there.
     
  7. binaryrogue

    binaryrogue New Member

    I'm looking inside the dbispconfig database and can't figure where to input the slave IP's.
    *update - I see where it's located now which is under the dns_soa table. I do see the same IP's that I put in from the web interface.

    I just got a responds from EditDNS stating that my nameserver is refusing axfr (tcp 53) connections:
    These ports are open, else my websites would not be accessible. I also ran a port scanner from outside and port 53/tcp and udp are open.

    Question - Under the DNS zones, do I need to manually add EditDNS nameservers as well?
     
    Last edited: May 5, 2009
  8. binaryrogue

    binaryrogue New Member

    I also tried to run this command from the server itself and it's failing.

    Code:
    [root@ispconfig3 ~]# dig @10.0.0.7 mydomain.com axfr
    
    ; <<>> DiG 9.5.1-P2-RedHat-9.5.1-2.P2.fc10 <<>> @10.0.0.7 mydomain.com axfr
    ; (1 server found)
    ;; global options:  printcmd
    ; Transfer failed.
     
  9. till

    till Super Moderator

    The slave IP's have to be entered directly into the field "Allow zone transfers to
    these IPs (comma separated list)" in the ispconfig interface that is in the dns zone form. No need to edit anything in the database.
     
  10. binaryrogue

    binaryrogue New Member

    Are there any logs for me to look at to see what's going on? It's just not working..

    btw: I have two servers doing replication. The 2nd server acts only as my DNS.
     
  11. wxman

    wxman New Member

    I had a quick question about the /etc/mydns.conf file. Where it says:
    Code:
    multicpu = 1 # Number of CPUs installed on your system
    recursive = 68.87.78.130 # Location of recursive resolver
    if I have a dual core CPU should it say 2? Also is 'recursive' showing the name servers? I have dual core's and mine says '1', and there's nothing under the 'recursive' setting.
     
  12. falko

    falko Super Moderator

    If you want MyDNS to use both CPUs, then yes.

    If you want your MyDNS to resolve domains/hostnames for which it is not authoritative, then you need to put another nameserver under recursive (e.g. a nameserver of your ISP).
     
  13. wxman

    wxman New Member

    Thanks. Glad to know.
     
  14. binaryrogue

    binaryrogue New Member

    Is there a test I can run on the machine itself to see if it's working?
     
  15. falko

    falko Super Moderator

    Take a look at the logs on the slave (if you're on Debian/Ubuntu, it's /var/log/syslog). This will tell you if zone transfers are successful or not.
     
  16. binaryrogue

    binaryrogue New Member

    I'm in the process of asking them (EditDNS) for logs.

    They are just telling me that it's refusing axfr (tcp 53) connections:
    [root@ns2 ~]# dig @1.1.1.1 mydomain.com axfr

    ; <<>> DiG 9.3.4-P1 <<>> dig @1.1.1.1 mydomain.com axfr
    ; (1 server found)
    ;; global options: printcmd
    ; Transfer failed.

    --

    If I telnet to the ispconfig box from outside on port 53, it connects fine.

    [root@romain ~]# telnet mydomain.com 53
    Trying 1.1.1.1...
    Connected to mydomain.com (1.1.1.1).
    Escape character is '^]'.
     
  17. binaryrogue

    binaryrogue New Member

    Isn't this command suppose to verify that my dns server accepts axfr transfers? I added the IP of itself (10.0.0.7) to the Allow zone transfers to
    these IPs (comma separated list) as well.


    Code:
    [root@ispconfig3 ~]# dig @10.0.0.7 mydomain.com axfr
    
    ; <<>> DiG 9.5.1-P2-RedHat-9.5.1-2.P2.fc10 <<>> @10.0.0.7 mydomain.com axfr
    ; (1 server found)
    ;; global options:  printcmd
    ; Transfer failed.
     
  18. tio289

    tio289 Member

    try to add only your public IP and run

    Code:
    dig axfr zone.sk @1.2.3.4
     
  19. binaryrogue

    binaryrogue New Member

    I added my public IP and same result.


    [root@ispc2 ~]# dig axfr zone.sk @1.2.3.4

    ; <<>> DiG 9.5.1-P2-RedHat-9.5.1-2.P2.fc10 <<>> axfr zone.sk @1.2.3.4
    ;; global options: printcmd
    ;; connection timed out; no servers could be reached
     
  20. tio289

    tio289 Member

    yeah:-D

    you change zone.sk to your zone name and 1.2.3.4 change to you server IP it is example only

    if you have GTalk I can help you. (my Gtalk is feldsam@gmail.com)
     

Share This Page