Problem with slave DNS

Discussion in 'Installation/Configuration' started by DarkBen, Jan 3, 2006.

  1. DarkBen

    DarkBen New Member

    I have an ISPConfig perfect setup on Debian 3.1 and i have a problem with slave DNS. When i create a slave zone on my ISPCONFIG, i have this error in my syslog file :

    Code:
    Jan  3 18:19:15 jedi named[15319]: transfer of 'domain.org/IN' from 195 ... ... ...#53: failed while receiving responses: REFUSED
    Jan  3 18:19:15 jedi named[15319]: transfer of 'domain.org/IN' from 195 ... ... ...#53: end of transfer
    
    My named.conf seems to be good but the zone file isn't created. It seems to be a problem with a chmod on a directory...?

    /var/lib/named = 755 root:root

    /var/lib/named/etc = 755 root:root

    /var/lib/named/etc/bind = 755 bind:bind


    On my primary DNS server i have this in my named.conf :

    Code:
    zone "domain.org" {
             type master;
             file "domain.zone";
             allow-transfer {195 ... ... ...; };
    };
    
    My primary DNS server is not an IPSconfig server.

    Could you help me please ?

    Thanks for your great work ;)
     
  2. falko

    falko Super Moderator

    The IP address in allow-transfer must be the IP address of the secondary DNS server. Also make sure that the firewall doesn't block port 53 (TCP and UDP)!
     
  3. DarkBen

    DarkBen New Member

    Thanks for your help Falko, but my firewall is off and ip address on my primary server is ip of my ISPconfig server (slave)... If you have another idea i take it ;)

    This is in my named.conf on my secondary DNS (ISPConfig)

    Code:
    zone "domain.org" {
             type slave;
             file "sec.domain.org";
             masters { ip of my primary DNS };
    };
    In fact the file "sec.domain.org" isn't created...
     
    Last edited: Jan 4, 2006
  4. till

    till Super Moderator

    The domain sec.domain.org is created as master record on the primary DNS server?
    The firewall on the primary SNS allows zone transfers?
    Maybe you have disabld zone transfers on the primary DNS server?
     
  5. falko

    falko Super Moderator

    I found this on http://www.isc.org/index.pl?/sw/bind/FAQ.php:

     
  6. DarkBen

    DarkBen New Member

    I think it is a permission problem because all my aothers secondary DNS are ok.
    On my ISPConfig i have this when i do a

    Code:
    ps aux | grep named
    Code:
    bind     21799  0.0  0.2 29404 2656 ?        Ss   11:42   0:00 /usr/sbin/named -u bind -t /var/lib/named
    
    What are the good permissions for my directory /var/lib/named ?

    Where should be created sec... files ?

    When i restart my primary DNS i have this in my syslog :

    Code:
    Jan  4 12:06:30 xplora named[711]: client 195... ... ... #48283: zone transfer 'domain.org/IN' denied
    Jan  4 12:06:30 xplora named[16155]: received notify for zone 'another_domain.net'
    Jan  4 12:06:30 xplora named[16155]: received notify for zone 'another_domain.org'
    It seems to be ok for others secondary DNS...
     
    Last edited: Jan 4, 2006
  7. falko

    falko Super Moderator

    Please post the output of
    Code:
    ls -la /var/lib/named
    Looks like your primary DNS is blocking the transfer which means it isn't a permissions problem on your secondary...
     
  8. DarkBen

    DarkBen New Member

    ok thanks Falko

    Code:
    ls -la /var/lib/named
    Code:
    drwxrwxr-x   5 root root 4096 2005-11-25 00:00 .
    drwxr-xr-x  23 root root 4096 2005-11-25 14:48 ..
    drwxrwxr-x   2 root root 4096 2005-11-24 18:35 dev
    drwxrwxr-x   3 root root 4096 2005-11-25 00:00 etc
    drwxrwxr-x   4 root root 4096 2005-11-25 00:00 var
    
    I search on my primary DNS but i don't find where is the problem :(
     
  9. falko

    falko Super Moderator

    This does look like a permissions problem! Is your Bind running as user named and group named? Then you should do this:
    Code:
    chown -R named:named /var/lib/named
    otherwise Bind does not have the permission to write to that directory.
     
  10. DarkBen

    DarkBen New Member

    Ok Falko but i haven't any named user on my ispconfig (perfect setup sarge 3.1) !!!

    when i do a ps aux :

    Code:
    ps aux | grep named
    i have this answer :

    Code:
    bind     15714  0.0  0.2 29408 2664 ?        Ss   09:45   0:00 /usr/sbin/named -u bind -t /var/lib/named
    
    Perhaps the solution is :

    Code:
    chown -R bind:bind /var/lib/named
    What do you think ?
     
  11. till

    till Super Moderator

    Yes, your named user is bind. Do the chown to the bind user.
     
  12. DarkBen

    DarkBen New Member

    I have this answer now :(

    Code:
    Jan  5 10:58:25 jedi named[20909]: transfer of 'domain.org/IN' from 195 ... ... ...#53: failed while receiving responses: SERVFAIL
     
  13. DarkBen

    DarkBen New Member

    A dig on my primary server :

    Code:
    dig @localhost domain.org
    Code:
    ; <<>> DiG 9.2.4 <<>> @localhost domain.org
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24453
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;domain.org.               IN      A
    
    ;; AUTHORITY SECTION:
    domain.org.        38400   IN      SOA     serveur.domain.com. root.domain.org. 2006010402 28800 14400 3600000 86400
    
    ;; Query time: 7 msec
    ;; SERVER: 127.0.0.1#53(localhost)
    ;; WHEN: Thu Jan  5 11:01:04 2006
    ;; MSG SIZE  rcvd: 93
    
    On my secondary (ISPConfig)

    Code:
    dig @localhost domain.org
    Code:
    ; <<>> DiG 9.2.4 <<>> @localhost domain.org
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51956
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;domain.org.               IN      A
    
    ;; Query time: 1 msec
    ;; SERVER: 127.0.0.1#53(localhost)
    ;; WHEN: Thu Jan  5 11:07:51 2006
    ;; MSG SIZE  rcvd: 33
    
    I think there is a problem with permissions but i dont know where :(
     
  14. falko

    falko Super Moderator

    Is your primary DNS the authoritative DNS for domain.org?
     
  15. DarkBen

    DarkBen New Member

    Yes it is the SOA...
     
  16. DarkBen

    DarkBen New Member

    This is ok !

    there was a problem with my primary DNS on allow-transfer and notify options.

    thanks for your help !
     

Share This Page