On Mon, Nov 21, 2016 at 7:02 PM, schilling <schilling2...@gmail.com> wrote:

> Added both TCP and UDP port 53, still seeing the log messages.
>
> Best,
>
> Shiling
>
> On Mon, Nov 21, 2016 at 5:45 PM, Anand Buddhdev <ana...@ripe.net> wrote:
>
>> On 22/11/2016 00:27, schilling wrote:
>>
>> > Thanks for the insight.
>> > I added the following rule
>> > sudo firewall-cmd --permanent --direct --get-all-rules
>> > [sudo] password for admin:
>> > ipv4 filter OUTPUT 0 -d 10.10.10.100 -p tcp -m tcp --dport=53 -j ACCEPT
>> > where 10.10.10.100 is our DNS master, still receiving the error.
>>
>> Why have you only allowed TCP port 53? What about UDP port 53? BIND
>> first sends a UDP query to the master for the zone's SOA record, to
>> determine if it needs to transfer the zone or not.
>>
>> Regards,
>> Anand
>>
>
>
I don't have a solution, but some debugging options:
I would suggest running packet traces with the same steps, with and without
the firewall, and compare the traces.
Also, if possible, turn on logging in the firewall and see what is being
blocked.
You could also turn on BIND debugging - see the appendix of the "DNS and
BIND" book for debugging help.

-- 
Bob Harold
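The refresh check Anand describes (a UDP SOA query to the master first, then a TCP transfer only if the master's serial is ahead) at the wire level, as an added example that is not from this thread, from BIND, or from ISC. It builds the UDP payload a secondary sends, parses the serial out of a constructed SOA response, and applies the RFC 1982 serial comparison a secondary uses to decide whether a transfer is needed. The zone name `example.test.`, the transaction ID, and the response bytes are all made up here; nothing touches the network.

```python
"""Added example: the SOA refresh check a secondary performs before deciding
whether to transfer a zone. The zone, txid and response below are constructed
for illustration; this is not BIND's code and does no network I/O."""
import struct

QTYPE_SOA = 6
QCLASS_IN = 1


def encode_name(name):
    """Wire-encode a DNS name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_soa_query(zone, txid=0x1234):
    """UDP payload of a non-recursive SOA query, i.e. what the secondary
    sends to the master on UDP/53 before any TCP transfer happens."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)
    return header + question


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, name ends
            return off + 2
        off += 1 + length


def parse_soa_serial(msg):
    """Extract the serial from the first SOA record in the answer section."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:                 # RCODE other than NOERROR
        raise ValueError("master returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):                # skip question: name + qtype + qclass
        off = _skip_name(msg, off) + 4
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_SOA:
            p = _skip_name(msg, off)   # MNAME
            p = _skip_name(msg, p)     # RNAME
            return struct.unpack("!I", msg[p:p + 4])[0]
        off += rdlen
    raise ValueError("no SOA record in answer section")


def serial_is_newer(master, local):
    """RFC 1982 serial-number arithmetic: True if `master` is 'after' `local`,
    including the wrap-around case near 2**32."""
    master &= 0xFFFFFFFF
    local &= 0xFFFFFFFF
    if master == local:
        return False
    return ((master - local) & 0xFFFFFFFF) < 0x80000000


def needs_transfer(response, local_serial):
    """The decision the secondary makes from the UDP reply: only when this is
    True does it open TCP/53 to the master for AXFR/IXFR."""
    return serial_is_newer(parse_soa_serial(response), local_serial)


def build_soa_response(zone, serial, txid=0x1234):
    """Constructed SOA reply (QR=1, AA=1) for testing; not captured from a master."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)
    question = encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)
    rdata = (encode_name("ns1." + zone) + encode_name("hostmaster." + zone)
             + struct.pack("!IIIII", serial, 3600, 900, 604800, 86400))
    # Owner name as a compression pointer to the question name at offset 12.
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_SOA, QCLASS_IN, 3600, len(rdata)) + rdata
    return header + question + rr


if __name__ == "__main__":
    reply = build_soa_response("example.test.", 2016112101)
    print("query bytes:", build_soa_query("example.test.").hex())
    print("master serial:", parse_soa_serial(reply))
    print("transfer needed (local 2016112100):", needs_transfer(reply, 2016112100))
```

The bytes from `build_soa_query()` are what a packet trace on the secondary shows leaving towards the master's UDP port 53; an OUTPUT rule that only permits TCP/53 lets the later AXFR connection through but not this first packet, so the serial check never completes and no transfer is attempted.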
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list