Hi Dulux-Oz.

It looks like the router between the primary and secondary DNS servers is performing NAT on the packets it is forwarding between those subnets?

It would make your life much simpler if you can turn that off? I.e. only NAT packets going out to the Internet/your ISP?

Nick.

-------- Original message --------
From: Ondřej Surý <ond...@isc.org>
Date: 31/07/23 8:10 PM (GMT+12:00)
To: matt...@peregrineit.net
Cc: bind-users@lists.isc.org
Subject: Re: Zone Transfers Being Refused

Well, for starters your primaries list 192.168.2.10, but your logs show connection from 192.168.1.1…

--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 31. 7. 2023, at 9:51, duluxoz <dulu...@gmail.com> wrote:
>
> Hi Ondřej,
>
> Sorry, force of habit (re: "example.com").
>
> External Secondary DNS Server (ns1.mjb-co.com):
>
> ~~~
> acl "bogusnets" {
>     !"internal_hosts";
>     0.0.0.0/8;
>     10.0.0.0/8;
>     172.16.0.0/12;
>     192.0.2.0/24;
>     192.168.0.0/16;
>     224.0.0.0/3;
> };
> acl "internal_hosts" {
>     192.168.1.0/24;
>     192.168.2.0/24;
>     192.168.3.0/24;
> };
> acl "secondary_external_servers" {
>     192.168.1.10/32;
> };
> acl "secondary_internal_servers" {
>     192.168.2.11/32;
>     192.168.2.12/32;
> };
> acl "ddns_servers" {
>     "localhost";
>     192.168.2.10/32;
>     192.168.2.11/32;
> };
> acl "rndc_servers" {
>     "localhost";
>     192.168.2.10/32;
> };
> acl "stats_hosts" {
>     192.168.2.0/24;
> };
> controls {
>     inet 0.0.0.0 port 953 allow {
>         "rndc_servers";
>     } keys {
>         "rndc-key";
>     };
> };
> logging {
>     channel "auth_servers_log" {
>         file "/var/log/named/auth_servers.log" versions 3 size 20971520 suffix timestamp;
>         severity info;
>         print-time yes; print-severity yes; print-category yes;
>     };
>     channel "client_security_log" {
>         file "/var/log/named/client_security.log" versions 3 size 20971520 suffix timestamp;
>         severity info;
>         print-time yes; print-severity yes; print-category yes;
>     };
>     channel "default_log" {
>         file "/var/log/named/default.log" versions 3 size 20971520 suffix timestamp;
>         severity info;
>         print-time yes; print-severity yes; print-category yes;
>     };
>     channel "default_debug_log" {
>         file "/var/log/named/default_debug.log" versions 3 size 20971520 suffix timestamp;
>         severity dynamic;
>         print-time yes; print-severity yes; print-category yes;
>     };
>     channel "ddns_log" {
>         file "/var/log/named/ddns.log" versions 3 size 20971520 suffix timestamp;
>         severity info;
>         print-time yes; print-severity yes; print-category yes;
>     };
>     channel "dnssec_log" {
>         file "/var/log/named/dnssec.log" versions 3 size 20971520 suffix timestamp;
>         severity info;
>         print-time yes; print-severity yes; print-category yes;
>     };
>     channel "dnstap_log" {
>         file "/var/log/named/dnstap.log" versions 3 size 20971520 suffix timestamp;
>         severity info;
>         print-time yes; print-severity yes; print-category yes;
>     };
>     channel "queries_log" {
>         file "/var/log/named/queries.log" versions 3 size 20971520 suffix timestamp;
>         severity info;
>         print-time yes; print-severity yes; print-category yes;
>     };
>     channel "query_errors_log" {
>         file "/var/log/named/query_errors.log" versions 3 size 20971520 suffix timestamp;
>         severity dynamic;
>         print-time yes; print-severity yes; print-category yes;
>     };
>     channel "rate_limiting_log" {
>         file "/var/named/log/rate_limiting.log" versions 3 size 20971520 suffix timestamp;
>         severity info;
>         print-time yes; print-severity yes; print-category yes;
>     };
>     channel "rpz_log" {
>         file "/var/named/log/rpz.log" versions 3 size 20971520 suffix timestamp;
>         severity info;
>         print-time yes; print-severity yes; print-category yes;
>     };
>     channel "zone_transfers_log" {
>         file "/var/log/named/zone_transfers.log" versions 3 size 20971520 suffix timestamp;
>         severity info;
>         print-time yes; print-severity yes; print-category yes;
>     };
>     category "client" { "client_security_log"; "default_debug"; };
>     category "dnssec" { "dnssec_log"; "default_debug"; };
>     category "default" { "default_syslog"; "default_debug"; "default_log"; };
>     category "delegation-only" { "auth_servers_log"; "default_debug"; };
>     category "edns-disabled" { "auth_servers_log"; "default_debug"; };
>     category "lame-servers" { "auth_servers_log"; "default_debug"; };
>     category "notify" { "zone_transfers_log"; "default_debug"; };
>     category "resolver" { "auth_servers_log"; "default_debug"; };
>     category "security" { "client_security_log"; "default_debug"; };
>     category "update" { "ddns_log"; "default_debug"; };
>     category "update-security" { "ddns_log"; "default_debug"; };
>     category "xfer-in" { "zone_transfers_log"; "default_debug"; };
>     category "xfer-out" { "zone_transfers_log"; "default_debug"; };
> };
> options {
>     blackhole {
>         "bogusnets";
>     };
>     directory "/var/named";
>     dump-file "/var/named/data/cache_dump.db";
>     flush-zones-on-shutdown yes;
>     managed-keys-directory "/var/named/dynamic";
>     memstatistics yes;
>     memstatistics-file "/var/named/data/named_mem_stats.txt";
>     pid-file "/run/named/named.pid";
>     session-keyfile "/run/named/session.key";
>     statistics-file "/var/named/data/named_stats.txt";
>     version "Not Currently Available";
>     disable-algorithms "." {
>         "RSAMD5";
>         "RSASHA1";
>         "NSEC3RSASHA1";
>         "DSA";
>     };
>     disable-ds-digests "." {
>         "SHA-1";
>         "GOST";
>     };
>     recursion no;
>     allow-query {
>         "any";
>     };
>     allow-transfer {
>         "none";
>     };
>     multi-master no;
>     zone-statistics yes;
> };
> primaries "primary_servers" {
>     192.168.2.10;
> };
> statistics-channels {
>     inet 0.0.0.0 port 60443 allow {
>         "stats_hosts";
>     };
> };
> key "ddns-key" {
>     algorithm "hmac-sha512";
>     secret "????????????????????????????????????????????????????????????????????????????????????????";
> };
> key "rndc-key" {
>     algorithm "hmac-sha512";
>     secret "????????????????????????????????????????????????????????????????????????????????????????";
> };
> server 192.168.1.10/32 {
>     keys "ddns-key";
> };
> server 192.168.1.20/32 {
>     keys "ddns-key";
> };
> server 192.168.2.10/32 {
>     keys "ddns-key";
> };
> server 192.168.2.11/32 {
>     keys "ddns-key";
> };
> server 192.168.2.12/32 {
>     keys "ddns-key";
> };
> zone "190.115.103.IN-ADDR.ARPA." in {
>     type secondary;
>     file "slaves/cached.103.115.190.rev.zone";
>     primaries {
>         "primary_servers";
>     };
> };
> zone "mjb-co.com" in {
>     type secondary;
>     file "secondaries/cached.mjb-co.com.zone";
>     primaries {
>         "primary_servers";
>     };
> };
> ~~~
>
>> On 31/07/2023 17:29, Ondřej Surý wrote:
>>
>> Hi,
>>
>> it's hard to help you if you don't provide your configuration (named-checkconf -px) and use example.com instead of real domain names. Are even the IP addresses real?
>>
>> Ondřej
>>
>> --
>> Ondřej Surý — ISC (He/Him)
>>
>> My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
>>
>>> On 31. 7. 2023, at 9:23, duluxoz <dulu...@gmail.com> wrote:
>>>
>>> Hi All,
>>>
>>> Hoping someone can help with this: I've got a primary DNS server on an internal network (192.168.2.10/24) and an external secondary DNS server on the DMZ network (192.168.1.10/24). The gateway for each (i.e. the router) is 192.168.x.1.
>>>
>>> The external domain is dynamic, with DNSSEC set up, and everything *seems* to be working correctly.
>>>
>>> So I did an rndc to update a record in the external zone on the primary. The primary's logs show that the update went through and that a zone transfer notification was sent out to the external secondary. I can also see the updated record in the (raw) zone file on the primary.
>>>
>>> The external secondary's logs show that it received the zone update notification, BUT that it was coming from the gateway's IP and not the primary server, and thus because the gateway's IP was not in the "primaries" ACL it was/is being refused.
>>>
>>> I don't know if it's relevant but the external zone has the `dnssec-policy default` option set.
>>>
>>> The (what I think are the relevant) parts of the external secondary's logs are:
>>>
>>> ~~~
>>> 31-Jul-2023 16:23:14.182 notify: info: client @0x7ff49061ecc8 192.168.1.1#36875: received notify for zone 'example.com'
>>> 31-Jul-2023 16:23:14.182 general: info: zone example.com/IN: refused notify from non-master: 192.168.1.1#36875
>>> ~~~
>>>
>>> Can someone please point me in the correct direction to resolve this issue? I can provide further info if required. I am reluctant to add the gateway's IP to the "primaries" ACL because it's also the external gateway for the site, and I believe that adding the gateway's IP to the ACL will be a (major) security issue.
>>>
>>> Thanks in advance
>>>
>>> Dulux-Oz
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
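The mismatch Ondřej and Nick point at (a NOTIFY arriving from the gateway 192.168.1.1 instead of the configured primary 192.168.2.10) can be checked mechanically before anyone is tempted to widen the `primaries` list. This is an added example, not code from the thread or from BIND: it parses the two log lines quoted above against the `primaries "primary_servers"` entry from the posted config; the gateway list follows the original post's "192.168.x.1" description, and the verdict strings are my own.

```python
import re
from ipaddress import ip_address

# Constructed sample input: the two lines from the secondary's log quoted in the thread.
SECONDARY_LOG = """\
31-Jul-2023 16:23:14.182 notify: info: client @0x7ff49061ecc8 192.168.1.1#36875: received notify for zone 'example.com'
31-Jul-2023 16:23:14.182 general: info: zone example.com/IN: refused notify from non-master: 192.168.1.1#36875
"""
# From the posted named.conf: primaries "primary_servers" { 192.168.2.10; };
PRIMARIES = ["192.168.2.10"]
# Assumed from the original post: each subnet's router is 192.168.x.1.
GATEWAYS = ["192.168.1.1", "192.168.2.1"]

# BIND 9 "notify" category line for an inbound NOTIFY, and the "general" refusal line.
RECEIVED_RE = re.compile(
    r"client @0x[0-9a-f]+ (?P<ip>[0-9a-fA-F.:]+)#\d+: received notify for zone '(?P<zone>[^']+)'")
REFUSED_RE = re.compile(
    r"zone (?P<zone>\S+)/IN: refused notify from non-master: (?P<ip>[0-9a-fA-F.:]+)#\d+")


def classify_source(src, primaries, gateways):
    """Explain a refused NOTIFY source without suggesting the ACL be widened."""
    if src in primaries:
        return "configured primary"
    if src in gateways:
        return "gateway address: NOTIFY is probably being NATed between subnets"
    return "unknown host: verify before touching the primaries list"


def audit_notify_log(log_text, primaries, gateways):
    """Correlate received/refused NOTIFY lines and classify each refused source."""
    primaries = {ip_address(p) for p in primaries}
    gateways = {ip_address(g) for g in gateways}
    received = {}  # (zone, source) -> number of NOTIFYs seen from that source
    findings = []
    for line in log_text.splitlines():
        if m := RECEIVED_RE.search(line):
            key = (m["zone"], ip_address(m["ip"]))
            received[key] = received.get(key, 0) + 1
        elif m := REFUSED_RE.search(line):
            src = ip_address(m["ip"])
            findings.append({
                "zone": m["zone"],
                "source": str(src),
                "seen_received": received.get((m["zone"], src), 0),
                "reason": classify_source(src, primaries, gateways),
            })
    return findings


if __name__ == "__main__":
    for f in audit_notify_log(SECONDARY_LOG, PRIMARIES, GATEWAYS):
        print(f"{f['zone']}: refused NOTIFY from {f['source']} ({f['reason']})")
```

Run against the real `zone_transfers_log` channel from the posted config, a "gateway address" verdict supports Nick's NAT diagnosis, whereas a "configured primary" verdict means the refusal has another cause (TSIG keys, for instance) and NAT is not the problem.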