DNS Notify

Danny (Verified User, joined Jan 15, 2008, 39 messages)
I have a problem with my DNS servers.

I have 3 DNS servers:

Primary: ns1.mydomain.com (ipserver1)
Secondary: ns2.mydomain.com (ipserver2)
Tertiary: ns3.mydomain.com (ipserver3)

DirectAdmin is installed on the primary, and it is set to notify the other two and transfer the zones to them. The problem is that the other two servers are trying to transfer the zones to each other: the second tries to send to the first and the third.

Obviously the transfer does not work, because they are not authorised by the primary.

How is this possible, since in named.conf on the third there is no reference to the second, and vice versa?


named.conf of ns1.mydomain.com

acl slaves  { ipserver2; ipserver3; };
acl trusted { 151.1.233.0/24; };

options {
    directory "/var/named";
    listen-on { ipserver1; };
    allow-transfer  { slaves; };    // only the two slaves may pull zones
    allow-notify    { slaves; };
    allow-recursion { trusted; };
    version "N/D";
};

controls {
    inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone "." IN {
    type hint;
    file "named.ca";
};

zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "named.local";
    allow-update { none; };
};

include "/etc/rndc.key";

zone "domain3.it"   { type master; file "/var/named/domain3.it.db"; };
zone "domain2.info" { type master; file "/var/named/domain2.info.db"; };
zone "mydomain.com" { type master; file "/var/named/mydomain.com.db"; };
zone "domain1.org"  { type master; file "/var/named/domain1.org.db"; };

named.conf of ns2.mydomain.com

acl trusted { 151.1.233.0/24; };

options {
    directory "C:\Program Files (x86)\BIND\var";
    listen-on { ipserver3; };
    allow-transfer  { ipserver1; };
    also-notify     { ipserver1; };
    allow-notify    { ipserver1; };
    allow-recursion { trusted; };
    version "N/D";
};

key "rndc-key" {
    algorithm hmac-md5;
    secret "xxxxxxxxxxxxxxxxxxxxxxxxx";
};

controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

zone "mydomain.com" in {
    type slave;
    file "mydomain.com.db";
    masters { ipserver1; };
};

zone "domain3.it" in {
    type slave;
    file "domain3.it.db";
    masters { ipserver1; };
};

zone "domain2.info" in {
    type slave;
    file "domain2.info.db";
    masters { ipserver1; };
};

zone "domain1.org" in {
    type slave;
    file "domain1.org.db";
    masters { ipserver1; };
};

named.conf of ns3.mydomain.com

acl trusted { 151.1.233.0/24; };

options {
    directory "C:\Program Files (x86)\BIND\var";
    listen-on { ipserver2; };
    allow-transfer  { ipserver1; };
    also-notify     { ipserver1; };
    allow-notify    { ipserver1; };
    allow-recursion { trusted; };
    version "N/D";
};

key "rndc-key" {
    algorithm hmac-md5;
    secret "xxxxxxxxxxxxxxxxxxxxxxxxx";
};

controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

zone "mydomain.com" in {
    type slave;
    file "mydomain.com.db";
    masters { ipserver1; };
};

zone "domain3.it" in {
    type slave;
    file "domain3.it.db";
    masters { ipserver1; };
};

zone "domain2.info" in {
    type slave;
    file "domain2.info.db";
    masters { ipserver1; };
};

zone "domain1.org" in {
    type slave;
    file "domain1.org.db";
    masters { ipserver1; };
};


When I update a zone on the primary, it is correctly transferred to the other two.

In the event log on the second server I find this error:

zone mydomain.com/IN: refused notify from non-master: ipserver3#41620


When I update a zone on the primary, it is correctly transferred to the other two.

In the event log on the second server I find this error:

zone mydomain.com/IN: refused notify from non-master: ipserver2#41620
 
Slaves (ns2 and ns3) shouldn't be notifying other slaves or masters.

Jeff
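The log lines in the question are what BIND prints when a slave receives a NOTIFY from a host that is neither one of its masters nor listed in allow-notify. The sender is the other slave because `notify` defaults to `yes` for slave zones as well as master zones: after every successful transfer, ns2 sends NOTIFY to every NS record of the zone (ns1 and ns3), and ns3 does the same towards ns1 and ns2. Nothing in the posted named.conf files references the other slave; the NS records in the zone data do. The following is a corrected slave configuration for ns2, added here as an example and not taken from the original post or from DirectAdmin. It keeps the poster's placeholders (ipserver1, ipserver2), zone list and Windows directory, and it assumes that the `listen-on` addresses in the posted ns2/ns3 files were swapped when they were pasted, so ns2's own address is ipserver2.

```conf
// ns2.mydomain.com - slave-only named.conf (added example, not the poster's file).
// ipserver1/ipserver2 are the placeholders used in the thread; substitute real addresses.

acl trusted { 151.1.233.0/24; };

options {
    directory "C:\Program Files (x86)\BIND\var";
    listen-on { ipserver2; };          // assumption: this host's own address

    // The fix. Default "notify yes" makes a slave send NOTIFY to every NS
    // in the zone after each transfer, which the other slave logs as
    // "refused notify from non-master". "notify master-only;" is an
    // alternative that only sends NOTIFY for zones of type master.
    notify no;

    // No also-notify: it is only acted on with "notify yes" or "notify
    // explicit", and the master does not need to be told about its own changes.

    // Nobody should pull zones from a slave; ns1 is the only source.
    allow-transfer { none; };

    // NOTIFY from a zone's masters is always accepted. allow-notify only adds
    // further senders, so there is no need to list ipserver1 here.
    allow-notify { none; };

    allow-recursion { trusted; };
    version "N/D";
};

key "rndc-key" {
    // hmac-sha256 is supported by current BIND releases (rndc-confgen -A hmac-sha256);
    // keep hmac-md5 only if this BIND build is too old to accept SHA-2 TSIG.
    algorithm hmac-sha256;
    secret "xxxxxxxxxxxxxxxxxxxxxxxxx";   // placeholder, as in the post
};

controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

zone "mydomain.com" in { type slave; file "mydomain.com.db"; masters { ipserver1; }; };
zone "domain3.it"   in { type slave; file "domain3.it.db";   masters { ipserver1; }; };
zone "domain2.info" in { type slave; file "domain2.info.db"; masters { ipserver1; }; };
zone "domain1.org"  in { type slave; file "domain1.org.db";  masters { ipserver1; }; };
```

ns3 gets the same file with its own address in `listen-on`. To check the result after `rndc reload` on both slaves, run `rndc notify mydomain.com` on ns1 to force a NOTIFY, then compare `dig @ipserver1 mydomain.com SOA +norecurse` with the same query against ipserver2 and ipserver3: the serials should match and no further "refused notify from non-master" lines should appear on either slave. The ACLs remain address based; if a stronger guarantee on who may transfer zones is wanted, the master's `allow-transfer` can reference a TSIG key shared with the slaves (`allow-transfer { key "xfer-key"; };`) instead of, or in addition to, the address list.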
 
But in the logs it seems they are notifying.. yet the configuration files look OK, right?
 
There's a link to a page in the DNS and Bind Cookbook which discusses the issue, here.

Jeff
 
Why did you delete your original question? Now nobody knows what this thread is about.
 
I deleted the message because it contained information that could put my DNS server at risk. I am updating the message by removing that information and restating the question ;)
 
You should probably read this. Obscuring or deleting your DNS data does not make your server more secure.
 
Delete the keys and leave the rest of the question intact.

The purpose of the forum is not to benefit only the person asking the question. The purpose is so that we all can benefit. By deleting your original question nobody else can benefit from this thread. That's a shame.
 