[nsd-users] Zonetranfer_refused
Anand Buddhdev
anandb at ripe.net
Wed Aug 31 12:16:12 UTC 2022
On 31/08/2022 10:01, Oliver Niesner via nsd-users wrote:
Hi Oliver,
[snip]
> dns2-config is the same except the listening address and the zone part
>
> zone:
> name: "example.com"
> zonefile: "db.example"
> allow-notify: 45.xx.yy.194@5353 NOKEY
                            ^^^^^
This is your problem with notifies. You're telling the dns2 server to
accept notifies only from the .194 address, and from a SOURCE port of
5353. However, the dns1 server, even though it is LISTENING for INCOMING
queries on port 5353, will send notify to the dns2 server from a RANDOM
source port.
You need to remove the @5353, so that a notify from ANY source port on dns1
is accepted by NSD on dns2.
You can see the random source ports in the tcpdump, where dns1 has sent
notifies first from port 47272 and then from 36486.
It is a common misunderstanding that if a DNS server is LISTENING on
port X, it will make OUTGOING connections (such as zone transfers
and notifies) using source port X. That isn't true. Outgoing DNS
messages have nothing to do with the listening address, and will use
random source ports, like any other outgoing connections from that server.
Regards,
Anand
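The following is an added example, not part of Anand's reply and not NSD code: it reproduces the pitfall on loopback with plain sockets. A "dns1" side binds a listening socket on one UDP port but, as NSD does, sends its NOTIFY from a separate unbound socket, so the kernel picks an ephemeral source port; a "dns2" side then evaluates an NSD-style allow-notify ip-spec ("ip" or "ip@port") against what it actually received. The rule format mirrors nsd.conf, but the matcher, the zone name and the ports are all constructed here; no real DNS server is involved.

```python
"""Constructed example (not NSD code): why an allow-notify rule with "@port"
refuses NOTIFYs from a server that merely LISTENS on that port."""
import secrets
import socket
import struct

NOTIFY_OPCODE = 4          # RFC 1996
QTYPE_SOA, QCLASS_IN = 6, 1


def build_notify(zone):
    """Wire-format DNS NOTIFY for `zone`: opcode 4, AA set, one SOA question."""
    flags = (NOTIFY_OPCODE << 11) | (1 << 10)          # QR=0, opcode=NOTIFY, AA=1
    header = struct.pack("!HHHHHH", secrets.randbelow(0x10000), flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in zone.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def is_notify(msg):
    """True if the opcode field of the DNS header says NOTIFY."""
    flags = struct.unpack("!H", msg[2:4])[0]
    return (flags >> 11) & 0xF == NOTIFY_OPCODE


def parse_ip_spec(spec):
    """Parse an allow-notify ip-spec, "ip" or "ip@port", into (ip, port-or-None)."""
    ip, _, port = spec.partition("@")
    return ip, (int(port) if port else None)


def acl_allows(spec, src_ip, src_port):
    """Does the rule match the packet's actual SOURCE address and SOURCE port?"""
    ip, port = parse_ip_spec(spec)
    return ip == src_ip and (port is None or port == src_port)


def notify_exchange(zone="example.com"):
    """One NOTIFY exchange on 127.0.0.1; returns observed ports and the message."""
    dns1_listen = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    dns1_out = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    dns2 = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        # dns1's LISTENING socket (the port an admin is tempted to put after "@").
        dns1_listen.bind(("127.0.0.1", 0))
        dns2.bind(("127.0.0.1", 0))
        dns2.settimeout(2.0)
        # The NOTIFY leaves on a different, unbound socket: the kernel assigns
        # an ephemeral source port, which cannot equal the port already bound above.
        dns1_out.sendto(build_notify(zone), dns2.getsockname())
        msg, (src_ip, src_port) = dns2.recvfrom(512)
        return {"listen_port": dns1_listen.getsockname()[1],
                "src_ip": src_ip, "src_port": src_port, "msg": msg}
    finally:
        for s in (dns1_listen, dns1_out, dns2):
            s.close()


def check_rules(zone="example.com"):
    """Evaluate the rule from the thread (ip@<dns1 listen port>) and the fixed one (ip)."""
    x = notify_exchange(zone)
    wrong_rule = "%s@%d" % (x["src_ip"], x["listen_port"])   # allow-notify: ip@5353-style
    fixed_rule = x["src_ip"]                                   # allow-notify: ip
    return {
        "is_notify": is_notify(x["msg"]),
        "listen_port": x["listen_port"],
        "src_port": x["src_port"],
        "wrong_rule_allows": acl_allows(wrong_rule, x["src_ip"], x["src_port"]),
        "fixed_rule_allows": acl_allows(fixed_rule, x["src_ip"], x["src_port"]),
    }


if __name__ == "__main__":
    r = check_rules()
    print("dns1 listens on port %d but its NOTIFY arrived from source port %d"
          % (r["listen_port"], r["src_port"]))
    print("rule with @port accepts the NOTIFY:   ", r["wrong_rule_allows"])
    print("rule without @port accepts the NOTIFY:", r["fixed_rule_allows"])
```

Running it shows the same thing the tcpdump in the thread shows: the listening port and the NOTIFY's source port differ, so the "@port" rule refuses the packet while the rule without it accepts it. The "@port" form of an ip-spec is only useful when the sender deliberately binds its outgoing socket to a fixed source port, which NSD does not do.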