On Mon, Jan 6, 2020 at 3:16 PM MEjaz <me...@cyberia.net.sa> wrote:

> 1. My primary name server, /etc/named.conf, and here I am forcing transfers
> to only a few trusted servers, as mentioned in the clause below.
>
>     transfers-out 2000;
>     allow-transfer { 212.119.93.5; 213.230.0.10; 212.119.93.10; 212.119.92.6; };
>
> 2. Secondary/slave name server
>
>     allow-transfer { "none"; };
>
> I can't run this dig command from both DNS servers, "dig soa kalam.com.sa
> @ns1.cyberia.net.sa axfr", since the secondary is not allowed to transfer
> any data.

Ok. So you ran this on ns2, right?

> Just now again I noticed, at 11:03 GMT+3, the secondary server attempt to
> fetch the data from the master, but no luck: same error as denied.

No, that might not be it.

> Jan 6 08:38:43 ns2 named[24436]: zone kalam.com.sa/IN: notify from 212.119.92.5#37487: zone is up to date
> Jan 6 08:41:58 ns2 named[24436]: zone kalam.com.sa/IN: notify from 212.119.92.5#52519: serial 2019434249
> Jan 6 09:15:33 ns2 named[24436]: client @0x7f1228224460 212.119.92.5#42430 (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied
> Jan 6 09:15:43 ns2 named[24436]: client @0x7f1228272ed0 212.119.93.5#36083 (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied
> Jan 6 10:40:38 ns2 named[24436]: zone kalam.com.sa/IN: Transfer started.
> Jan 6 10:40:38 ns2 named[24436]: zone kalam.com.sa/IN: transferred serial 2019434249
> Jan 6 11:03:14 ns2 named[24436]: client @0x7f1228138510 212.119.92.5#33050 (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied

You're pasting the logs on ns2. While that helps, we also need the logs on
ns1. What does it say?

"denied" on ns2 is expected, since you have 'allow-transfer {"none";};' on
ns2. The question is "why does your ns2 ask ns2 (itself), when it should've
asked only ns1 (the master)?"

Did you perhaps set named.conf (or named.conf.local, depending on the
distro) on ns2 incorrectly? Something like

    zone "kalam.com.sa" {
        type slave;
        ...
        masters { 212.119.92.5; };
    };

How many IPs, and what IPs, did you put on the masters there? It should
only be ns1 (the master). If you put two, change it.

... then there's also the question of "why does 212.119.92.5 (ns1) ask ns2
for a zone transfer (which caused one of the denied lines), when the master
shouldn't even need to ask anyone?" Not sure about this one though.

> Do you advise simulating the setup in a testing environment, without the
> firewall?

In this case, only if you've set up named.conf correctly.

-- 
Fajar

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
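The diagnosis above comes down to reading ns2's named log and asking, for each denied AXFR request, who the requester was: the secondary itself (which points at a wrong 'masters' list), the primary (which should never pull from a secondary), or some third party. The following script is an added example, not code from the thread or from ISC; it parses the exact log lines MEjaz pasted (embedded as a constructed sample) and classifies the denials against a configured master set and the server's own addresses. It assumes, as Fajar does, that 212.119.92.5 is ns1; that 212.119.93.5 is ns2's own address is an assumption made here because that address appears first in ns1's allow-transfer list. The function names (parse_line, audit, findings) are this example's own.

```python
import re

# Constructed sample: the ns2 syslog lines quoted in the thread, one per line.
SAMPLE_LOG = """\
Jan 6 08:38:43 ns2 named[24436]: zone kalam.com.sa/IN: notify from 212.119.92.5#37487: zone is up to date
Jan 6 08:41:58 ns2 named[24436]: zone kalam.com.sa/IN: notify from 212.119.92.5#52519: serial 2019434249
Jan 6 09:15:33 ns2 named[24436]: client @0x7f1228224460 212.119.92.5#42430 (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied
Jan 6 09:15:43 ns2 named[24436]: client @0x7f1228272ed0 212.119.93.5#36083 (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied
Jan 6 10:40:38 ns2 named[24436]: zone kalam.com.sa/IN: Transfer started.
Jan 6 10:40:38 ns2 named[24436]: zone kalam.com.sa/IN: transferred serial 2019434249
Jan 6 11:03:14 ns2 named[24436]: client @0x7f1228138510 212.119.92.5#33050 (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied
"""

# Syslog prefix: "Mon  D HH:MM:SS host named[pid]: message".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) named\[\d+\]: (?P<msg>.*)$"
)
# BIND's "zone transfer ... denied" message; the "@0x..." client handle is optional.
DENIED_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<zone>[^)]+)\): "
    r"zone transfer '(?P<xfr>[^']+)' denied"
)
NOTIFY_RE = re.compile(r"zone (?P<zone>\S+)/IN: notify from (?P<ip>[0-9a-fA-F.:]+)#\d+: (?P<detail>.*)")
XFER_RE = re.compile(r"zone (?P<zone>\S+)/IN: transferred serial (?P<serial>\d+)")


def parse_line(line):
    """Turn one named log line into an event dict, or None if it is not a named line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    base = {"ts": m.group("ts"), "host": m.group("host")}
    d = DENIED_RE.search(msg)
    if d:
        return {**base, "kind": "denied", "ip": d["ip"], "zone": d["zone"], "xfr": d["xfr"]}
    n = NOTIFY_RE.search(msg)
    if n:
        return {**base, "kind": "notify", "ip": n["ip"], "zone": n["zone"], "detail": n["detail"]}
    x = XFER_RE.search(msg)
    if x:
        return {**base, "kind": "transferred", "zone": x["zone"], "serial": x["serial"]}
    return {**base, "kind": "other", "msg": msg}


def audit(log_text, masters, self_ips):
    """Per zone: count denied AXFRs by requester and bucket each requester by role."""
    report = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["kind"] == "other":
            continue
        z = report.setdefault(ev["zone"], {
            "denied": {}, "from_self": [], "from_master": [], "from_other": [],
            "notifies": 0, "transferred_serial": None,
        })
        if ev["kind"] == "denied":
            z["denied"][ev["ip"]] = z["denied"].get(ev["ip"], 0) + 1
            if ev["ip"] in self_ips:
                bucket = "from_self"      # the secondary asked itself: bad 'masters' list
            elif ev["ip"] in masters:
                bucket = "from_master"    # the primary asked a secondary: odd, check ns1's config
            else:
                bucket = "from_other"     # anyone else: allow-transfer did its job
            if ev["ip"] not in z[bucket]:
                z[bucket].append(ev["ip"])
        elif ev["kind"] == "notify":
            z["notifies"] += 1
        elif ev["kind"] == "transferred":
            z["transferred_serial"] = ev["serial"]
    return report


def findings(report):
    """Human-readable conclusions, one per anomalous requester or zone."""
    out = []
    for zone, z in report.items():
        for ip in z["from_self"]:
            out.append(f"{zone}: AXFR request from this server's own address {ip}; "
                       f"the zone's 'masters' list should name only the primary")
        for ip in z["from_master"]:
            out.append(f"{zone}: AXFR request from the primary {ip}; "
                       f"a primary should not pull the zone from a secondary")
        for ip in z["from_other"]:
            out.append(f"{zone}: AXFR request from unexpected address {ip} was denied")
        if z["transferred_serial"] is None and z["notifies"]:
            out.append(f"{zone}: notifies received but no successful transfer logged")
    return out


if __name__ == "__main__":
    # Assumed roles: ns1 = 212.119.92.5 (as stated in the thread), ns2 = 212.119.93.5 (assumption).
    rep = audit(SAMPLE_LOG, masters={"212.119.92.5"}, self_ips={"212.119.93.5"})
    for zone, z in rep.items():
        print(zone, "denied:", z["denied"], "transferred serial:", z["transferred_serial"])
    for f in findings(rep):
        print("-", f)
```

Run against a real secondary, replace SAMPLE_LOG with the output of `grep named /var/log/messages` (or wherever the distro sends named's syslog) and set self_ips to that host's listening addresses; a non-empty from_self list is the signature of the misconfigured 'masters' stanza Fajar suspects, while from_master entries are the second, separate oddity he points out about ns1.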