Re: strange queries in my DNS

2011-04-21 Thread Matthew Seaman
On 21/04/2011 19:54, Victor Hugo dos Santos wrote:
> Hello masters.
> 
> Last week I had strange queries logged in my DNS. At that moment I
> only blocked the source IP (77.204.11.139) and forgot about the
> matter.
> 
> But today I have the same query registered in my logs, from
> another source (208.100.46.116).
> 
> ==
> 21-Apr-2011 15:20:16.081 queries: info: client 208.100.46.116#1552:
> view externo: query: . ANY RESERVED0 +
> 21-Apr-2011 15:20:16.143 queries: info: client 208.100.46.116#6674:
> view externo: query: . ANY RESERVED0 +
> 21-Apr-2011 15:20:16.205 queries: info: client 208.100.46.116#21602:
> view externo: query: . ANY RESERVED0 +
> 21-Apr-2011 15:20:16.269 queries: info: client 208.100.46.116#55331:
> view externo: query: . ANY RESERVED0 +
> ==
> 
> 
> Now I have the new IP blocked, but if I unblock it, the server shows
> 20/30 queries per second from this IP !!!
> 

This is an attempt to use your DNS servers as a traffic amplifier in a
DoS attack.  By sending a spoofed query for the root '.' the attackers
cause your DNSes to send kilobytes of the root zone to the target IP
(208.100.46.116 and 77.204.11.139 are the victims here, not the
perpetrators).  Do that against enough other DNS servers simultaneously
and it will flood the target host.

There are several variations on this -- see

http://meetings.ripe.net/ripe-52/presentations/ripe52-plenary-dnsamp.pdf

The best answer to this sort of thing is for network providers to filter
obviously spoofed traffic at their interchange points, but that is
(presumably) outside your control.  You can mitigate the problem by
careful use of the 'allow-query', 'allow-query-cache' and
'additional-from-cache' directives in your BIND configuration so you
only answer recursive queries for your trusted networks.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matt...@infracaninophile.co.uk
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
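Matthew's explanation turned into detection logic, as an added example that is not code from the thread or from ISC: the script parses BIND 9.3-style query-log lines of the form Victor posted and reports sources sending root-name ANY queries at a high rate. The sample log lines are constructed from the four posted ones plus a few benign queries; the count and rate thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# BIND 9.3 query-log line as posted (one physical line; the mail client wrapped it):
#   21-Apr-2011 15:20:16.081 queries: info: client 208.100.46.116#1552: view externo: query: . ANY RESERVED0 +
# After "query:" the field order is NAME CLASS TYPE FLAGS, so "ANY" here is the
# query CLASS and "RESERVED0" (type 0) is the query TYPE, matching the tcpdump in
# the original post ("type Unused, class ANY").
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) queries: info: "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"(?:view (?P<view>\S+): )?"
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)$"
)

# Constructed sample: the four posted lines, one probe from the first source
# Victor blocked, and two ordinary queries that must not be flagged.
SAMPLE_LOG = [
    "21-Apr-2011 15:20:16.081 queries: info: client 208.100.46.116#1552: view externo: query: . ANY RESERVED0 +",
    "21-Apr-2011 15:20:16.143 queries: info: client 208.100.46.116#6674: view externo: query: . ANY RESERVED0 +",
    "21-Apr-2011 15:20:16.205 queries: info: client 208.100.46.116#21602: view externo: query: . ANY RESERVED0 +",
    "21-Apr-2011 15:20:16.269 queries: info: client 208.100.46.116#55331: view externo: query: . ANY RESERVED0 +",
    "21-Apr-2011 15:20:16.300 queries: info: client 77.204.11.139#4123: view externo: query: . IN ANY +",
    "21-Apr-2011 15:20:16.311 queries: info: client 198.51.100.7#53011: view externo: query: www.example.com IN A -",
    "21-Apr-2011 15:20:16.350 queries: info: client 192.168.1.20#5353: view interno: query: example.com IN MX +",
]

def parse_line(line):
    """Return a dict of the log fields, or None if the line is not a query-log entry."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
    rec["port"] = int(rec["port"])
    return rec

def is_reflection_probe(rec):
    """The shape of query Matthew describes: the root name, an ANY class or an
    ANY/reserved type, recursion desired. The answer is far larger than the
    question and the source address is spoofed, so the 'client' is the victim."""
    return (rec["qname"] == "."
            and (rec["qclass"] == "ANY" or rec["qtype"] in ("ANY", "RESERVED0"))
            and rec["flags"].startswith("+"))

def find_reflection_sources(lines, min_count=3, min_qps=10.0):
    """Group root-ANY probes by source address and return
    {ip: (count, queries_per_second)} for sources at or above min_qps.
    The thresholds are example assumptions; tune them to your own traffic."""
    stamps = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and is_reflection_probe(rec):
            stamps[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in stamps.items():
        if len(times) < min_count:
            continue
        span = (max(times) - min(times)).total_seconds()
        qps = len(times) / span if span > 0 else float("inf")
        if qps >= min_qps:
            flagged[ip] = (len(times), qps)
    return flagged

if __name__ == "__main__":
    for ip, (n, qps) in sorted(find_reflection_sources(SAMPLE_LOG).items()):
        # Blocking this address cuts off the victim, not the attacker.
        print("%-16s %3d root-ANY probes, %.1f q/s" % (ip, n, qps))
```

The four posted lines alone give about 21 queries per second from 208.100.46.116, consistent with the 20/30 per second Victor saw after unblocking. The useful response is the one Matthew names, restricting who may query with allow-query and allow-query-cache, rather than only firewalling the reported source, which punishes the victim.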

Re: the valid content of TXT RR

2011-04-21 Thread Torinthiel
On 04/22/11 04:49, Doug wrote:
> 2011/4/21 Mark Andrews :
>>
>> In message , Doug writes:
>>> Hello,
>>>
>>> what characters can or can't be included in a TXT record for DNS?
>>>
>>> Thanks.
>>
>> Named supports 8 bit data using the same presentation encoding as domain
>> names.
>>
> 
> 
> Thanks mark.
> But I meant what text string is permitted or not permitted in a TXT record.

There are no specific constraints on a TXT record. It's free-form text, so
you can specify 'blalasurawer vwa3ku4rygwli avwiruy' as well as 'do not
use' or SPF syntax or anything.
Torinthiel

Re: the valid content of TXT RR

2011-04-21 Thread Doug
2011/4/21 Mark Andrews :
>
> In message , Doug writes:
>> Hello,
>>
>> what characters can or can't be included in a TXT record for DNS?
>>
>> Thanks.
>
> Named supports 8 bit data using the same presentation encoding as domain
> names.
>


Thanks mark.
But I meant what text string is permitted or not permitted in a TXT record.

Regards.


DNSSEC signing issues

2011-04-21 Thread Security Admin (NetSec)
I am running BIND 9.4.2-P2 on OpenBSD v4.8

I have created the ZSK and KSK and added the keys to my zonefile 
"mydomain.hosts"  using the "cat" command to append to the end of the host file.

When attempting to use the following command "dnssec-signzone -N INCREMENT 
mydomain.hosts" I get the following error:

dnssec-signzone: error: dns_master_load: mydomain.hosts:15: mydomain.com: not 
at top of zone
dnssec-signzone: failed loading zone from ' mydomain.hosts': not at top of zone

I own this domain and the DNS servers associated with it.  Line 15 referenced 
in the above error is an MX record within the host file. I am unsure how to 
debug this error.  Any help would be appreciated.

Re: Migrate domains to different DNS servers

2011-04-21 Thread Doug Barton

On 04/20/2011 00:25, listus...@gmail.com wrote:

> Hello all,
> 
> We have a couple of BIND 8 DNS servers that we want to decommission,
> obviously we need to migrate the domains to other DNS servers first,
> which ordinarily involves zone transfer and domain re-delegation.


Redelegation, yes. I'm not sure why you think zone transfer is required 
though, since you could conceivably just transfer the zone and 
configuration files.



> However, we do not have control over a lot of the domains (think
> hundreds) on the BIND 8 servers, meaning we cannot re-delegate.
> 
> A desperate measure (if you want to call it) is to transfer the zones to
> the new DNS infrastructure then change the A record of the old DNS to
> use the IP address of the new DNS. Effectively the old DNS becomes an
> alias of the new DNS.


Um, what you're saying here doesn't really make sense, nor did your 
(obfuscated) example.


If you are dealing with domains that you cannot redelegate your options 
are extremely limited. You need to keep the hostnames that the zones are 
delegated to alive, since (in an ideal world) the delegations are to 
hostnames. Assuming that there are no glue records that point to the old 
IP addresses, what you _should_ be able to do, assuming that you control 
the domain(s) that the name server records are in, is to change the IP 
addresses to those of the new name servers. If that doesn't work what 
you may have to do is to add the old IP addresses as aliases on the new 
systems, and make sure that named is listening on those IP addresses too.


So your steps should be:
* Reduce the TTL on the NS record hostnames to, say, 6 hours or so, then 
wait at least as long as the old TTL before proceeding past the next step
* Get all of the zones on the old servers active on the new ones (likely 
by copying the zone files, and the relevant configuration)
* Once the old TTL has expired, update the host names that the NS 
records are pointed to now to the IP addresses of the new name servers
* Check to make sure that all of the domains are working, at least once 
after you make the change, once again 6 hours later, again 6 hours after 
that, and again about 3 days after you made the change.
* Update the TTL of the NS record hostnames to match what the parent 
has, which is usually 2 days (172800 seconds)
* If desired, redelegate the domains you have control over to the new 
name server hostnames.



hth,

Doug

--

Nothin' ever doesn't change, but nothin' changes much.
-- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/


Re: Dynamic update to the wrong DNS zone file - Bind View - dhcp-client-identifier - multiple network cards with multiple differents subnets

2011-04-21 Thread Kevin Darcy

On 4/21/2011 10:17 AM, Flex Banana wrote:

hello list,

I use dhcpd-4.2.1 with bind-9.7.3 on a SuSE system.

I have 3 network cards with under 700 different subnets declared in the 
dhcpd.conf.

eth0 = 10.1.1.50
eth1 = 172.16.1.50
eth2 = 192.168.1.50


We use Dynamic DNS update with the dhcp-client-identifier option to set 
settings for my different clients.
We also use BIND views to differentiate all the different zones for the different 
subnets (we have almost 90 zones).

This is a part of our dhcpd.conf file:

if substring (lcase (option dhcp-client-identifier), 1, 9) = "marketing"
{
option domain-name "marketing.example.com";
option domain-search "marketing.example.com";
zone marketing.example.com. { primary 10.1.1.50; key 
OUR_KEY; }
}
elsif substring (lcase (option dhcp-client-identifier), 1, 6) = "design"
{
option domain-name "design.example.com";
option domain-search "design.example.com";
zone design.example.com. { primary 10.1.1.50; key 
OUR_KEY; }
}
else
{
option domain-search "publisher.example.com";
}


Another part of dhcpd.conf with subnet declarations:

subnet 10.1.1.0 netmask 255.255.255.0
{
option routers 10.1.1.1;
range 10.1.1.20 10.1.1.199;
option subnet-mask 255.255.255.0;
option domain-name-servers 10.1.1.50;
zone 1.1.10.in-addr.arpa. { primary 10.1.1.50; key 
OUR_KEY; }
}
subnet 172.16.1.0 netmask 255.255.255.0
{
option routers 172.16.1.1;
range 172.16.1.20 172.16.1.199;
option subnet-mask 255.255.255.0;
option domain-name-servers 172.16.1.50;
zone 1.16.172.in-addr.arpa. { primary 172.16.1.50; key 
OUR_KEY; }
}
subnet 192.168.1.0 netmask 255.255.255.0
{
option routers 192.168.1.1;
range 192.168.1.20 192.168.1.199;
option subnet-mask 255.255.255.0;
option domain-name-servers 192.168.1.50;
zone 1.168.192.in-addr.arpa. { primary 192.168.1.50; 
key OUR_KEY; }
}


This is a part of the named.conf file:

view "10.1" {
match-destinations { 10.1.1.50; };
match-clients { 10.1.1.0/24; };

zone "marketing.example.com" in {
allow-update { key OUR_KEY; };
allow-transfer { none; };
file "dyn/marketing.exemple.com_10.1";
type master;
};
zone "design.example.com" in {
allow-update { key OUR_KEY; };
allow-transfer { none; };
file "dyn/design.example.com_10.1";
type master;
};
}; // end of view "10.1" (closing brace added; not in the posted excerpt)

view "172.16" {
match-destinations { 172.16.1.50; };
match-clients { 172.16.1.0/24; };

zone "marketing.example.com" in {
allow-update { key OUR_KEY; };
allow-transfer { none; };
file "dyn/marketing.exemple.com_172.16";
type master;
};
zone "design.example.com" in {
allow-update { key OUR_KEY; };
allow-transfer { none; };
file "dyn/design.example.com_172.16";
type master;
};
}; // end of view "172.16" (closing brace added; not in the posted excerpt)

view "192.168" {
match-destinations { 192.168.1.50; };
match-clients { 192.168.1.0/24; };

zone "marketing.example.com" in {
allow-update { key OUR_KEY; };
allow-transfer { none; };
file "dyn/marketing.exemple.com_192.168";
type master;
};
zone "design.example.com" in {
allow-update { key OUR_KEY; };
allow-transfer { none; };
file "dyn/design.example.com_192.168";
type master;
};
}; // end of view "192.168" (closing brace added; not in the posted excerpt)


The problem is that when I use a client in a subnet other than 10.1.1.0/24, all 
dynamic updates are written to the zone (marketing.example.com or design.example.com) 
with the primary address of 10.1.1.50, with the message "Forward map from  
FAILED: Has an address record but no DHCID, not mine."
And when you read the forward zone (e.g. with nano or cat) the A address is 
entered but from the wrong subnet.

Example for the file design.example.com_10.1 (zone dedicated

laptop  A   172.16.1.17 // 
updated dynamically

strange queries in my DNS

2011-04-21 Thread Victor Hugo dos Santos
Hello masters.

Last week I had strange queries logged in my DNS. At that moment I
only blocked the source IP (77.204.11.139) and forgot about the
matter.

But today I have the same query registered in my logs, from
another source (208.100.46.116).

==
21-Apr-2011 15:20:16.081 queries: info: client 208.100.46.116#1552:
view externo: query: . ANY RESERVED0 +
21-Apr-2011 15:20:16.143 queries: info: client 208.100.46.116#6674:
view externo: query: . ANY RESERVED0 +
21-Apr-2011 15:20:16.205 queries: info: client 208.100.46.116#21602:
view externo: query: . ANY RESERVED0 +
21-Apr-2011 15:20:16.269 queries: info: client 208.100.46.116#55331:
view externo: query: . ANY RESERVED0 +
==


Now I have the new IP blocked, but if I unblock it, the server shows
20/30 queries per second from this IP !!!

The configuration has 2 views, recursion is disabled for outside,
and the version of BIND is bind-9.3.6-16.P1.el5.

The tcpdump content is:
==
victor@vhs-desk:~/scripts$ cat /tmp/dns2
No.  Time      Source          Destination  Protocol  Info
 63  3.897624  208.100.46.116  10.0.0.10    DNS       Standard query Unused

Frame 63 (63 bytes on wire, 63 bytes captured)
Arrival Time: Apr 21, 2011 15:16:27.80527
[Time delta from previous captured frame: 0.06270 seconds]
[Time delta from previous displayed frame: 0.06270 seconds]
[Time since reference or first frame: 3.897624000 seconds]
Frame Number: 63
Frame Length: 63 bytes
Capture Length: 63 bytes
[Frame is marked: False]
[Protocols in frame: sll:ip:udp:dns]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Linux cooked capture
Packet type: Unicast to us (0)
Link-layer address type: 1
Link-layer address length: 6
Source: HewlettP_4d:a7:2e (00:18:71:4d:a7:2e)
Protocol: IP (0x0800)
Internet Protocol, Src: 208.100.46.116 (208.100.46.116), Dst:
10.0.0.10 (10.0.0.10)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 47
Identification: 0x4081 (16513)
Flags: 0x00
0.. = Reserved bit: Not Set
.0. = Don't fragment: Not Set
..0 = More fragments: Not Set
Fragment offset: 0
Time to live: 244
Protocol: UDP (0x11)
Header checksum: 0x7d5a [correct]
[Good: True]
[Bad : False]
Source: 208.100.46.116 (208.100.46.116)
Destination: 10.0.0.10 (10.0.0.10)
User Datagram Protocol, Src Port: 34062 (34062), Dst Port: domain (53)
Source port: 34062 (34062)
Destination port: domain (53)
Length: 27
Checksum: 0x0000 (none)
Domain Name System (query)
Transaction ID: 0x800e
Flags: 0x0100 (Standard query)
0... .... .... .... = Response: Message is a query
.000 0... .... .... = Opcode: Standard query (0)
.... ..0. .... .... = Truncated: Message is not truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... .0.. .... = Z: reserved (0)
.... .... ...0 .... = Non-authenticated data OK:
Non-authenticated data is unacceptable
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 0
Queries
<Root>: type Unused, class ANY
Name: <Root>
Type: Unused (unused)
Class: ANY (0x00ff)
===

So.. any idea??

thanks

-- 
--
Victor Hugo dos Santos
Linux Counter #224399


Re: the valid content of TXT RR

2011-04-21 Thread Mark Andrews

In message , Doug writes:
> Hello,
> 
> what characters can or can't be included in a TXT record for DNS?
> 
> Thanks.

Named supports 8 bit data using the same presentation encoding as domain
names.

e.g. 0x00 is \000, 0xff is \255

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
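Mark's answer in code, as an added example that is not part of the thread or of BIND: the encoder below applies the domain-name presentation rules he describes to TXT data (\DDD decimal escapes, plus a backslash before the two printable characters that need one) and adds the one structural limit the DNS itself imposes, the 255-octet <character-string> of RFC 1035, which is why long TXT data is written as several quoted strings. The function names are this example's own.

```python
import re

# TXT RDATA in BIND's presentation form: each <character-string> is quoted,
# '"' and '\' are backslash-escaped, every other octet outside printable ASCII
# is written \DDD with DDD decimal (0x00 -> \000, 0xff -> \255), and one
# <character-string> carries at most 255 octets (RFC 1035, section 3.3).

def to_presentation(chunk: bytes) -> str:
    """Encode one <character-string> (at most 255 octets) as quoted text."""
    if len(chunk) > 255:
        raise ValueError("a TXT <character-string> holds at most 255 octets")
    out = []
    for b in chunk:
        if b in (0x22, 0x5C):            # '"' and '\' get a backslash, not \DDD
            out.append("\\" + chr(b))
        elif 0x20 <= b <= 0x7E:          # printable ASCII stays literal
            out.append(chr(b))
        else:                            # controls and 8-bit octets: \DDD, decimal
            out.append("\\%03d" % b)
    return '"' + "".join(out) + '"'

def from_presentation(text: str) -> bytes:
    """Decode one quoted <character-string> back to its octets."""
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("expected a double-quoted <character-string>")
    body, out, i = text[1:-1], bytearray(), 0
    while i < len(body):
        c = body[i]
        if c != "\\":
            if ord(c) > 0xFF:
                raise ValueError("non-octet character %r in TXT data" % c)
            out.append(ord(c))
            i += 1
        elif i + 1 >= len(body):
            raise ValueError("dangling backslash")
        elif len(body[i + 1:i + 4]) == 3 and body[i + 1:i + 4].isdigit():
            value = int(body[i + 1:i + 4])      # \DDD is decimal, so \256 and up are invalid
            if value > 255:
                raise ValueError("escape \\%03d is out of range" % value)
            out.append(value)
            i += 4
        else:                                   # \" \\ or any other escaped character
            out.append(ord(body[i + 1]))
            i += 2
    return bytes(out)

def _chunks(data: bytes):
    return [data[i:i + 255] for i in range(0, len(data), 255)] or [b""]

def txt_rdata(data: bytes) -> str:
    """Present arbitrary octets as TXT RDATA, split into 255-octet strings."""
    return " ".join(to_presentation(c) for c in _chunks(data))

def txt_wire(data: bytes) -> bytes:
    """Wire form of the same RDATA: a length octet before each string, which is
    the reason for the 255 limit."""
    return b"".join(bytes([len(c)]) + c for c in _chunks(data))

def parse_txt_rdata(text: str) -> bytes:
    """Decode presentation RDATA made of whitespace-separated quoted strings."""
    return b"".join(from_presentation(m) for m in re.findall(r'"(?:[^"\\]|\\.)*"', text))
```

Note that the decoder treats the three digits after a backslash as decimal, as Mark's examples (\000, \255) do; a reader used to C octal escapes will otherwise mis-read a dumped zone file.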


Dynamic update to the wrong DNS zone file - Bind View - dhcp-client-identifier - multiple network cards with multiple differents subnets

2011-04-21 Thread Flex Banana
hello list,

I use dhcpd-4.2.1 with bind-9.7.3 on a SuSE system.

I have 3 network cards with under 700 different subnets declared in the 
dhcpd.conf.

eth0 = 10.1.1.50
eth1 = 172.16.1.50
eth2 = 192.168.1.50


We use Dynamic DNS update with the dhcp-client-identifier option to set 
settings for my different clients.
We also use BIND views to differentiate all the different zones for the different 
subnets (we have almost 90 zones).

This is a part of our dhcpd.conf file:

if substring (lcase (option dhcp-client-identifier), 1, 9) = "marketing"
{
option domain-name "marketing.example.com";
option domain-search "marketing.example.com";
zone marketing.example.com. { primary 10.1.1.50; key 
OUR_KEY; }
}
elsif substring (lcase (option dhcp-client-identifier), 1, 6) = "design"
{
option domain-name "design.example.com";
option domain-search "design.example.com";
zone design.example.com. { primary 10.1.1.50; key 
OUR_KEY; }
}
else
{
option domain-search "publisher.example.com";
}


Another part of dhcpd.conf with subnet declarations:

subnet 10.1.1.0 netmask 255.255.255.0
{
option routers 10.1.1.1;
range 10.1.1.20 10.1.1.199;
option subnet-mask 255.255.255.0;
option domain-name-servers 10.1.1.50;
zone 1.1.10.in-addr.arpa. { primary 10.1.1.50; key 
OUR_KEY; }
}
subnet 172.16.1.0 netmask 255.255.255.0
{
option routers 172.16.1.1;
range 172.16.1.20 172.16.1.199;
option subnet-mask 255.255.255.0;
option domain-name-servers 172.16.1.50;
zone 1.16.172.in-addr.arpa. { primary 172.16.1.50; key 
OUR_KEY; }
}
subnet 192.168.1.0 netmask 255.255.255.0
{
option routers 192.168.1.1;
range 192.168.1.20 192.168.1.199;
option subnet-mask 255.255.255.0;
option domain-name-servers 192.168.1.50;
zone 1.168.192.in-addr.arpa. { primary 192.168.1.50; 
key OUR_KEY; }
}


This is a part of the named.conf file:

view "10.1" {
match-destinations { 10.1.1.50; };
match-clients { 10.1.1.0/24; };

zone "marketing.example.com" in {
allow-update { key OUR_KEY; };
allow-transfer { none; };
file "dyn/marketing.exemple.com_10.1";
type master;
};
zone "design.example.com" in {
allow-update { key OUR_KEY; };
allow-transfer { none; };
file "dyn/design.example.com_10.1";
type master;
};
}; // end of view "10.1" (closing brace added; not in the posted excerpt)

view "172.16" {
match-destinations { 172.16.1.50; };
match-clients { 172.16.1.0/24; };

zone "marketing.example.com" in {
allow-update { key OUR_KEY; };
allow-transfer { none; };
file "dyn/marketing.exemple.com_172.16";
type master;
};
zone "design.example.com" in {
allow-update { key OUR_KEY; };
allow-transfer { none; };
file "dyn/design.example.com_172.16";
type master;
};
}; // end of view "172.16" (closing brace added; not in the posted excerpt)

view "192.168" {
match-destinations { 192.168.1.50; };
match-clients { 192.168.1.0/24; };

zone "marketing.example.com" in {
allow-update { key OUR_KEY; };
allow-transfer { none; };
file "dyn/marketing.exemple.com_192.168";
type master;
};
zone "design.example.com" in {
allow-update { key OUR_KEY; };
allow-transfer { none; };
file "dyn/design.example.com_192.168";
type master;
};
}; // end of view "192.168" (closing brace added; not in the posted excerpt)


The problem is that when I use a client in a subnet other than 10.1.1.0/24, 
all dynamic updates are written to the zone (marketing.example.com or 
design.example.com) with the primary address of 10.1.1.50, with the message 
"Forward map from  FAILED: Has an address record but no DHCID, not mine."
And when you read the forward zone (e.g. with nano or cat) the A address is 
entered but from the wrong subnet.

Example for the file design.example.com_10.1 (zone dedicated

laptop  A   172.16.1.17 // 
updated dynamically


The solution, I think, is to test the clie

Re: slave AXFR bind9

2011-04-21 Thread Eivind Olsen
hugo hugoo wrote:
> I use a server called "lenny" where the zone is identified as slave.
> I use a server called custmaster where the zone is master.

You're hiding data from us, for example:
> bind9testcarlos.be. 86400   IN  NS  ns.uat.
> bind9testcarlos.be. 86400   IN  NS  ns2.uat.
> ns.bind9testcarlos.be.  3600IN  A   1.2.3.4
> ns2.bind9testcarlos.be. 3600IN  A   1.2.3.4

You've obfuscated the IP-addresses for ns.bind9testcarlos.be /
ns2.bind9testcarlos.be - and you've done it in a way meaning I don't
_really_ know if you've given them the same IP-address for real either.

Here's what I _think_ might be happening, but which I can't really know
since you hide the information I've asked for before (such as the
configuration of your zone).
Your master DNS will only send notifies to nameservers that handle the
zone according to:
- being mentioned with NS records in the zonefile (in your example, that
would be ns.uat and ns2.uat)
- nameservers mentioned with also-notify statement in your named.conf

I'm guessing that your slave server isn't listed with an NS record in the
zonefile, and isn't listed with also-notify either. Am I right?

Regards
Eivind Olsen
eiv...@aminor.no
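Eivind's two points, that a master only notifies the zone's NS targets (or also-notify entries) and that the slave is behind on the serial, checked mechanically, as an added example rather than anything from the thread or from BIND: a small master-file parser loads the two files hugo posted (with the whitespace the mail lost restored; a dumped slave file indents its inherited-owner lines), compares the serials with RFC 1982 arithmetic, lists the default NOTIFY targets, and diffs the records. The parser is deliberately limited (integer TTLs only, no quoted strings, no @) and the function names and the slave hostname "lennydnstest01." are this example's assumptions.

```python
# Minimal parser for the master-file syntax both servers show ($ORIGIN, $TTL,
# ';' comments, a parenthesised SOA, owner inheritance through leading
# whitespace). Assumed limits of this example: integer TTLs, no quoted strings.
NAME_FIELDS = {"NS": (0,), "CNAME": (0,), "PTR": (0,), "MX": (1,), "SOA": (0, 1)}

def _logical_lines(text):
    """Strip comments and join parenthesised multi-line records."""
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:
            out.append(" ".join(buf).replace("(", " ").replace(")", " "))
            buf, depth = [], 0
    return out

def _fqdn(name, origin):
    if name.endswith("."):
        return name
    return name + "." if origin == "." else name + "." + origin

def parse_zone(text, origin="."):
    """Return [(owner, ttl, type, rdata_tuple)] with every name made absolute."""
    records, default_ttl, last_owner = [], None, None
    for line in _logical_lines(text):
        toks = line.split()
        if not toks:
            continue
        if toks[0] == "$ORIGIN":
            origin = toks[1]
        elif toks[0] == "$TTL":
            default_ttl = int(toks[1])
        else:
            owner = last_owner if line[0] in " \t" else _fqdn(toks.pop(0), origin)
            last_owner, ttl = owner, default_ttl
            if toks[0].isdigit():
                ttl = int(toks.pop(0))
            if toks[0].upper() in ("IN", "CH", "HS"):
                toks.pop(0)
            if toks[0].isdigit():               # "IN 3600 A ..." order is also legal
                ttl = int(toks.pop(0))
            rtype = toks.pop(0).upper()
            for i in NAME_FIELDS.get(rtype, ()):
                toks[i] = _fqdn(toks[i], origin)
            records.append((owner, ttl, rtype, tuple(toks)))
    return records

def soa_serial(records):
    return next(int(rd[2]) for _, _, rt, rd in records if rt == "SOA")

def serial_newer(candidate, current):
    """RFC 1982 serial arithmetic (wraps at 2^32): what a slave checks before AXFR."""
    return 0 < ((candidate - current) & 0xFFFFFFFF) < 0x80000000

def notify_targets(records, zone):
    """BIND's default NOTIFY set: the zone's NS targets minus the SOA MNAME.
    A slave outside this set is only reached through also-notify."""
    mname = next(rd[0] for o, _, rt, rd in records if o == zone and rt == "SOA")
    return sorted(rd[0] for o, _, rt, rd in records
                  if o == zone and rt == "NS" and rd[0] != mname)

def zone_diff(a, b):
    """(records only in a, records only in b)."""
    return sorted(set(a) - set(b)), sorted(set(b) - set(a))

# The two files hugo posted, whitespace restored; SOA field order unchanged.
MASTER_FILE = """\
$TTL 3600 ; Positive Caching
bind9testcarlos.be. 86400 IN SOA ns1.skynet.be. dnsmaster.skynet.be. (
        1999101725 600 3600 604800 86400 )
bind9testcarlos.be. 86400 IN NS ns.uat.
bind9testcarlos.be. 86400 IN NS ns2.uat.
cs1.sgtest1.bind9testcarlos.be. 3600 IN A 1.2.3.4
ns.bind9testcarlos.be.  3600 IN A 1.2.3.4
ns2.bind9testcarlos.be. 3600 IN A 1.2.3.4
sgtest1.bind9testcarlos.be. 3600 IN A 1.2.3.30
"""
SLAVE_FILE = """\
$ORIGIN .
$TTL 86400 ; 1 day
bind9testcarlos.be IN SOA ns1.skynet.be. dnsmaster.skynet.be. (
        1999101723 ; serial
        600 3600 604800 86400 )
        NS ns.uat.
        NS ns2.uat.
$ORIGIN bind9testcarlos.be.
$TTL 3600 ; 1 hour
ns      A 1.2.3.4
ns2     A 1.2.3.4
sgtest1 A 1.2.3.20
$ORIGIN sgtest1.bind9testcarlos.be.
cs1     A 1.2.3.4
"""

def slave_status(master_text=MASTER_FILE, slave_text=SLAVE_FILE,
                 slave_host="lennydnstest01.", zone="bind9testcarlos.be."):
    """(slave is stale, slave would receive NOTIFY, records missing on the slave)."""
    master, slave = parse_zone(master_text), parse_zone(slave_text)
    stale = serial_newer(soa_serial(master), soa_serial(slave))
    return stale, slave_host in notify_targets(master, zone), zone_diff(master, slave)[0]
```

On the posted data the slave is two serials behind and is not among the NOTIFY targets (ns.uat. and ns2.uat.), which is exactly the situation Eivind describes: without a NOTIFY the slave only re-checks the SOA when its refresh timer (600 seconds here) fires, or when someone runs rndc.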


Re: slave AXFR bind9

2011-04-21 Thread Torsten Segner


My first thoughts on this:

Has the slave received a notify from the master server?
Does the slave accept the notify?
What else is in the logs?

Could you please also provide your named configuration (options and the zone 
statement) of both master and slave?


Ciao
Torsten



On Thu, 21 Apr 2011 06:55:13 +0000, hugo hugoo wrote:

> 
> Dear all,
> I am really lost with the working of my slave zone.
> Here the situation/configuration.
>  
>  
> I use a server called "lenny" where the zone is identified as slave.
> I use a server called custmaster where the zone is master.
>  
> After a stop/start of the BIND9 in the Lenny server (slave zone), the slave 
> zone is never synchronised with the master zone.
> In my test, the serial number in the master is greater than in the slave.
>  
> 
> 
> lennydnstest01:~# dig @194.78.73.65 bind9testcarlos.be AXFR  ==> what is on 
> the master zone (dig uses the IP address of the master)
>  
> ; <<>> DiG 9.6-ESV-R3 <<>> @194.78.73.65 bind9testcarlos.be AXFR
> ; (1 server found)
> ;; global options: +cmd
> bind9testcarlos.be. 86400   IN  SOA ns1.skynet.be. 
> dnsmaster.skynet.be. 1999101725 600 3600 604800 86400
> bind9testcarlos.be. 86400   IN  NS  ns.uat.
> bind9testcarlos.be. 86400   IN  NS  ns2.uat.
> ns.bind9testcarlos.be.  3600IN  A   1.2.3.4
> ns2.bind9testcarlos.be. 3600IN  A   1.2.3.4
> sgtest1.bind9testcarlos.be. 3600 IN A   1.2.3.30
> cs1.sgtest1.bind9testcarlos.be. 3600 IN A   1.2.3.4
> bind9testcarlos.be. 86400   IN  SOA ns1.skynet.be. 
> dnsmaster.skynet.be. 1999101725 600 3600 604800 86400
> ;; Query time: 5 msec
> ;; SERVER: 194.78.73.65#53(194.78.73.65)
> ;; WHEN: Wed Apr 20 14:03:20 2011
> ;; XFR size: 8 records (messages 1, bytes 250)
>  
> dnscustmaster901:/etc/bind/zones/master# cat bind9testcarlos.be   
>==> master zone file
> $TTL 3600;Positive Caching
> bind9testcarlos.be.  86400   IN SOA  ns1.skynet.be.  dnsmaster.skynet.be. 
>(
>  1999101725 ; Serial
>  600  ; Refresh
>  3600   ; Retry
>  604800 ; Expire
>  86400 ); Negative Caching
>  
> bind9testcarlos.be.  86400   IN  NS ns.uat.
> bind9testcarlos.be.  86400   IN  NS ns2.uat.
> cs1.sgtest1.bind9testcarlos.be.  3600IN  A   1.2.3.4 
> ns.bind9testcarlos.be.   3600IN  A   1.2.3.4
> ns2.bind9testcarlos.be.  3600IN  A   1.2.3.4 
> sgtest1.bind9testcarlos.be.  3600IN  A   1.2.3.30
>  
>  
> lennydnstest01:~# dig @localhost bind9testcarlos.be AXFR ==> what is on the 
> slave zone
>  
> ; <<>> DiG 9.6-ESV-R3 <<>> @localhost bind9testcarlos.be AXFR
> ; (2 servers found)
> ;; global options: +cmd
> bind9testcarlos.be. 86400   IN  SOA ns1.skynet.be. 
> dnsmaster.skynet.be. 1999101723 600 3600 604800 86400
> bind9testcarlos.be. 86400   IN  NS  ns.uat.
> bind9testcarlos.be. 86400   IN  NS  ns2.uat.
> ns.bind9testcarlos.be.  3600IN  A   1.2.3.4
> ns2.bind9testcarlos.be. 3600IN  A   1.2.3.4
> sgtest1.bind9testcarlos.be. 3600 IN A   1.2.3.20
> cs1.sgtest1.bind9testcarlos.be. 3600 IN A   1.2.3.4
> bind9testcarlos.be. 86400   IN  SOA ns1.skynet.be. 
> dnsmaster.skynet.be. 1999101723 600 3600 604800 86400
> ;; Query time: 3 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Wed Apr 20 14:03:21 2011
> ;; XFR size: 8 records (messages 1, bytes 250)
>  
>  
> lennydnstest01:~# cat /etc/bind/zones/slave/bind9testcarlos.be ==> slave 
> zone file
> $ORIGIN .
> $TTL 86400  ; 1 day
> bind9testcarlos.be  IN SOA  ns1.skynet.be. dnsmaster.skynet.be. (
> 1999101723 ; serial
> 600; refresh (10 minutes)
> 3600   ; retry (1 hour)
> 604800 ; expire (1 week)
> 86400  ; minimum (1 day)
> )
> NS  ns.uat.
> NS  ns2.uat.
> $ORIGIN bind9testcarlos.be.
> $TTL 3600   ; 1 hour
> ns  A   1.2.3.4
> ns2 A   1.2.3.4
> sgtest1 A   1.2.3.20
> $ORIGIN sgtest1.bind9testcarlos.be.
> cs1 A   1.2.3.4
>  
>  
>  
>  
> After a reload zonefile (not working with "rndc reload")   ==> AXFR is done!
>  
> lennydnstest01:~# rndc reload bind9testcarlos.be
> zone refresh queued
> lennydnstest01:~# dig @localhost bind9testcarlos.be AXFR
>  
> ; <<>> DiG 9.6-ESV-R3 <<>> @localhost bind9testcarlos.be AXFR
> ; (2 servers found)
> ;; global options: +cmd
> bind9testcarlos.be. 86400   IN  SOA ns1.skynet.be. 
> dnsmaster.skynet.be. 1999101725 600 3600 604800 86400
> bind9testcarlos.be. 86400   IN  NS  ns.uat.
> bind9testcarlos.be. 8

slave AXFR bind9

2011-04-21 Thread hugo hugoo

Dear all,
I am really lost with the working of my slave zone.
Here the situation/configuration.
 
 
I use a server called "lenny" where the zone is identified as slave.
I use a server called custmaster where the zone is master.
 
After a stop/start of the BIND9 in the Lenny server (slave zone), the slave 
zone is never synchronised with the master zone.
In my test, the serial number in the master is greater than in the slave.
 


lennydnstest01:~# dig @194.78.73.65 bind9testcarlos.be AXFR  ==> what is on 
the master zone (dig uses the IP address of the master)
 
; <<>> DiG 9.6-ESV-R3 <<>> @194.78.73.65 bind9testcarlos.be AXFR
; (1 server found)
;; global options: +cmd
bind9testcarlos.be. 86400   IN  SOA ns1.skynet.be. 
dnsmaster.skynet.be. 1999101725 600 3600 604800 86400
bind9testcarlos.be. 86400   IN  NS  ns.uat.
bind9testcarlos.be. 86400   IN  NS  ns2.uat.
ns.bind9testcarlos.be.  3600IN  A   1.2.3.4
ns2.bind9testcarlos.be. 3600IN  A   1.2.3.4
sgtest1.bind9testcarlos.be. 3600 IN A   1.2.3.30
cs1.sgtest1.bind9testcarlos.be. 3600 IN A   1.2.3.4
bind9testcarlos.be. 86400   IN  SOA ns1.skynet.be. 
dnsmaster.skynet.be. 1999101725 600 3600 604800 86400
;; Query time: 5 msec
;; SERVER: 194.78.73.65#53(194.78.73.65)
;; WHEN: Wed Apr 20 14:03:20 2011
;; XFR size: 8 records (messages 1, bytes 250)
 
dnscustmaster901:/etc/bind/zones/master# cat bind9testcarlos.be 
 ==> master zone file
$TTL 3600;Positive Caching
bind9testcarlos.be.  86400   IN SOA  ns1.skynet.be.  dnsmaster.skynet.be.   
 (
 1999101725 ; Serial
 600  ; Refresh
 3600   ; Retry
 604800 ; Expire
 86400 ); Negative Caching
 
bind9testcarlos.be.  86400   IN  NS ns.uat.
bind9testcarlos.be.  86400   IN  NS ns2.uat.
cs1.sgtest1.bind9testcarlos.be.  3600IN  A   1.2.3.4 
ns.bind9testcarlos.be.   3600IN  A   1.2.3.4
ns2.bind9testcarlos.be.  3600IN  A   1.2.3.4 
sgtest1.bind9testcarlos.be.  3600IN  A   1.2.3.30
 
 
lennydnstest01:~# dig @localhost bind9testcarlos.be AXFR ==> what is on the 
slave zone
 
; <<>> DiG 9.6-ESV-R3 <<>> @localhost bind9testcarlos.be AXFR
; (2 servers found)
;; global options: +cmd
bind9testcarlos.be. 86400   IN  SOA ns1.skynet.be. 
dnsmaster.skynet.be. 1999101723 600 3600 604800 86400
bind9testcarlos.be. 86400   IN  NS  ns.uat.
bind9testcarlos.be. 86400   IN  NS  ns2.uat.
ns.bind9testcarlos.be.  3600IN  A   1.2.3.4
ns2.bind9testcarlos.be. 3600IN  A   1.2.3.4
sgtest1.bind9testcarlos.be. 3600 IN A   1.2.3.20
cs1.sgtest1.bind9testcarlos.be. 3600 IN A   1.2.3.4
bind9testcarlos.be. 86400   IN  SOA ns1.skynet.be. 
dnsmaster.skynet.be. 1999101723 600 3600 604800 86400
;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Apr 20 14:03:21 2011
;; XFR size: 8 records (messages 1, bytes 250)
 
 
lennydnstest01:~# cat /etc/bind/zones/slave/bind9testcarlos.be ==> slave zone 
file
$ORIGIN .
$TTL 86400  ; 1 day
bind9testcarlos.be  IN SOA  ns1.skynet.be. dnsmaster.skynet.be. (
1999101723 ; serial
600; refresh (10 minutes)
3600   ; retry (1 hour)
604800 ; expire (1 week)
86400  ; minimum (1 day)
)
NS  ns.uat.
NS  ns2.uat.
$ORIGIN bind9testcarlos.be.
$TTL 3600   ; 1 hour
ns  A   1.2.3.4
ns2 A   1.2.3.4
sgtest1 A   1.2.3.20
$ORIGIN sgtest1.bind9testcarlos.be.
cs1 A   1.2.3.4
 
 
 
 
After a reload zonefile (not working with "rndc reload")   ==> AXFR is done!
 
lennydnstest01:~# rndc reload bind9testcarlos.be
zone refresh queued
lennydnstest01:~# dig @localhost bind9testcarlos.be AXFR
 
; <<>> DiG 9.6-ESV-R3 <<>> @localhost bind9testcarlos.be AXFR
; (2 servers found)
;; global options: +cmd
bind9testcarlos.be. 86400   IN  SOA ns1.skynet.be. 
dnsmaster.skynet.be. 1999101725 600 3600 604800 86400
bind9testcarlos.be. 86400   IN  NS  ns.uat.
bind9testcarlos.be. 86400   IN  NS  ns2.uat.
ns.bind9testcarlos.be.  3600IN  A   1.2.3.4
ns2.bind9testcarlos.be. 3600IN  A   1.2.3.4
sgtest1.bind9testcarlos.be. 3600 IN A   1.2.3.30
cs1.sgtest1.bind9testcarlos.be. 3600 IN A   1.2.3.4
bind9testcarlos.be. 86400   IN  SOA ns1.skynet.be. 
dnsmaster.skynet.be. 1999101725 600 3600 604800 86400
;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Apr 20 14:08:16 2011
;; XFR size: 8 records (messages 1, bytes 250)
 
 
Log in the the master:
 
Apr 20 14:08:03 dnscust