
List:       bind9-users
Subject:    RE: Bind 9 zone transfer question
From:       schurch () lifemasters ! com
Date:       2002-10-30 19:17:09

Hello everyone,
I had some additional information to provide on this problem. We are using
BIND 9.2.0, which is the version that has a bug whereby the BIND service
keeps stopping at random intervals. Also, on our slave server, I was able to
rule out the routing issue. We removed the internal interface so that it no
longer had entries in the routing table, then rebooted and stopped/started the
BIND service to try and initiate a zone transfer, but we still ran into the
same problems. I have included the named.conf for our master BIND server
below, for comparison with the slave config that I originally included.
Finally, we have not yet enabled any TCP/IP filtering on either server, so
that can be ruled out as a potential cause. We can also run successful
traceroutes between both servers. Does anyone have any other ideas why we
can't initiate a zone transfer between these 2 servers?
 
Thanks,
 
Simon
 
# /etc/named.conf
#
 
acl nameservers { 208.46.211.67; };
 
options {
 
        transfers-in 10;
        
        transfer-format one-answer;
        
        notify-source 63.175.161.67;
 
        # The directory statement defines the name server's
        # working directory
 
        directory "c:\WINNT\System32\dns\etc";
 
        # The forwarders record contains a list of servers to
        # which queries should be forwarded. Enable this line and
        # modify the IP-address to your provider's name server.
        # Up to three servers may be listed.
 
        forwarders {  204.117.214.10; 199.2.252.10; 204.97.212.10; };
 
        # Enable the next entry to prefer usage of the name
        # server declared in the forwarders section.
 
        forward first;
 
        # The listen-on record contains a list of local network
        # interfaces to listen on. Optionally the port can be
        # specified. Default is to listen on all interfaces found
        # on your system. The default port is 53.
 
        #listen-on port 53 { 127.0.0.1; };
 
        # The listen-on-v6 record enables or disables listening
        # on IPV6 interfaces. Allowed values are 'any' and 'none'
        # or a list of addresses. IPv6 can only be used with
        # kernel 2.4 in this release.
 
        listen-on-v6 { any; };
 
        # The next three statements may be needed if a firewall
        # stands between the local server and the internet.
 
        #query-source address * port 53;
        #transfer-source * port 53;
        #notify-source * port 53;
 
        # The allow-query record contains a list of networks or
        # IP-addresses to accept and deny queries from. The
        # default is to allow queries from all hosts.
 
        #allow-query { localhost; nameservers; };
 
        # If notify is set to yes (default), notify messages are
        # sent to other name servers when the zone data is
        # changed. Instead of setting a global 'notify' statement
        # in the 'options' section, a separate 'notify' can be
        # added to each zone definition.
 
        #notify YES;
 
        #also-notify { 208.46.211.67; };
 
        #allow-notify { nameservers; };
 
        allow-transfer { localhost; nameservers; };
 
        #allow-recursion { none; };
 
};
 
# The following three zone definitions don't need any modification.
# The first one defines localhost while the second defines the
# reverse lookup for localhost. The last zone "." is the
# definition of the root name servers.
 
zone "localhost" in {
        type master;
        file "localhost.db";
};
 
zone "0.0.127.in-addr.arpa" in {
        type master;
        file "0.0.127.in-addr.arpa.db";
};
 
zone "." in {
        type hint;
        file "named.root";
};
 
# You can insert further zone records for your own domains below
 
zone "lifemasters.com" {
         type master ;
         file "lifemasters.com.db";
         allow-query {
           any ;
         };
         allow-update {
           none;
         };
         forwarders { };
};

-----Original Message-----
From: Church, Simon 
Sent: Wednesday, October 23, 2002 3:20 PM
To: 'bind9-users@isc.org'
Subject: FW: Bind 9 zone transfer question


Forgot to copy the group on this additional info.
-----Original Message-----
From: Church, Simon 
Sent: Wednesday, October 23, 2002 3:16 PM
To: 'Matthias Krawutschke'
Subject: RE: Bind 9 zone transfer question


Here it is:
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x1000003 ...00 a0 c9 a7 c9 d1 ...... Intel(R) PRO Adapter
0x1000004 ...00 90 27 ac 90 4a ...... Intel(R) PRO Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    208.46.211.65   208.46.211.67   1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1   1
    192.168.110.0    255.255.255.0    192.168.110.4   192.168.110.4   1
    192.168.110.4  255.255.255.255        127.0.0.1       127.0.0.1   1
  192.168.110.255  255.255.255.255    192.168.110.4   192.168.110.4   1
    208.46.211.64  255.255.255.240    208.46.211.67   208.46.211.67   1
    208.46.211.67  255.255.255.255        127.0.0.1       127.0.0.1   1
   208.46.211.255  255.255.255.255    208.46.211.67   208.46.211.67   1
        224.0.0.0        224.0.0.0    192.168.110.4   192.168.110.4   1
        224.0.0.0        224.0.0.0    208.46.211.67   208.46.211.67   1
  255.255.255.255  255.255.255.255    192.168.110.4   192.168.110.4   1
Default Gateway:     208.46.211.65
===========================================================================
Persistent Routes:
  None
 
Route Table

-----Original Message-----
From: Matthias Krawutschke [mailto:Matthias@krawutschke.com]
Sent: Wednesday, October 23, 2002 3:32 PM
To: 'schurch@lifemasters.com'
Subject: AW: Bind 9 zone transfer question


Hey,
 
The reason is that Windows must know which interface must be taken to go
out. So please run the following on a Windows box:
 
                netstat -rn
 
and send it to me. I think that there is no route to the primary directly,
or anything else.
BIND takes the right way if it can find it.
 
Kind regards
 
 
Matthias
 

-----Original Message-----
From: schurch@lifemasters.com [mailto:schurch@lifemasters.com]
Sent: Wednesday, 23 October 2002 21:56
To: Matthias Krawutschke
Subject: RE: Bind 9 zone transfer question



Thanks for responding. I am able to ping the master and slave machines
from each other, since they both have the external interfaces/NICs. The
slave machine also has an internal NIC since it is in a COLO and needs to be
accessed by some of the local machines. It could well be a routing problem;
however, I did try to disable the internal NIC, in the hope that any
communication would then be forced to go over the external NIC. It did not
seem to make any difference. Is there any way to configure BIND so that it
uses a specific NIC? At the moment, I don't know how BIND will differentiate
between the 2 of them.

Simon 

-----Original Message----- 
From: Matthias Krawutschke [mailto:Matthias@krawutschke.com]
Sent: Wednesday, October 23, 2002 2:53 PM 
To: 'schurch@lifemasters.com' 
Subject: AW: Bind 9 zone transfer question 


Hey, 

I think that you have a routing problem, not a DNS problem, at this point.
You see, on your Master-DNS you have 63.175.161.67 and on the Slave-DNS
208.46.211.67 or 192.168.110.4. Which of these machines does the routing, or
do you have an external router? If so, please check that. Can you ping
from one machine to the other machine?

Kind regards 


Matthias 


-----Original Message-----
From: schurch@lifemasters.com [mailto:schurch@lifemasters.com]
Sent: Wednesday, 23 October 2002 21:40
To: bind9-users@isc.org
Subject: Bind 9 zone transfer question


Hello, 

I am wondering if you can help me with a question relating to a BIND DNS
installation on a Windows 2000 server. We recently moved to this platform
and are having a problem with the initial zone transfer between the master
and slave. Unfortunately our DNS expert is out of town for a few weeks, so
my experience of working with BIND is rather limited.

We set up the master server 63.175.161.67 (only has a single interface) and 
it appears to be working fine. We then tried setting up the slave server, 
which has 2 interfaces. The external one is 208.46.211.67 and the internal 
interface is 192.168.110.4. However, we don't seem able to get any zone 
transfers working between the 2 servers. When I look in the event logs on 
the slave server, there are 2 error logs for each zone. 

One error states: "zone xxxxx/IN:refresh;retry limit for master 
63.175.161.67 #53 exceeded". The other error states "zone 
xxxx/IN:refresh:failure trying master 63.175.161.67 #53:timed out". 

It would appear that our slave is not able to reach the master. We 
originally had a META IP DNS installation set up and were able to do zone 
transfers, so from a networking perspective it has worked before. I thought 
that the BIND software might be trying to reach the master server over the 
internal interface (instead of over the external interface), but after 
disabling it the same errors came up. The config file for the slave is 
included below. I was wondering if you might have a moment to quickly check 
it out to see if it looks correct. Also, if you have any other suggestions on
how I can troubleshoot this, I would be very grateful.

Many thanks, 

Simon 

Config file (only includes one of the zones) 

# /etc/named.conf 
# 

acl nameservers { 63.175.161.67; }; 

options { 

        transfers-in 10; 
        
        transfer-format one-answer; 
        
        notify-source 208.46.211.67; 

        # The directory statement defines the name server's
        # working directory

        directory "c:\WINNT\System32\dns\etc"; 

        # The forwarders record contains a list of servers to 
        # which queries should be forwarded. Enable this line and 
        # modify the IP-address to your provider's name server. 
        # Up to three servers may be listed. 

        forwarders {  208.45.146.25; 208.45.144.25; 216.207.84.25; }; 

        # Enable the next entry to prefer usage of the name 
        # server declared in the forwarders section. 

        forward first; 

        # The listen-on record contains a list of local network 
        # interfaces to listen on. Optionally the port can be 
        # specified. Default is to listen on all interfaces found 
        # on your system. The default port is 53. 

        #listen-on port 53 { 127.0.0.1; }; 

        # The listen-on-v6 record enables or disables listening 
        # on IPV6 interfaces. Allowed values are 'any' and 'none' 
        # or a list of addresses. IPv6 can only be used with 
        # kernel 2.4 in this release. 

        listen-on-v6 { any; }; 

        # The next three statements may be needed if a firewall 
        # stands between the local server and the internet. 

        #query-source address * port 53; 
        #transfer-source * port 53; 
        #notify-source * port 53; 

        # The allow-query record contains a list of networks or 
        # IP-addresses to accept and deny queries from. The 
        # default is to allow queries from all hosts. 

        #allow-query { localhost; nameservers; }; 

        # If notify is set to yes (default), notify messages are 
        # sent to other name servers when the zone data is
        # changed. Instead of setting a global 'notify' statement 
        # in the 'options' section, a separate 'notify' can be 
        # added to each zone definition. 

        #notify YES; 

        #also-notify { 63.175.161.67; }; 

        #allow-notify { nameservers; }; 

        allow-transfer { localhost; nameservers; }; 

        #allow-recursion { none; }; 

}; 

# The following three zone definitions don't need any modification. 
# The first one defines localhost while the second defines the 
# reverse lookup for localhost. The last zone "." is the 
# definition of the root name servers. 

zone "localhost" in { 
        type master; 
        file "localhost.db"; 
}; 

zone "0.0.127.in-addr.arpa" in { 
        type master; 
        file "0.0.127.in-addr.arpa.db"; 
}; 

zone "." in { 
        type hint; 
        file "named.root"; 
}; 

# You can insert further zone records for your own domains below 

zone "lifemasters.com" { 
         type slave ; 
         file "lifemasters.com.db"; 
         masters {63.175.161.67;}; 
         allow-query { 
           any ; 
         }; 
         forwarders { }; 
}; 


Simon Church 

Lead Systems Engineer 
LifeMasters Supported SelfCare, Inc. 
(650) 829-5251 
schurch@lifemasters.com 

Please note for future reference regarding procedures and policies on how
and when to contact the Help Desk, the Help Desk manual can be accessed and
viewed at http://home/LMIntranet/help/helpdesk.asp
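The thread checks reachability with ping and traceroute, but what the slave actually does at refresh time is send a SOA query to the master on port 53, and the transfer itself runs over TCP/53; on a multi-homed slave the source address is chosen per socket, which is what BIND's query-source and transfer-source options (commented out in both posted configs) control. The following is an added example, not code from the thread: it reproduces that refresh check in Python from a chosen local address, over UDP and over TCP, so that a "timed out" on one protocol can be told apart from a routing problem; the master and slave addresses are the ones quoted in the posts, used here only as defaults.

```python
import socket
import struct

def build_soa_query(zone, txid=0x1234):
    """The SOA/IN query a slave sends to its master at refresh time (RD=1)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in zone.strip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x00\x06\x00\x01"
def _skip_name(msg, pos):  # offset just past the wire-format name starting at pos
    while msg[pos] != 0:
        if (msg[pos] & 0xC0) == 0xC0:
            return pos + 2            # a compression pointer ends the name
        pos += msg[pos] + 1
    return pos + 1
def parse_soa_serial(msg, txid=0x1234):
    """(rcode, serial) from a response; serial is None if no SOA RR came back."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not (flags & 0x8000):
        raise ValueError("not a response to our query")
    pos = 12
    for _ in range(qd):               # skip the echoed question section
        pos = _skip_name(msg, pos) + 4
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 6:                # SOA rdata: MNAME, RNAME, SERIAL, ...
            p = _skip_name(msg, _skip_name(msg, pos))
            return flags & 0xF, struct.unpack("!I", msg[p:p + 4])[0]
        pos += rdlen
    return flags & 0xF, None
# Defaults are the thread's master and the slave's external NIC (assumed, from the posts).
def probe_master(zone, master="63.175.161.67", source="208.46.211.67", timeout=5.0):
    """SOA query to the master over UDP and TCP from `source` (bind() = query-/transfer-source)."""
    q, results = build_soa_query(zone), {}
    for proto, stype in (("udp", socket.SOCK_DGRAM), ("tcp", socket.SOCK_STREAM)):
        with socket.socket(socket.AF_INET, stype) as s:
            s.settimeout(timeout)
            try:
                s.bind((source, 0))
                s.connect((master, 53))
                s.send(q if proto == "udp" else struct.pack("!H", len(q)) + q)
                data = s.recv(4096)
                if proto == "tcp":    # TCP DNS prefixes each message with its length
                    need = struct.unpack("!H", data[:2])[0] + 2
                    while len(data) < need:
                        data += s.recv(need - len(data))
                    data = data[2:]
                results[proto] = parse_soa_serial(data)
            except OSError as exc:    # socket.timeout here is the slave's "timed out"
                results[proto] = exc
    return results
```

`probe_master("lifemasters.com")` returns a dict keyed by "udp" and "tcp"; a (0, serial) under "udp" beside a timeout under "tcp" means the SOA refresh works but the AXFR path on TCP/53 is blocked, while timeouts on both from the external address point back at routing or filtering of port 53.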


