Hi All, I have a troublesome problem I would appreciate some help with. All firewalls are off. I have two DNS servers, both running NSD and Unbound.

DNS1 with nsd.conf relevant settings
IP: 192.168.1.2
Unbound Port: 53
NSD Port: 54000

    ip-address: 192.168.1.2
    do-ip4: yes
    port: 54000
    hide-version: yes

    pattern:
        name: "dns2"
        notify: 192.168.1.3@53000 NOKEY
        provide-xfr: 192.168.1.3@53000 NOKEY
        outgoing-interface: 192.168.1.2@54000

    zone:
        name: "my_domain.net"
        zonefile: my_domain.net.zone
        include-pattern: "dns2"

DNS2 with nsd.conf relevant settings
IP: NSD 192.168.1.3
Unbound Port: 53
NSD Port: 53000

    ip-address: 192.168.1.3
    do-ip4: yes
    port: 53000
    hide-version: yes

    pattern:
        name: "dns1"
        allow-notify: 192.168.1.2@54000 NOKEY
        request-xfr: 192.168.1.2@54000 NOKEY
        outgoing-interface: 192.168.1.3@5300

    zone:
        name: "my_domain.net"
        zonefile: my_domain.net.zone
        include-pattern: "dns1"

When I run nsd-control transfer my_domain.net from the slave, I get

    nsd[58858]: error: xfrd: zone my_domain.net received error code REFUSED from 192.168.1.2@54000
On 19/07/2022 18:55, Peter Fraser via nsd-users wrote:

Hi Peter,

This is a common misunderstanding with most people. They mistakenly assume that if a process is listening on port X, it will also initiate outgoing connections from the same port X.

Even though your DNS2 NSD is _listening_ on port 53000, when it makes an _outgoing_ TCP connection to DNS1 NSD for XFR of "my_domain.net", it will use a random source port. However, you are _only_ allowing connections from DNS2's IP and a specific source port in the "provide-xfr" directive on DNS1's NSD.

Just remove the @53000.

Regards,
Anand

> DNS1 with nsd.conf relevant settings
> IP: 192.168.1.2
> Unbound Port: 53
> NSD Port: 54000
>
> ip-address: 192.168.1.2
> do-ip4: yes
> port: 54000
> hide-version: yes
>
> pattern:
>     name: "dns2"
>     notify: 192.168.1.3@53000 NOKEY
>     provide-xfr: 192.168.1.3@53000 NOKEY
>     outgoing-interface: 192.168.1.2@54000
>
> zone:
>     name: "my_domain.net"
>     zonefile: my_domain.net.zone
>     include-pattern: "dns2"
[snip]
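A small check for the misconfiguration Anand describes, added here as an example and not code from the thread or from NSD itself: it parses the ACL lines of a pattern block (a sample constructed from DNS1's settings above), flags any provide-xfr entry that pins the secondary's port, and emits the corrected line. It handles only the plain `key: ip[@port] ...` line form seen in the thread, not the full nsd.conf grammar.

```python
import re
from typing import List, Optional, Tuple

# Constructed from the DNS1 pattern block in the thread (not the poster's full file).
DNS1_PATTERN = """\
pattern:
    name: "dns2"
    notify: 192.168.1.3@53000 NOKEY
    provide-xfr: 192.168.1.3@53000 NOKEY
    outgoing-interface: 192.168.1.2@54000
"""

# Matches "<key>: <ipv4>[@<port>] <rest>"; lines without an IPv4 value do not match.
ACL_RE = re.compile(r"^(?P<indent>\s*)(?P<key>[a-z-]+):\s*(?P<ip>[0-9.]+)"
                    r"(?:@(?P<port>\d+))?(?P<rest>.*)$")
ACL_KEYS = {"notify", "provide-xfr", "request-xfr", "allow-notify"}

def parse_acls(conf: str) -> List[Tuple[str, str, Optional[int]]]:
    """Return (key, ip, port) for every notify/provide-xfr/request-xfr/allow-notify line."""
    acls = []
    for line in conf.splitlines():
        m = ACL_RE.match(line)
        if m and m.group("key") in ACL_KEYS:
            port = int(m.group("port")) if m.group("port") else None
            acls.append((m.group("key"), m.group("ip"), port))
    return acls

def pinned_provide_xfr(conf: str) -> List[str]:
    """Warn for provide-xfr entries that pin the peer's source port.

    provide-xfr is matched against the source of the incoming AXFR/IXFR
    request, which the secondary sends from an ephemeral port, so the
    pinned entry never matches and the transfer is REFUSED."""
    return [f"provide-xfr {ip}@{port}: XFR requests arrive from an ephemeral "
            f"source port, so this entry refuses them; drop the @{port}"
            for key, ip, port in parse_acls(conf)
            if key == "provide-xfr" and port is not None]

def unpin_provide_xfr(conf: str) -> str:
    """Return the config with the @port removed from provide-xfr entries only.

    notify/request-xfr keep their @port: there it names the peer's listening port."""
    fixed = []
    for line in conf.splitlines():
        m = ACL_RE.match(line)
        if m and m.group("key") == "provide-xfr" and m.group("port"):
            line = f"{m.group('indent')}provide-xfr: {m.group('ip')}{m.group('rest')}"
        fixed.append(line)
    return "\n".join(fixed) + "\n"
```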