Hi All,

I have a troublesome problem I would appreciate some help with. All firewalls
are off. I have two DNS servers, both running NSD and Unbound.
DNS1 with nsd.conf relevant settings
IP: 192.168.1.2
Unbound port: 53
NSD port: 54000

ip-address: 192.168.1.2
do-ip4: yes
port: 54000
hide-version: yes

pattern:
        name: "dns2"
        notify: 192.168.1.3@53000 NOKEY
        provide-xfr: 192.168.1.3@53000 NOKEY
        outgoing-interface: 192.168.1.2@54000

zone:
        name: "my_domain.net"
        zonefile: my_domain.net.zone
        include-pattern: "dns2"
DNS2 with nsd.conf relevant settings
IP: 192.168.1.3
Unbound port: 53
NSD port: 53000

ip-address: 192.168.1.3
do-ip4: yes
port: 53000
hide-version: yes

pattern:
        name: "dns1"
        allow-notify: 192.168.1.2@54000 NOKEY
        request-xfr: 192.168.1.2@54000 NOKEY
        outgoing-interface: 192.168.1.3@5300

zone:
        name: "my_domain.net"
        zonefile: my_domain.net.zone
        include-pattern: "dns1"
When I run "nsd-control transfer my_domain.net" on the slave, I get:

nsd[58858]: error: xfrd: zone my_domain.net received error code REFUSED from 192.168.1.2@54000
On 19/07/2022 18:55, Peter Fraser via nsd-users wrote:

Hi Peter,

This is a common misunderstanding with most people. They mistakenly assume that if a process is listening on port X, it will also initiate outgoing connections from the same port X. Even though your DNS2 NSD is _listening_ on port 53000, when it makes an _outgoing_ TCP connection to DNS1 NSD for XFR of "my_domain.net", it will use a random source port. However, you are _only_ allowing connections from DNS2's IP and a specific source port in the "provide-xfr" directive on DNS1's NSD.

Just remove the @53000.

Regards,
Anand

> DNS1 with nsd.conf relevant settings
> IP: 192.168.1.2
> Unbound port: 53
> NSD port: 54000
>
> ip-address: 192.168.1.2
> do-ip4: yes
> port: 54000
> hide-version: yes
>
> pattern:
>         name: "dns2"
>         notify: 192.168.1.3@53000 NOKEY
>         provide-xfr: 192.168.1.3@53000 NOKEY
>         outgoing-interface: 192.168.1.2@54000
>
> zone:
>         name: "my_domain.net"
>         zonefile: my_domain.net.zone
>         include-pattern: "dns2"
[snip]
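The point in the reply above is that "provide-xfr" and "allow-notify" are inbound ACLs: an "@port" on them must match the peer's source port, which for a TCP AXFR the peer does not control. The script below is an added illustration, not code from the thread or from the NSD project. It takes the DNS1 nsd.conf fragment from the original post (embedded as a constructed string, with the archive's "at" restored to "@"), lists the inbound ACL lines that pin a port, and emits the corrected config with the "@53000" removed while leaving "notify", "request-xfr" and "outgoing-interface" (where a port is the target or local bind port, not a peer source port) untouched. The regular expression only handles plain IPv4/IPv6 addresses, not NSD's prefix or mask ranges; that is an assumption of this example.

```python
import re

# Constructed nsd.conf fragment for DNS1, copied from the original post
# (archive spelling "192.168.1.3 at 53000" is NSD's "192.168.1.3@53000").
DNS1_CONF = """\
ip-address: 192.168.1.2
do-ip4: yes
port: 54000
hide-version: yes

pattern:
        name: "dns2"
        notify: 192.168.1.3@53000 NOKEY
        provide-xfr: 192.168.1.3@53000 NOKEY
        outgoing-interface: 192.168.1.2@54000

zone:
        name: "my_domain.net"
        zonefile: my_domain.net.zone
        include-pattern: "dns2"
"""

# Inbound ACL keywords. They are matched against the REMOTE endpoint of a
# connection the peer opens, so an @port here must equal the peer's source
# port. A TCP AXFR request from the peer uses an ephemeral source port,
# which is why a pinned port yields REFUSED. "notify", "request-xfr" and
# "outgoing-interface" are deliberately not in this list.
INBOUND_ACL_RE = re.compile(
    r"^(?P<indent>\s*)(?P<key>provide-xfr|allow-notify):\s*"
    r"(?P<addr>[0-9a-fA-F.:]+)"      # plain IPv4/IPv6 address only (assumption)
    r"(?:@(?P<port>\d+))?"           # optional pinned peer port
    r"\s+(?P<auth>\S+)\s*$"          # key name, NOKEY or BLOCKED
)


def pinned_inbound_acls(conf_text):
    """Return (line_no, key, addr, port, auth) for inbound ACLs pinned to a port."""
    found = []
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        m = INBOUND_ACL_RE.match(line)
        if m and m.group("port"):
            found.append((line_no, m.group("key"), m.group("addr"),
                          int(m.group("port")), m.group("auth")))
    return found


def unpin_inbound_acls(conf_text):
    """Rewrite inbound ACL lines without the @port; other lines pass through."""
    out = []
    for line in conf_text.splitlines():
        m = INBOUND_ACL_RE.match(line)
        if m and m.group("port"):
            line = f'{m.group("indent")}{m.group("key")}: {m.group("addr")} {m.group("auth")}'
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for line_no, key, addr, port, auth in pinned_inbound_acls(DNS1_CONF):
        print(f"line {line_no}: {key} pins peer source port {port} for {addr} ({auth})")
    print("--- corrected DNS1 fragment ---")
    print(unpin_inbound_acls(DNS1_CONF), end="")
```

Running it reports the single offending "provide-xfr" line and prints the fragment with "provide-xfr: 192.168.1.3 NOKEY". Note that with NOKEY there is no TSIG, so after the fix the only thing standing between a third party and a full copy of the zone is the source address check; if the link between the two servers is not trusted, a "key:" block with TSIG on both sides is the usual hardening.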