
I am implementing this in my home network, so if I swap the roles from master to slave [this machine should work as the primary server for ns.insec and the slave server for not.insec on machine 1, and on machine 2 slave to master (primary server for not.insec and slave server for ns.insec)], here comes the same problem: zone transfer permission denied. It works one way from machine 1, but machine 2 cannot transfer the zone file. I have not found any solution so far for the case of swapping the roles of the DNS servers. I can dig and do a reverse query from machine 2, but I cannot do any **dig not.insec -t axfr**. Could someone advise me on how to fix this issue?

So I can now do a dig from machine 1:

dig ns.insec -t axfr
dig not.insec axfr

Using these I verified that machine 1 transfers the file to machine 2, but if I dig this from machine 2 I get this error message.

Here is the log file from machine 2:

Mar 16 14:26:50 ip-172-31-31-48 named[6131]: zone not.insec/IN: sending notifies (serial 7)
Mar 16 14:26:50 ip-172-31-31-48 named[6131]: zone ns.insec/IN: sending notifies (serial 10)
Mar 16 14:26:50 ip-172-31-31-48 named[6131]: zone 31.31.172.in-addr.arpa/IN: refresh: non-authoritative answer from master 172.31.22.11#53 (source 0.0.0.0#0)
Mar 16 14:50:50 ip-172-31-31-48 dhclient: DHCPREQUEST of 172.31.31.48 on eth0 to 172.31.16.1 port 67 (xid=0x1a6b53e6)
Mar 16 14:50:50 ip-172-31-31-48 dhclient: DHCPACK of 172.31.31.48 from 172.31.16.1
Mar 16 14:50:50 ip-172-31-31-48 dhclient: bound to 172.31.31.48 -- renewal in 1698 seconds.
Mar 16 14:40:54 ip-172-31-31-48 named[6131]: message repeated 4 times: [ zone 31.31.172.in-addr.arpa/IN: refresh: non-authoritative answer from master 172.31.22.11#53 (source 0.0.0.0#0)]
Mar 16 14:54:47 ip-172-31-31-48 named[6131]: client 172.31.31.48#52792 (ns.insec): zone transfer 'ns.insec/AXFR/IN' denied
Mar 16 14:55:05 ip-172-31-31-48 named[6131]: zone 31.31.172.in-addr.arpa/IN: refresh: non-authoritative answer from master 172.31.22.11#53 (source 0.0.0.0#0)
Mar 16 14:55:22 ip-172-31-31-48 named[6131]: client 172.31.31.48#49102 (not.insec): zone transfer 'not.insec/AXFR/IN' denied

Here is the named.conf.local from machine 2:

zone "not.insec" {
    type master;
    file "/etc/bind/zones/db.not.insec";
    allow-transfer { 172.31.22.11; 127.0.0.1; };
    also-notify { 172.31.22.11; };
};

zone "48-20.31.31.172.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/db.172.31.31.20-48";
    allow-transfer { 172.31.22.11; };
    also-notify { 172.31.22.11; };
};

zone "ns.insec" {
    type slave;
    file "db.ns.insec";
    masters { 172.31.22.11; };
};

zone "31.31.172.in-addr.arpa" {
    type slave;
    file "db.172.31.31";
    masters { 172.31.22.11; };
};

Here is the named.conf.options from machine 2:

acl "allowed" {
    localhost;
    172.31.0.0/20;
    localnets;
};

options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    forwarders {
        8.8.8.8;
    };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;

    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
    forward only;
    allow-query { allowed; };
    allow-query-cache { allowed; };
    allow-recursion { allowed; };
    recursion yes;
    allow-transfer { 172.31.22.11; 127.0.0.1; };
};

Here are the file permissions for /etc/bind/ on machine 2 (/etc/bind/ on machine 1 has the same permissions):

-rw-r--r-- 1 root root 2389 Mar  8 14:54 bind.keys
-rw-r--r-- 1 root root  237 Mar  8 14:54 db.0
-rw-r--r-- 1 root root  271 Mar  8 14:54 db.127
-rw-r--r-- 1 root root  237 Mar  8 14:54 db.255
-rw-r--r-- 1 root root  353 Mar  8 14:54 db.empty
-rw-r--r-- 1 root root  270 Mar  8 14:54 db.local
-rw-r--r-- 1 root root 3048 Mar  8 14:54 db.root
-rw-rw-r-- 1 bind bind  463 Mar  8 14:54 named.conf
-rw-rw-r-- 1 bind bind  490 Mar  8 14:54 named.conf.default-zones
-rw-rw-r-- 1 bind bind  724 Mar 16 14:20 named.conf.local
-rw-rw-r-- 1 bind bind 1113 Mar 16 14:26 named.conf.options
-rw-rw-r-- 1 bind bind 1112 Mar 16 06:03 named.conf.options.save
-rw-r----- 1 bind bind   77 Mar 15 21:21 rndc.key
drwxr-sr-x 2 bind bind 4096 Mar 16 05:07 zones
-rw-r--r-- 1 root root 1317 Mar  8 14:54 zones.rfc1918

Here is named.conf.options on machine 1:

acl "trusted" {
    localhost;
    172.31.0.0/20;
    localnets;
};

options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    forwarders {
        8.8.8.8;
    };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;

    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
    forward only;
    allow-query-cache { trusted; };
    allow-query { trusted; };
    allow-recursion { trusted; };
    recursion yes;
    allow-transfer { 172.31.31.48; 127.0.0.1; };
    //also-notify { trusted; };
};

Here is named.conf.local on machine 1:

zone "ns.insec" {
    type master;
    file "/etc/bind/zones/db.ns.insec";
    allow-transfer { 172.31.31.48; 127.0.0.1; };
    also-notify { 172.31.31.48; };
};

zone "22.31.172.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/db.172.31.22";
    allow-transfer { 172.31.31.48; };
    also-notify { 172.31.31.48; };
};

zone "not.insec" {
    type slave;
    file "db.not.insec";
    masters { 172.31.31.48; };
};

zone "11-20.22.31.172" {
    type slave;
    file "db.172.31.22.20-11";
    masters { 172.31.31.48; };
};

I would appreciate your effort. Thanks

bhordupur

1 Answer

This is the error from the logs on server #2:

Mar 16 14:55:22 ip-172-31-31-48 named[6131]: client **172.31.31.48**#49102 (not.insec): zone transfer 'not.insec/AXFR/IN' denied

This is how your zone is configured on server #2:

zone "not.insec" {
    type  master;
    file "/etc/bind/zones/db.not.insec";
    **allow-transfer { 172.31.22.11; 127.0.0.1; };**
    also-notify { 172.31.22.11; };
};

Read those two again very, very carefully. The hint is in bold.

Andrew B
  • The error is very tricky though. Yes, I checked that and tried to figure out the problem. Thought that it could be related to file permission `-rw-rw-r-- 1 bind bind 814 Mar 16 16:56 named.conf.local` but no. From machine 1 I have given the same permission where it works perfectly. But here I am a bit stuck. Do not know where the problem lies. According to your comment I investigated a few things on **not.insec** but am not able to find out the possible issue. – bhordupur Mar 16 '16 at 17:19
  • @AndrewB The error message is not about the same zone as you included the config for, is it? – Håkan Lindqvist Mar 16 '16 at 17:28
  • Is something misconfigured in `named.conf.options` in **machine2**? – bhordupur Mar 16 '16 at 17:45
  • Yes, I was being cryptic because I wanted you to have some practice at identifying these problems on your own. The `allow-transfer` statement specifies whether zone transfers will be allowed or not. The IP address being rejected (in bold) is not in that list. Your other zone (ns.insec) does not explicitly specify its own `allow-transfer` and will instead inherit the `allow-transfer` settings from the `options {};` block. – Andrew B Mar 16 '16 at 18:30
  • @Andrew Yeah, it fixes this issue. OK, I was wrong. My thinking was that Server2 [role primary] should transfer to server1. Therefore I did not add its own IP in `allow-transfer`, but now I realise that since I swapped it, it is both master and slave on the same machine. Thanks a lot – bhordupur Mar 16 '16 at 18:46
  • Please mark the question as answered so that it doesn't show up in searches for unanswered questions. Thanks! – Andrew B Mar 16 '16 at 19:22
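The inheritance rule Andrew B describes in the comments (a zone uses its own `allow-transfer` list if it has one, otherwise the list from `options {}`), applied to the machine 2 config and "denied" log lines posted above. This is an added example, not code from the question or the answer; it embeds trimmed copies of that config and log, only matches literal addresses and `any`, and does not expand named ACLs or prefixes.

```python
import re
# Added example, not from the original post: BIND takes a zone's allow-transfer from the
# zone block if present, otherwise from options{}; this checks each denied AXFR's client IP
# against that effective list. Inputs are trimmed copies of machine 2's config and log.
MACHINE2_CONF = """
options {
    forwarders { 8.8.8.8; };          // nested block: brace matching must skip it
    allow-transfer { 172.31.22.11; 127.0.0.1; };
};
zone "not.insec" { type master; allow-transfer { 172.31.22.11; 127.0.0.1; }; };
zone "ns.insec" { type slave; masters { 172.31.22.11; }; };   # no list: inherits options
"""
MACHINE2_LOG = """
Mar 16 14:54:47 ip-172-31-31-48 named[6131]: client 172.31.31.48#52792 (ns.insec): zone transfer 'ns.insec/AXFR/IN' denied
Mar 16 14:55:22 ip-172-31-31-48 named[6131]: client 172.31.31.48#49102 (not.insec): zone transfer 'not.insec/AXFR/IN' denied
"""
LOG_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+ \((?P<zone>[^)]+)\): zone transfer '[^']+' denied")

def blocks(conf):
    """Yield (name, body) for each top-level options{} / zone "x"{} block."""
    conf = re.sub(r"(//|#)[^\n]*|/\*.*?\*/", "", conf, flags=re.S)   # drop all three comment styles
    for m in re.finditer(r'\b(options|zone\s+"([^"]+)")\s*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):    # walk to the matching close brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield (m.group(2) or "options"), conf[m.end():i - 1]

def allow_transfer(body):
    """Address set from allow-transfer { ... }, or None when the statement is absent."""
    m = re.search(r"allow-transfer\s*\{([^}]*)\}", body)
    return None if m is None else {a.strip() for a in m.group(1).split(";") if a.strip()}

def effective_acls(conf):
    """Per-zone allow-transfer after inheritance (None = BIND's built-in default)."""
    parsed = dict(blocks(conf))
    default = allow_transfer(parsed.pop("options", ""))
    own = {zone: allow_transfer(body) for zone, body in parsed.items()}
    return {zone: default if acl is None else acl for zone, acl in own.items()}

def explain_denials(conf, log):
    """(zone, client ip, effective acl, permitted?) for each denied AXFR in the log.
    Simplification: only literal IPs and 'any' match; named ACLs and prefixes are not expanded."""
    acls, out = effective_acls(conf), []
    for m in LOG_RE.finditer(log):
        acl = acls.get(m["zone"])
        allowed = acl is not None and (m["ip"] in acl or "any" in acl)
        out.append((m["zone"], m["ip"], None if acl is None else sorted(acl), allowed))
    return out
```

Running `explain_denials(MACHINE2_CONF, MACHINE2_LOG)` reports both zones rejecting 172.31.31.48, with ns.insec checked against the list inherited from `options {}`; adding that address to both lists (as the asker did) makes both transfers permitted.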