Replication Failing

Hi All,
I have a troublesome problem I would appreciate some help with. All firewalls are off. I have two DNS Servers, both running NSD and unbound.

DNS1 with NSD.conf relevant settings
IP: 192.168.1.2
Unbound Port: 53
NSD Port: 54000

ip-address: 192.168.1.2
do-ip4: yes
port: 54000
hide-version: yes

pattern:
         name: "dns2"
         notify: 192.168.1.3@53000 NOKEY
         provide-xfr: 192.168.1.3@53000 NOKEY
         outgoing-interface: 192.168.1.2@54000

zone:
         name: "my_domain.net"
         zonefile: my_domain.net.zone
         include-pattern: "dns2"

DNS2 with nsd.conf relevant settings
IP: NSD 192.168.1.3
Unbound Port: 53
NSD Port: 53000

ip-address: 192.168.1.3
do-ip4: yes
port: 53000
hide-version: yes

pattern:
         name: "dns1"
         allow-notify: 192.168.1.2@54000 NOKEY
         request-xfr: 192.168.1.2@54000 NOKEY
         outgoing-interface: 192.168.1.3@5300

zone:
         name: "my_domain.net"
         zonefile: my_domain.net.zone
         include-pattern: "dns1"

When I run nsd-control transfer my_domain.net from the slave, I get:

nsd[58858]: error: xfrd: zone my_domain.net received error code REFUSED from 192.168.1.2@54000

Hi Peter,

This is a common misunderstanding with most people. They mistakenly assume that if a process is listening on port X, that it will also initiate outgoing connections from the same port X.

Even though your DNS2 NSD is _listening_ on port 53000, when it makes an _outgoing_ TCP connection to DNS1 NSD for XFR of "my_domain.net", it will use a random source port. However, you are _only_ allowing connections from DNS2's IP and a specific source port in the "provide-xfr" directive on DNS1's NSD. Just remove the @53000.

Regards,
Anand

DNS1 with NSD.conf relevant settings
IP: 192.168.1.2
Unbound Port: 53
NSD Port: 54000

ip-address: 192.168.1.2
do-ip4: yes
port: 54000
hide-version: yes

pattern:
         name: "dns2"
         notify: 192.168.1.3@53000 NOKEY
         provide-xfr: 192.168.1.3@53000 NOKEY
         outgoing-interface: 192.168.1.2@54000

zone:
         name: "my_domain.net"
         zonefile: my_domain.net.zone
         include-pattern: "dns2"

[snip]
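To make the mechanism behind the REFUSED concrete, here is a small model of how a port-qualified zone-transfer ACL is matched. It is an added illustration for this thread, not NSD's own code: it parses the pattern/zone blocks from a constructed copy of the DNS1 snippet above, resolves the effective provide-xfr entries for the zone, and then evaluates them against the secondary's source IP and source port, treating "address@port" as "this exact source port only" and a bare address as "any source port" (only single addresses are modelled, not the subnet and range forms nsd.conf also accepts). The outcome is the one Anand describes: the original ACL accepts only a connection that happens to come from port 53000, while the ACL with the port removed accepts the secondary's ephemeral source port and still refuses any other host.

```python
"""Model of provide-xfr ACL matching for an nsd.conf-style snippet.

Added example for this thread; it is not NSD's code. Only single IP
addresses are supported in ACL entries, and the config text is a
constructed copy of the DNS1 snippet posted in the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class XfrAcl:
    ip: str
    port: Optional[int]  # None means "any source port"
    key: str             # NOKEY, BLOCKED, or a TSIG key name


def parse_ip_spec(spec: str) -> XfrAcl:
    """Parse 'address[@port] KEY' as written in provide-xfr / request-xfr."""
    addr, _, key = spec.strip().partition(" ")
    ip, _, port = addr.partition("@")
    ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    return XfrAcl(ip=ip, port=int(port) if port else None, key=key.strip() or "NOKEY")


def acl_matches(acl: XfrAcl, src_ip: str, src_port: int) -> bool:
    """An ACL with an explicit @port matches only that exact source port."""
    if acl.key == "BLOCKED" or acl.ip != src_ip:
        return False
    return acl.port is None or acl.port == src_port


def provide_xfr_for_zone(conf: str, zone: str) -> list[XfrAcl]:
    """Collect the effective provide-xfr ACLs for `zone`, following include-pattern."""
    patterns: dict[str, list[XfrAcl]] = {}
    zones: dict[str, tuple[list[XfrAcl], list[str]]] = {}
    kind, name, acls, includes = None, None, [], []

    def flush() -> None:
        # Commit the block being parsed; closure reads the current bindings.
        if kind == "pattern" and name:
            patterns[name] = list(acls)
        elif kind == "zone" and name:
            zones[name] = (list(acls), list(includes))

    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if key in ("pattern", "zone") and not value:
            flush()
            kind, name, acls, includes = key, None, [], []
        elif kind is None:
            continue  # server-level options such as ip-address / port
        elif key == "name":
            name = value
        elif key == "provide-xfr":
            acls.append(parse_ip_spec(value))
        elif key == "include-pattern":
            includes.append(value)
    flush()

    own, used_patterns = zones.get(zone, ([], []))
    return own + [acl for p in used_patterns for acl in patterns.get(p, [])]


def xfr_decision(conf: str, zone: str, src_ip: str, src_port: int) -> str:
    """Return 'OK' if any effective ACL admits the peer, else 'REFUSED'."""
    acls = provide_xfr_for_zone(conf, zone)
    return "OK" if any(acl_matches(a, src_ip, src_port) for a in acls) else "REFUSED"


# Constructed copy of the DNS1 snippet from the thread.
DNS1_CONF = """
ip-address: 192.168.1.2
do-ip4: yes
port: 54000
hide-version: yes

pattern:
    name: "dns2"
    notify: 192.168.1.3@53000 NOKEY
    provide-xfr: 192.168.1.3@53000 NOKEY
    outgoing-interface: 192.168.1.2@54000

zone:
    name: "my_domain.net"
    zonefile: my_domain.net.zone
    include-pattern: "dns2"
"""

# The fix from the thread: drop the @53000 from provide-xfr.
DNS1_FIXED = DNS1_CONF.replace("provide-xfr: 192.168.1.3@53000 NOKEY",
                               "provide-xfr: 192.168.1.3 NOKEY")

if __name__ == "__main__":
    ephemeral = 41234  # constructed ephemeral source port on DNS2
    for label, conf in (("original", DNS1_CONF), ("fixed", DNS1_FIXED)):
        print(label, "from 192.168.1.3:%d ->" % ephemeral,
              xfr_decision(conf, "my_domain.net", "192.168.1.3", ephemeral))
```

On the real hosts the same check is `dig @192.168.1.2 -p 54000 my_domain.net AXFR` run from DNS2 (a REFUSED there means the ACL, not transport, is the problem), and `nsd-checkconf` on the edited nsd.conf before reloading. Keeping the NOKEY entry restricted to the secondary's address is what still keeps the zone from being transferable by arbitrary hosts once the port qualifier is gone.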

Fantastic. Appreciate the response. Works perfectly now. Thank you very much.