[Problem] DNS Master/Slave Zone Transfer

weelow
Posts: 1
Joined: 2017/03/18 08:50:56

Post by weelow » 2017/03/18 09:05:26

I am using CentOS 7 on all 3 servers. The main server hosts the accounts and has Plesk and the DNS Slave Manager extension.

Plesk-WordPress-Host: 10.0.0.1 (Master)
  -> NS1: 10.0.0.201 (Slave)
  -> NS2: 10.0.0.202 (Slave)

- Basically, when WordPress is provisioned on the master server, DNS records are created from a template with:
NS1.ourdns.com
NS2.ourdns.com
Plesk001.ourdns.com

- On the master server Plesk automatically generated the zone files and records and the named.conf file.
- The DNS Slave Manager sends transfers to the slave servers, and in the slave server logs we get "transfer failed due to NXDOMAIN".
- We ensured ports 53 and 953 are open using telnet (TCP and UDP).
- We disabled the SELinux feature that blocks transfers and in the end ended up completely shutting it down and disabling it on the master and slave servers.

Master Server named.conf


options {
	listen-on port 53 { any; };
	allow-recursion { localnets; };
	directory "/var";
	pid-file "/var/run/named/named.pid";
	auth-nxdomain yes;
	allow-query { any; };
};

key "rndc-key" {
	algorithm hmac-md5;
	secret "BeMvB2390oWE20kKv9x50M==";
};

controls {
	inet 127.0.0.1 port 953
		allow { 127.0.0.1; } keys { "rndc-key"; };
};

// An acl has to be defined before any zone statement that references it;
// with the acl placed after the zone, named-checkconf reports
// "undefined ACL 'common-allow-transfer'" and named will not load the file.
acl common-allow-transfer {
	10.0.0.201;
	10.0.0.202;
};

zone "." {
	type hint;
	file "named.root";
};

zone "0.0.127.IN-ADDR.ARPA" {
	type master;
	file "localhost.rev";
};

zone "clientwebsite.com" {
	type master;
	file "clientwebsite.com";
	// address-only transfer restriction; the slaves are matched by the acl above
	allow-transfer {
		10.0.0.1;
		10.0.0.200;
		10.0.0.201;
		common-allow-transfer;
	};
};
Slave Server NS1 named.conf

options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
allow-recursion { localnets; };
allow-new-zones yes;

recursion no;

dnssec-enable yes;
dnssec-validation yes;

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";

managed-keys-directory "/var/named/dynamic";

pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};

controls {
inet * port 953 allow { 10.0.0.1; localnets; localhost; } keys { "rndc-key"; };
};

logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};

zone "." IN {
type hint;
file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/rndc.key";
Settings on the registrar:
On our registrar, we registered 2 DNS server hosts:

NS1: 10.0.0.201 (Slave) / 55.130.130.201 / NS1.ourdns.com
NS2: 10.0.0.202 (Slave) / 55.130.130.202 / NS2.ourdns.com

On the client's registrar we set his name servers to point to our slaves:
NS1.ourdns.com
NS2.ourdns.com

This way, when records are created on the master server, they will be forwarded to the 2 slave servers, which are authoritative for the domain and manage DNS for it because they are set at the registrar of the domain example.com.

Troubleshooting and diagnostics:
On the slave server:


sudo -s
rndc querylog
tail -F /var/log/messages
On the master server (Plesk):
We create domain name example.com

On the registrar dns settings for example.com:
NS1.ourdns.com
NS2.ourdns.com

On the slave server:
These two files were created automatically:

-rwxrwxrwx. 1 root  named  259 Mar 16 22:38 3bf305731dd26307.nzf
-rwxrwxrwx. 1 root  named    0 Mar 15 22:00 db-DMbIKztb
vim 3bf305731dd26307.nzf


zone "example.com" { type slave; file "example.com"; masters { 55.130.130.1; }; };
vim db-DMbIKztbf

(blank; this file was empty.)

The zone file example.com with all the records was not created.

On the slave server:


systemctl restart named-chroot
tail -F /var/log/messages


Mar 18 08:26:10 ns1 named[11809]: zone example.com/IN: Transfer started.
Mar 18 08:26:10 ns1 named[11809]: transfer of 'example.com/IN' from 55.130.130.1#53: connected using 10.0.0.201#48771
Mar 18 08:26:10 ns1 named[11809]: transfer of 'example.com/IN' from 55.130.130.1#53: failed while receiving responses: NXDOMAIN
Mar 18 08:26:10 ns1 named[11809]: transfer of 'example.com/IN' from 55.130.130.1#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.120 secs (0 bytes/sec)
On the master server:


dig @ns1.ourdns.com any example.com

Response:

; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.2 <<>> @ns1.ourdns.com any example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49678
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.com. IN ANY

;; Query time: 3 msec
;; SERVER: 55.130.130.201#53(55.130.130.201)
;; WHEN: Sat Mar 18 10:35:58 EET 2017
;; MSG SIZE rcvd: 39
In the slave log file:

Mar 18 08:35:58 ns100 named[11809]: client 55.130.130.1#57827 (example.com): query: example.com IN ANY +E (10.0.0.201)
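As an added example (not code from the thread or from Plesk), the following Python parses the transfer lines ns1 logged above and turns each attempt into the next check to run. The embedded log text is a constructed copy of the four lines from the post plus three made-up lines for a second zone that gets REFUSED, so the access-control case is shown as well; the hint wording and the `dig +norecurse ... SOA` check are this example's suggestions, not something the thread states.

```python
import re

# Constructed sample: the four lines ns1 logged in the thread (zone example.com)
# plus three made-up lines for 'other.example' whose master answers REFUSED.
SAMPLE_LOG = """\
Mar 18 08:26:10 ns1 named[11809]: zone example.com/IN: Transfer started.
Mar 18 08:26:10 ns1 named[11809]: transfer of 'example.com/IN' from 55.130.130.1#53: connected using 10.0.0.201#48771
Mar 18 08:26:10 ns1 named[11809]: transfer of 'example.com/IN' from 55.130.130.1#53: failed while receiving responses: NXDOMAIN
Mar 18 08:26:10 ns1 named[11809]: transfer of 'example.com/IN' from 55.130.130.1#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.120 secs (0 bytes/sec)
Mar 18 08:30:00 ns1 named[11809]: transfer of 'other.example/IN' from 10.0.0.1#53: connected using 10.0.0.201#48790
Mar 18 08:30:00 ns1 named[11809]: transfer of 'other.example/IN' from 10.0.0.1#53: failed while receiving responses: REFUSED
Mar 18 08:30:00 ns1 named[11809]: transfer of 'other.example/IN' from 10.0.0.1#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.010 secs (0 bytes/sec)
"""

# One "transfer of 'zone/class' from master#port: message" line of named's log.
XFER_RE = re.compile(
    r"named\[\d+\]: transfer of '(?P<zone>[^/']+)/(?P<cls>\w+)' "
    r"from (?P<master>[^#\s]+)#(?P<mport>\d+): (?P<msg>.*)$"
)
COMPLETED_RE = re.compile(r"Transfer completed: (\d+) messages, (\d+) records, (\d+) bytes")


def parse_transfers(log_text):
    """Group named's transfer lines by (zone, master) and extract the outcome."""
    transfers = {}
    for line in log_text.splitlines():
        m = XFER_RE.search(line)
        if not m:
            continue  # not a transfer line (e.g. "Transfer started.")
        entry = transfers.setdefault(
            (m['zone'], m['master']),
            {'local': None, 'rcode': None, 'records': None, 'bytes': None},
        )
        msg = m['msg']
        if msg.startswith('connected using '):
            entry['local'] = msg[len('connected using '):]      # slave's source address#port
        elif msg.startswith('failed while receiving responses: '):
            entry['rcode'] = msg.rsplit(': ', 1)[1]             # rcode the master answered with
        else:
            c = COMPLETED_RE.match(msg)
            if c:
                entry['records'] = int(c.group(2))
                entry['bytes'] = int(c.group(3))
    return transfers


def diagnose(zone, master, entry):
    """Turn one parsed transfer into the next check a practitioner would run."""
    if entry['rcode'] is None and entry['records']:
        return f"{zone}: transfer from {master} succeeded ({entry['records']} records)"
    if entry['rcode'] == 'REFUSED':
        # REFUSED on AXFR is the master's allow-transfer (or TSIG) rejecting the slave.
        return (f"{zone}: {master} refused the AXFR; check allow-transfer (and the TSIG key, "
                f"if any) on the master for the slave's source address {entry['local']}")
    if entry['rcode']:
        # Any other rcode: the master answered something other than the zone contents,
        # so confirm it actually serves the zone authoritatively before touching the slave.
        return (f"{zone}: {master} answered {entry['rcode']} instead of sending the zone; "
                f"check that it is authoritative: dig +norecurse @{master} {zone} SOA "
                f"(expect the aa flag and a serial)")
    return f"{zone}: transfer from {master} returned no records; the slave's zone file stays empty"


if __name__ == '__main__':
    for (zone, master), entry in parse_transfers(SAMPLE_LOG).items():
        print(diagnose(zone, master, entry))
```

Run it against `tail -F /var/log/messages` output instead of the constructed sample; the "0 records, 0 bytes" in the completed line is why the zone file on the slave was never populated, whatever the rcode.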

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: [Problem] DNS Master/Slave Zone Transfer

Post by TrevorH » 2017/03/18 11:16:03

> - We disabled the SELinux feature that blocks transfers and in the end ended up completely shutting it down and disabling it on the master and slave servers.

Don't do that. It's not necessary and opens you up to security vulnerabilities. If you must, then set it to permissive mode; it will then log everything that would have been denied and let it happen anyway. That way you get enough diagnostic information in /var/log/audit/audit.log to solve the problems using our wiki article - http://wiki.centos.org/HowTos/SELinux

> key "rndc-key" {
> algorithm hmac-md5;
> secret "BeMvB2390oWE20kKv9x50M==";
> };

If that's your real key then it's time to change it.

> - We ensured ports 53 and 953 are open using telnet (TCP and UDP).

953 should only be open to localhost, not externally.

Post the output from iptables-save
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

mghe
Posts: 766
Joined: 2015/11/24 12:04:43
Location: Katowice, Poland

Re: [Problem] DNS Master/Slave Zone Transfer

Post by mghe » 2017/03/18 12:24:16

Add the zone settings to the slave's named config and indicate the master server.

To be more secure, use TSIG-secured master-slave communications.

BTW: if you use Plesk, you should ask in the Plesk forum.
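As an added example, not code from the thread, from Plesk or from BIND, here is a small Python linter for the three points the two replies raise: TrevorH's hmac-md5 rndc key that should be changed and the rndc control port that should only listen on localhost, and mghe's point that transfers should be TSIG-secured rather than restricted by address alone. It also emits the master and slave stanzas for a TSIG-authenticated transfer, in the shape tsig-keygen's output is normally used. The embedded excerpts are copied from the two named.conf files posted above; the key name `xfer-key` and the zone `example.com` in the generated stanzas are placeholders.

```python
import base64
import os
import re

# Excerpts copied from the two named.conf files posted in the thread. The secret
# is the one the poster published, so it is treated as burned, not as a real key.
MASTER_CONF = '''
key "rndc-key" {
    algorithm hmac-md5;
    secret "BeMvB2390oWE20kKv9x50M==";
};
controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};
zone "clientwebsite.com" {
    type master;
    file "clientwebsite.com";
    allow-transfer { 10.0.0.1; 10.0.0.200; 10.0.0.201; common-allow-transfer; };
};
'''
SLAVE_CONF = '''
controls {
    inet * port 953 allow { 10.0.0.1; localnets; localhost; } keys { "rndc-key"; };
};
'''

KEY_RE = re.compile(r'key\s+"([^"]+)"\s*\{([^}]*)\}')
CONTROLS_RE = re.compile(r'controls\s*\{\s*inet\s+(\S+)\s+port\s+(\d+)')
# zone body with one level of nested braces (enough for allow-transfer { ... };)
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{((?:[^{}]|\{[^{}]*\})*)\}')


def lint_named_conf(text):
    """Return findings for the weaknesses discussed in the thread's replies."""
    findings = []
    for name, body in KEY_RE.findall(text):
        alg = re.search(r'algorithm\s+([\w-]+)', body)
        if alg and alg.group(1).lower() in ('hmac-md5', 'hmac-sha1'):
            findings.append(f'key "{name}": algorithm {alg.group(1)} is weak; regenerate with hmac-sha256')
    for addr, port in CONTROLS_RE.findall(text):
        if addr not in ('127.0.0.1', '::1', 'localhost'):
            findings.append(f'controls: rndc port {port} listens on {addr}; bind it to 127.0.0.1 only')
    for zone, body in ZONE_RE.findall(text):
        xfer = re.search(r'allow-transfer\s*\{([^}]*)\}', body)
        if xfer and not re.search(r'\bkey\s+"?[\w.-]+"?\s*;', xfer.group(1)):
            findings.append(f'zone "{zone}": allow-transfer is address-only; require a TSIG key')
    return findings


def make_tsig_secret(nbytes=32):
    """Random secret in the form tsig-keygen prints: base64 of raw random bytes."""
    return base64.b64encode(os.urandom(nbytes)).decode()


def tsig_stanzas(key_name, secret, zone, master_ip):
    """named.conf fragments for a TSIG-authenticated master/slave pair.

    The same key stanza goes on both sides; the master then accepts transfers
    only from requests signed with it, whatever address they come from.
    """
    key = (f'key "{key_name}" {{\n    algorithm hmac-sha256;\n'
           f'    secret "{secret}";\n}};\n')
    master = key + (f'zone "{zone}" {{\n    type master;\n    file "{zone}";\n'
                    f'    allow-transfer {{ key "{key_name}"; }};\n}};\n')
    slave = key + (f'zone "{zone}" {{\n    type slave;\n    file "{zone}";\n'
                   f'    masters {{ {master_ip} key "{key_name}"; }};\n}};\n')
    return master, slave


if __name__ == '__main__':
    for label, conf in (('master', MASTER_CONF), ('slave NS1', SLAVE_CONF)):
        for finding in lint_named_conf(conf):
            print(f'{label}: {finding}')
    m, s = tsig_stanzas('xfer-key', make_tsig_secret(), 'example.com', '55.130.130.1')
    print(m)
    print(s)
```

Keep the key stanza out of world-readable files (an `include` of a root-owned, group `named`, mode 0640 file is the usual arrangement) and run `named-checkconf` on both servers after editing; the linter is deliberately narrow and does not replace it.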
