Question Configuration of slave DNS

[Tecnico Absol]

Hi,
I just installed BIND on another server and I'm trying to configurate a slave DNS.

Here's the steps I followed:

1. installed BIND on the secondary server
2. installed Slave DNS manager on Plesk
   
3. configurated named.conf on the secondary server as follows
   

   options {
       directory "C:\named\etc";
       allow-new-zones yes;
   };
   
       key "rndc-key-IP_MASTER_DNS" {
         algorithm hmac-md5;
         secret "SECRETKEY";
       };
     
       controls {
           inet * port 953 allow {IP_MASTER_DNS; 127.0.0.1; } keys { "rndc-key-IP_MASTER_DNS"; };
       };

   
   
4. opened the 953 port on the secondary server
5. configured Slave DNS manager on Plesk

Now, on plesk I get the green dot near the IP of the Slave DNS so it should mean everything is fine. Except I can't find the zones files on the slave DNS and if I stop the master DNS my domains won't resolve.

What am I missing here?
Thanks a lot.

 

[AYamshanov]

Hi Tecnico Absol,

As I see, your slave DNS is installed on Windows. I never configured the slave DNS on Windows but ...

- I think you need to enable logging and check logfiles as a minimum.
- Do you use Plesk on Windows? Did you add slave DNS as NS-record into a domain zone? (Restricting DNS Zones Transfer)

Please keep us posted, it is an interesting experience.

 

[Tecnico Absol]

First of all, thanks for you answer!

Logging of Bind is enabled, but says nothing about errors (there was an error message but before the named.conf configuration so now everything should be fine).
I use Plesk on Windows and both the Plesk and the Slave machine are with Windows Server.

I just configured the IP as your link mentions but I still can't find the zones on my Slave DNS.

NOTE: it seems Plesk is creating a .nzf file on the Slave DNS with all the edit I made to the master DNS, but that's it: no zone files are created.

 

[AYamshanov]

What version of Plesk do you use? And what version of Slave DNS Manager?

Could you run rndc with parameters on the primary server in command line? And post last lines from logs on slave DNS.

Something like:

C:\path\to\rndc -c "C:\Program Files (x86)\Plesk\var\modules\slave-dns-manager\slave_IP_SLAVE_DNS.conf" -b IP_MASTER_DNS -s IP_SLAVE_DNS -p 953 -y rndc-key addzone example.com "{ type slave; file \"example.com\"; masters { IP_MASTER_DNS; }; };"​

I haven't a Windows with BIND to check this for errors/typos/mistakes/etc.

 

[Tecnico Absol]

Should I do that for every domain or just for one?

 

[AYamshanov]

No, this is not solution or workaround. I hope this helps diagnose the issue (let's see an output of the command and logfiles). One of a domain will be enough.

 

[Tecnico Absol]

Ok, just tried this command:

C:\Program Files (x86)\Parallels\Plesk\dns\bin> rndc -c "%plesk_dir%\var\modules
\slave-dns-manager\slave_SLAVEIP.conf" -b MASTERIP -s SLAVEIP -
p 953 -y rndc-key addzone domain.it "{ type slave; file \"domain.it\"; masters { MASTERIP; }; };"

No error whatsoever, but still no zone file created on the slave DNS.

 

[AYamshanov]

Could you show log-section in BIND configs at slave DNS? And could you increase a verbosity level? Otherwise, we have no any information for analysis.

See example at bottom of DNS BIND9 logging Clause (and "severity debug;")

 

[AYamshanov]

And one more little question: Are you servers work behind NAT or not?

 

[Tecnico Absol]

Ok, I get these kind of errors:

08-giu-2017 15:48:37.656 xfer-in: info: transfer of 'domain.com/IN' from master_dns#53: connected using other_ip_of__machine_with_slave_dns#57321
08-giu-2017 15:48:37.656 xfer-in: error: transfer of 'domain.com/IN' from master_dns#53: failed while receiving responses: REFUSED
08-giu-2017 15:48:37.656 xfer-in: info: transfer of 'domain.com/IN' from master_dns#53: Transfer status: REFUSED
08-giu-2017 15:48:37.656 xfer-in: info: transfer of 'domain.com/IN' from master_dns#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.001 secs (0 bytes/sec)

08-giu-2017 15:54:45.730 xfer-in: info: zone domain.it/IN: zone transfer deferred due to quota

08-giu-2017 15:54:45.730 general: info: zone domain.net/IN: Transfer started.
08-giu-2017 15:54:45.730 xfer-in: error: transfer of 'domain.net/IN' from master_dns#53: failed while receiving responses: REFUSED

Also: no, I'm not behind a NAT.

 

[AYamshanov]

Could you allow on master transfer to 'other_ip_of_machine_with_slave_dns' (Restricting DNS Zones Transfer)? Or maybe need use "other_ip_of_machine_with_slave_dns" in settings of Slave DNS Manager. The decision should based on your network topology.

 

[Tecnico Absol]

Could you allow on master transfer to 'other_ip_of_machine_with_slave_dns' (Restricting DNS Zones Transfer)? Or maybe need use "other_ip_of_machine_with_slave_dns" in settings of Slave DNS Manager. The decision should based on your network topology.

I added both slave_ip and 'other_ip_of_machine_with_slave_dns to the allowed IP on Plesk, but still no luck.

 

[AYamshanov]

Do you still see the same error or something new?

 

[Tecnico Absol]

From the log something seems to be changed (still need to investigate further), but I can't see the zone files on the slave DNS.

Do you know where they should be stored? Because there's nothing in my C:\named\etc folder except for named.conf, named.pid, session.key and $numbers.nzf

 

[AYamshanov]

heh...

"$numbers.nzf" - this file should consist information about the dynamically created zone. Directive "file" in "$numbers.nzf" point to where to save file with the zone. This should be inside directory pointed directive "directory" in "named.conf". If you have "$numbers.nzf", rndc work perfectly.

Next step is resolving the issue with connectivity between slave DNS and primary DNS. Why primary DNS is refused connection from slave DNS.

 

[Tecnico Absol]

Yeah, I see that the files contains all the edit I did to my master DNS since I configurated the slave DNS.

The problem is that I can't find on the slave DNS all the zone files (in the master DNS those are stored in C:\Program Files (x86)\Parallels\Plesk\dns\var).

 

[AYamshanov]

I think new files should save in "C:\named\etc" too, but they will be saved only after success connection between DNSes.

 

[Tecnico Absol]

Ok I restarted and enabled the errors log again.

Here's the only error I get:

09-giu-2017 10:06:36.954 xfer-in: error: transfer of 'domain.it/IN' from master_dns#53: failed while receiving responses: REFUSED

Could this be a Firewall problem? Shall I check something else except the port 953 on the slave DNS?

 

[AYamshanov]

953/tcp port is used for the command from "Slave DNS Manager" on master DNS to slave DNS. This connectivity is good.

- After the command is received, slave DNS connects to 53/tcp of master DNS and retrieve zone file. This is the issue now. Yes, it maybe a firewall problem.
- BIND on master DNS have ACL, this ACL is restricting access to transfer of zones. Check additionally named.conf on master DNS; ACL should allow transfer to slave DNS.

 

[Tecnico Absol]

On the master DNS I have the inbound port 53 open (both TCP and UDP).

On the slave DNS I have the inbound and outgoing port 53 open (both TCP and UDP).

I'm starting to think that the problem could be the other_ip_of_slave_DNS: it's not listed on the named.conf in the master DNS:

    allow-transfer {
        common-allow-transfer;
        slave_ip;
        master_ip;
        };