Named can't transfer slave

Seeker

Seeker

Code: 
transfer of 'in-addr.arpa/IN' from 192.5.5.241#53: failed to connect: timed out
transfer of 'arpa/IN' from 192.5.5.241#53: failed to connect: timed out

Cought in sockstat:
Code: 
bind     named      28675 25 tcp4   A.B.208.173:62150  192.5.5.241:53

Just for fun, when I deleted:
Code: 
/var/named/etc/namedb/slave/arpa.slave
/var/named/etc/namedb/slave/in-addr.arpa.slave
/var/named/etc/namedb/slave/root.slave

Other hosts conecting through ne can't resolve domain names :p

And those files can't be retrieved because upper main problem

Here is a PF's log:
Code: 
18:35:41.587818 IP starforce.biz.56055 > f.root-servers.net.domain: 20657 [1au] SOA? arpa. (33)
18:35:41.634533 IP starforce.biz.62200 > f.root-servers.net.domain: S 2395225049:2395225049(0) win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp[|tcp]>
18:36:08.126510 IP starforce.biz.57940 > f.root-servers.net.domain: 5594 [1au] SOA? . (28)
18:36:08.173358 IP starforce.biz.57596 > f.root-servers.net.domain: S 3446537803:3446537803(0) win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp[|tcp]>
18:37:02.558393 IP starforce.biz.64977 > f.root-servers.net.domain: 10337 [1au][|domain]
 
You will need to allow both tcp and udp access to port 53.
 
SirDice said:
You will need to allow both tcp and udp access to port 53.
Click to expand...

I already have pf rule for that:
Code: 
pass in log inet proto { tcp, udp } from any to ($ext_if) port 53
 
Add keep state to that line. It also has to be able to respond. Also make sure named is listening on that interface/ip address.
 
sockstat says it is listening on that interface/ip address, both tcp4 and udp4

pfctl -s rules:
pass in log inet proto tcp from any to ($ext_if) port = domain flags S/SA keep state
pass in log inet proto udp from any to ($ext_if) port = domain keep state
 
No need to use flags S/SA, scrub will take care of any weird combination anyway.

Just:
Code: 
pass in log inet proto {tcp,udp} from any to ($ext_if) port 53 keep state
 
'keep state' and 'flags S/SA' (tcp) are the default now in pf. If you don't add them they will still show up in [cmd=]pftcl -s rules[/cmd].
 
I wana be a slave for:
Code: 
zone "." {
        type slave;
        file "slave/root.slave";
        masters {
                192.5.5.241;    // F.ROOT-SERVERS.NET.
        };
        notify no;
};
zone "arpa" {
        type slave;
        file "slave/arpa.slave";
        masters {
                192.5.5.241;    // F.ROOT-SERVERS.NET.
        };
        notify no;
};
zone "in-addr.arpa" {
        type slave;
        file "slave/in-addr.arpa.slave";
        masters {
                192.5.5.241;    // F.ROOT-SERVERS.NET.
        };
        notify no;
}
 
SirDice said:
You can't slave the root servers.
Click to expand...

That crazy..., I am not :pP

Anyway, it did worked before.
Results were this files:
Code: 
/var/named/etc/namedb/slave/arpa.slave
/var/named/etc/namedb/slave/in-addr.arpa.slave
/var/named/etc/namedb/slave/root.slave

So PCs connecting through main PC wouldn't have to query root or other DNS server as it is cached there.

That is way, as soon as I deleted those files, they couldn't resolve domains

I needed to disable that feature in order to make them able to resolve domains again
 
Hah .. you are abusing root servers. Wait some time when dnssec enabled no one able to to do domain hijacking. If you are good user, set dns caching using djbdns, bind or pdns. This is wrong on many level.
 
LOL!
USRA -ABUSA

I use bind.

As I see it, after this is being done, root servers are being less pestered

I simply don't know why this has stopped working.

Now I've set it to:
Code: 
zone "." {type hint; file "named root"; };

But I would really like to slave those zones from root name servers
 
DutchDaemon said:
'keep state' and 'flags S/SA' (tcp) are the default now in pf. If you don't add them they will still show up in [cmd=]pftcl -s rules[/cmd].
Click to expand...

This is true for RELENG_7 and later.

For RELENG_6 and earlier, the PF version is equivalent to that of OpenBSD 3.7. Since "keep state" and "flags S/SA" were first set to default in OpenBSD 4.1, they still need to be added in /etc/pf.conf.
 
Seeker said:
As I see it, after this is being done, root servers are being less pestered
Click to expand...
Not actually. DNS caching is more effective for this. If that weren't the case, everyone would be slaving the root zones, and the root maintainers would be promoting it.
 
dennylin93 said:
This is true for RELENG_7 and later.

For RELENG_6 and earlier, the PF version is equivalent to that of OpenBSD 3.7. Since "keep state" and "flags S/SA" were first set to default in OpenBSD 4.1, they still need to be added in /etc/pf.conf.
Click to expand...

I'm not advocating leaving them out in any version ;) Even on 8-CUR I still put 'keep state' and 'flags S/SA' in my pf rules. They look incomplete without them, and I even get stuck reading rulesets when they're not there. It's like your mind catches a spelling error when reading something really fast, and you have to force your eyes to backtrack and find the error. Sick, innit.
 
Anyway..., to sumarize.
Looks like root servers are blocking me from slaving them.
And a fact is, that I used, to successfully do that before.
And after 3 days, stopped to work: failed to connect: timed out

There is no panacea? Right?
 
And after 3 days, stopped to work: failed to connect: timed out
Click to expand...
No root server never does that, otherwise it will be a disaster. . server will keep track of example.com and example.com will have autherative name servers which will also block your request. May be you were using caching server
 
Just set up a caching dns server and be done. There really is no benefit in slaving the root servers.
 
I'll just point a fact then, as I am new to DNS:
Code: 
zone "." {
        type slave;
        file "slave/root.slave";
        masters {
                192.5.5.241;    // F.ROOT-SERVERS.NET.
        };
        notify no;
};
zone "arpa" {
        type slave;
        file "slave/arpa.slave";
        masters {
                192.5.5.241;    // F.ROOT-SERVERS.NET.
        };
        notify no;
};
zone "in-addr.arpa" {
        type slave;
        file "slave/in-addr.arpa.slave";
        masters {
                192.5.5.241;    // F.ROOT-SERVERS.NET.
        };
        notify no;
}

resulted in this files:

Code: 
/var/named/etc/namedb/slave/arpa.slave
/var/named/etc/namedb/slave/in-addr.arpa.slave
/var/named/etc/namedb/slave/root.slave

After few days I was forced to replace above config with:
Code: 
zone "." {type hint; file "named root"; };
 
I know this thread is long dead, however adding this here to aid any Googlers stumbling onto this page, slaving on a busy name-server is an advantage in reduced load and faster query response. ICANN have a policy on this, and provide two servers you can slave from. Refer to their website:

http://dns.icann.org/services/axfr/

I don't think you will see any measurable difference between slaving on a server that does relatively few queries, and in this case simply caching is probaly going to make for a simpler config file.
 
You must log in or register to reply here.
Back
Top