Refused notify from non-master



  • I'm running several Bind DNS servers behind pfSense which are configured via ispConfig.

    In pfSense I do not have "DNS Forwarder" or "DNS Resolver" enabled.

    For every domain in the log file I have entries like this:

    client 192.168.1.2#59556: received notify for zone 'example.com'
    zone example.com/IN: refused notify from non-master: 192.168.1.2#59556

    The ip address 192.168.1.2 is the DMZ interface address.

    I do not understand why I'm receiving a "notify" for every zone from the DMZ interface and am hoping someone can give me some insight as to what is happening, or why.

    Thanks


  • LAYER 8 Global Moderator

    You mean you have the servers setup with this https://www.ispconfig.org/

    And you're using this to manage the bind running on them?

    So what you're saying is you don't have any idea how they are actually configured..  Do you have bind running on pfsense?  And you're trying to run these other binds as slaves to the zones you have set up on bind on pfsense?



  • @johnpoz:

    So what you're saying is you don't have any idea how they are actually configured..  Do you have bind running on pfsense?  And you're trying to run these other binds as slaves to the zones you have set up on bind on pfsense?

    Do me the favor of properly reading the question before putting your condescending hat on.

    I'm running 2 public bind servers (primary and slave) on the DMZ interface of pfSense.
    My DNS and DNSSEC function perfectly for all domains.

    The Bind log files on the slave are showing the above mentioned entries.

    Since there is nothing in the zone files or bind configuration that refers to pfSense's DMZ ip address, I'm stumped as to where this "notify" is being initiated.
    Thought maybe it has something to do with pfSense, which is why the question is being asked here.


  • LAYER 8 Global Moderator

    I did read your post with the shiny RED lettering even..

    I'm running several Bind DNS servers behind pfSense which are configured via ispConfig.

    Unless you're running bind on pfsense, it wouldn't send a notify anywhere.  So let's look at the error.. Clearly your slave thinks it got a notify from what you believe is the pfsense dmz interface IP… 2 is an uncommon choice for a router's interface.. 1 or 254 are more common.  But if this is the case - are you doing source natting?  Are you doing any sort of nat reflection?

    Even if the traffic came from outside pfsense into your dmz it shouldn't have the IP address of your dmz interface unless you were doing source natting.

    Sorry, but shiny red bolded lettering, and just posting that you configure your bind with ispconfig vs. actually configuring them yourself, doesn't scream that you know what is going on, now does it..

    Is that the exact error example.com - or are you trying to obfuscate one of your actual domains?  How about some details... Are you actually getting notifies from that master that work?

    "For every domain in the log file I have entries like this:"

    So then example.com is just an obfuscation of all your domains??  Not really sure, since there is no actual info to go off of, like the actual configuration of a zone file.  Any info on when you get those log entries.. Only when there is supposed to be a valid notify.. Every 5 minutes - some random time? etc. etc.. could go on and on with the information that is missing that would be useful in trying to help you.  Like maybe what version of bind you're running..

    If you are doing any sort of source natting on your inbound into your dmz network... Then yeah, I would expect to see this all the time from bots probing your dns that is open to the public, etc. This is a simple dns attack, where you send notify to slaves... So they will do a zone transfer against the master, etc.  So are you seeing a flood of these?  Are you seeing other IPs, and you just noticed the .2 one because that is your pfsense IP address?



  • Not resolved yet.

    Anyone else have any thoughts?
    Thanks


  • LAYER 8 Global Moderator

    Sure, they will be a huge amount of help with all the info given… :rolleyes: Good luck..


  • Galactic Empire

    @ITI:

    Do me the favor of properly reading the question before putting your condescending hat on.

    Do us all a favor and be nice to those who are trying to help you. This is also a warning.



  • @ivor:

    @ITI:

    Do me the favor of properly reading the question before putting your condescending hat on.

    Do us all a favor and be nice to those who are trying to help you. This is also a warning.

    You may be right and I shouldn't have taken offense to his comment:
    So what you're saying is you don't have any idea how they are actually configured.

    Hopefully he'll also be more thoughtful in his answers and ask questions in a more appropriate manner.


  • LAYER 8 Global Moderator

    You're using a gui to configure your bind… That sure suggests you don't actually know how it's configured.. That was my point...

    Are you actually going to post some info, answer my questions? You do understand that telling the slave that there are updates on the master it needs to go get is an attack vector, right... Your servers are open to the public..  You're not actually configuring bind.. You're running master/slave for domain(s) on the same network...  This just doesn't scream bind/dns guru to me, sorry..  But I can not help you without info..

    If you're not running any sort of NS on pfsense, how could it be sending you a notify from its IP..  Come on, think about that for a couple of seconds..

    Not my problem if you read into that some snide remark in that simple question.. Whatever - good luck...



  • This thread is dead and, as you can see, not very informative.

    I don't believe the issue is with pfSense anyway but thought I would ask to see if anyone had ever seen this odd behavior.

    Thanks for reading.


  • LAYER 8 Global Moderator

    Have seen that specific error all the time.. Normally it's a configuration problem with the slave not accepting the notify..  If you're seeing a lot of it, and you're not actually making changes on the master.. And the IPs are not really your master - then it could be some lame attack attempt..

    Without a clue about your actual configuration..  for all we know you set up your notify to send to your public IP to be nat reflected and you're source natting?

    Without anything to work with - its just all blind guessing.
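    A defender-side triage of the log lines from the first post, added here as an example that is not part of the thread: it parses BIND's "refused notify from non-master" entries (constructed sample lines below), groups them by source address, and separates the three cases the moderator raises: a configured primary being refused (secondary misconfiguration), the firewall's own interface address (possible source NAT hiding the real sender), and an unknown sender (unsolicited NOTIFY). The primary and gateway addresses passed in are assumed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of the thread's BIND log entries.
SAMPLE_LOG = """\
client 192.168.1.2#59556: received notify for zone 'example.com'
zone example.com/IN: refused notify from non-master: 192.168.1.2#59556
client 192.168.1.2#41002: received notify for zone 'example.net'
zone example.net/IN: refused notify from non-master: 192.168.1.2#41002
client 203.0.113.10#53: received notify for zone 'example.com'
zone example.com/IN: notify from 203.0.113.10#53: zone is up to date
"""

# Matches the zone, source IP and source port of a refused NOTIFY line.
REFUSED_RE = re.compile(
    r"zone (?P<zone>\S+)/IN: refused notify from non-master: "
    r"(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)"
)


def refused_notifies(log_text):
    """Return (source_ip, zone) pairs for every refused NOTIFY in the log."""
    events = []
    for line in log_text.splitlines():
        m = REFUSED_RE.search(line)
        if m:
            events.append((m.group("ip"), m.group("zone")))
    return events


def summarize(events, primaries, gateway_ips=()):
    """Group refused NOTIFYs by source IP and attach a triage verdict.

    primaries:   IPs the secondary is configured to accept NOTIFY from
                 (assumed placeholder values in the caller).
    gateway_ips: inside interface addresses of the firewall; a sender here
                 suggests source NAT rewrote the real origin, as the thread notes.
    """
    per_ip = defaultdict(set)
    for ip, zone in events:
        per_ip[ip].add(zone)
    report = {}
    for ip, zones in per_ip.items():
        if ip in primaries:
            verdict = "listed primary refused: check masters/allow-notify on the secondary"
        elif ip in gateway_ips:
            verdict = "firewall interface address: check for source NAT hiding the real sender"
        else:
            verdict = "unknown sender: unsolicited NOTIFY, log it and filter at the edge"
        report[ip] = {"zones": sorted(zones), "verdict": verdict}
    return report
```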

