HA Config BIND DNS sync setup problem



  • Hi everyone!

    I have made an HA cfg with 1 public IP, and everything's looking good; only the additional BIND DNS I didn't know how to sync.
    In the doc I didn't find anything useful.

    Sometimes I get a random error:
    A communications error occurred while attempting to call XMLRPC method host_firmware_version:

    But this is for the DNS resolve I guess, from the logs.

    Could someone help with the sync of the BIND DNS?
    Now I set up the option to sync the cfg to the system backup server but nothing has been synced.

    Thanks for the help!

    bolvar



  • @bolvar

    Nobody has a BIND DNS sync setup to help? :/



  • I have the same problem...

    Anybody?

    -APK



  • @andrewK

    I have solved the problem...

    You need to set up a few things.
    First in the BIND DNS under views you need to set up your HA port at match-clients,
    and in the custom views you have to allow the IP of the second node.
    After that in the zone you need to allow transfer for the HA port too.
    And in the sync you need to select to sync to the backup server.

    And now it is working for me.

    bolvar



  • @bolvar

    But it has not fully solved the problem.
    I have made a factory reset on my secondary node, the BIND config sync works, but when I make a change on the HA and check with the mxtoolbox DNS check, it fails for my DNS server. I saw in the logs that the query comes in and the answer goes out but it says that my DNS is not responding.

    Anybody has a solution for this?

    bolvar


  • LAYER 8

    Nothing in the BIND log?



  • @kiokoman

    Today I will do a swap again from the primary server and look around, but I think yesterday there was nothing special in the logs.

    bolvar



  • @kiokoman

    Sadly nothing in the logs. I saw in the firewall logs that I get a DNS query from outside but it gets an answer.


  • LAYER 8

    I usually use dig to test my bind9, I don't have HA though.
    Try with https://www.digwebinterface.com/
    Put your host and your NS IP (specify myself:)
    and see if it's answering or not,
    something like this:
    (screenshot attached: Immagine.jpg)



  • @kiokoman

    Thanks but I cannot see how this can help me :D
    An mxtoolbox is the same, and the problem is when I change to the secondary node, my DNS is not responding, so I can't test with this tool. Only my backup name server is running.



    Here is the log:

    (screenshot attached: Bind_DNS.jpg)

    When I test from mxtoolbox I get a pass, but on the web page it says unreachable.

    Nobody has any idea what I am doing wrong? :/



    No expert on this problem?
    The question is that I'm thinking that now I have the HA cfg with one master server, and in another site I have a slave cfg-ed.
    In this case in the HA cfg do I need to set up my backup node's BIND DNS to master?



    I think I found the problem.

    In slave state the zone file didn't get generated.
    If I set the state on my secondary node to master, the zone file gets generated, and the mxtoolbox query works.

    Can someone give advice about this?


  • LAYER 8

    You should check the allow-transfer / allow-notify / allow-update statements; make a screenshot of your configuration if you can, just hide sensitive information. Hard to tell without more info.



  • @kiokoman

    Under BIND DNS advanced features, custom options, I have allow-notify and allow-update; do I need the allow-transfer here too?


  • LAYER 8

    IDK, I don't have BIND installed on pfSense; I have a dedicated server for bind9, and to transfer from my master to the slave I have it configured like this:

    server 172.17.0.100 {
            keys {
                    rndc-key;
            };
    };
    
    server  2001:470:b682:ffff:ffff:ffff:ffff:fffe {
            keys {
                    rndc-key;
            };
    };
    ..................
    
    zone "kiokoman.eu.org" {
            type master;
            allow-transfer {151.3.106.211; 2001:470:b4e1:ffff:ffff:ffff:ffff:fffe; 192.168.10.202; 2001:470:26:5dc:ffff:ffff:ffff:fffd;};
            also-notify {151.3.106.211; 2001:470:b4e1:ffff:ffff:ffff:ffff:fffe; 192.168.10.202; 2001:470:26:5dc:ffff:ffff:ffff:fffd;};
            file "/etc/bind/external/pri.kiokoman.eu.org.signed";
            auto-dnssec maintain;
            update-policy local;
            };
    
    

    on one of the slave:

    server 172.17.0.100 {
            keys {
                    rndc-key;
            };
    };
    
    server  2001:470:b682:ffff:ffff:ffff:ffff:fffe {
            keys {
                    rndc-key;
            };
    };
    ...............................
    zone "kiokoman.eu.org" {
            type slave;
            masters {172.17.0.100; 2001:470:b682:ffff:ffff:ffff:ffff:fffe;};
            file "/etc/bind/external/pri.kiokoman.eu.org.signed";
            };
    
    

    Under xfer-out.log and xfer-in.log (channel xfer-in_file / channel xfer-out_file):

    3c81316a0 192.168.10.202#56101/key rndc-key (kiokoman.home): view trusted: transfer of 'kiokoman.home/IN': IXFR ended
    23-Jan-2020 20:13:25.430 client @0x7f53d0141340 192.168.10.202#43941/key rndc-key (2.168.192.IN-ADDR.ARPA): view trusted: transfer of '2.168.192.IN-ADDR.ARPA/IN': IXFR started: TSIG rndc-key (serial 2018046843 -> 2018046844)
    23-Jan-2020 20:13:25.430 client @0x7f53d0141340 192.168.10.202#43941/key rndc-key (2.168.192.IN-ADDR.ARPA): view trusted: transfer of '2.168.192.IN-ADDR.ARPA/IN': IXFR ended
    23-Jan-2020 20:56:05.485 client @0x7f53c81221e0 192.168.10.202#48387/key rndc-key (kiokoman.home): view trusted: transfer of 'kiokoman.home/IN': IXFR started: TSIG rndc-key (serial 2019092987 -> 2019092989)
    23-Jan-2020 20:56:05.485 client @0x7f53c81221e0 192.168.10.202#48387/key rndc-key (kiokoman.home): view trusted: transfer of 'kiokoman.home/IN': IXFR ended
    

    If something goes wrong you should check / raise the verbosity of that log.
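When the secondary never gets a zone file, the xfer-out log on the master is where the answer usually is: either no transfer for that zone was ever started, or one started and never ended. The script below is an added example (not kiokoman's configuration or any pfSense package code) that parses lines in the layout quoted above, pairs each "started" with its "ended", reports the highest serial shipped per zone, and flags transfers that were unauthenticated (no TSIG key on the client), went to a peer outside an allow-list, never completed, or are missing for a zone you expect the secondary to hold. The zone names, addresses and serials in the sample are constructed; the allow-list of peers is an assumption you replace with your own secondary's address.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of BIND's xfer-out channel (same layout as the
# lines quoted above; the zones, addresses and serials here are made up).
SAMPLE_XFER_OUT_LOG = """\
23-Jan-2020 20:13:25.430 client @0x7f53d0141340 192.168.10.202#43941/key rndc-key (example.test): view trusted: transfer of 'example.test/IN': IXFR started: TSIG rndc-key (serial 2020012301 -> 2020012302)
23-Jan-2020 20:13:25.430 client @0x7f53d0141340 192.168.10.202#43941/key rndc-key (example.test): view trusted: transfer of 'example.test/IN': IXFR ended
23-Jan-2020 20:56:05.485 client @0x7f53c81221e0 192.168.10.202#48387/key rndc-key (example.test): view trusted: transfer of 'example.test/IN': AXFR started (serial 2020012303)
23-Jan-2020 20:56:05.485 client @0x7f53c81221e0 192.168.10.202#48387/key rndc-key (example.test): view trusted: transfer of 'example.test/IN': AXFR ended
23-Jan-2020 21:02:11.001 client @0x7f53c8130000 203.0.113.9#51000 (example.test): view trusted: transfer of 'example.test/IN': AXFR started (serial 2020012303)
23-Jan-2020 21:02:11.002 client @0x7f53c8130000 203.0.113.9#51000 (example.test): view trusted: transfer of 'example.test/IN': AXFR ended
23-Jan-2020 21:10:00.000 client @0x7f53c8140000 192.168.10.202#52000/key rndc-key (other.test): view trusted: transfer of 'other.test/IN': AXFR started (serial 5)
"""

# One xfer-out line: timestamp, client address/port, optional TSIG key name,
# optional view, zone, AXFR/IXFR, started/ended, optional serial information.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)(?:/key (?P<key>\S+))? "
    r"\((?P<qname>[^)]+)\): (?:view (?P<view>\S+): )?"
    r"transfer of '(?P<zone>[^/']+)/IN': (?P<kind>AXFR|IXFR) (?P<event>started|ended)"
    r"(?:: TSIG (?P<tsig>\S+))?(?: \(serial (?P<serial>[^)]*)\))?"
)


def parse_xfer_log(text):
    """Parse xfer-out lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in (LINE_RE.match(l.strip()) for l in text.splitlines()) if m]


def last_serial(serial_field):
    """'2020012301 -> 2020012302' -> 2020012302; '5' -> 5; missing -> None."""
    nums = re.findall(r"\d+", serial_field or "")
    return int(nums[-1]) if nums else None


def audit_transfers(text, expected_zones=(), allowed_peers=()):
    """Pair started/ended events per (peer, port, zone).
    Returns (completed transfers per zone, list of human-readable findings)."""
    in_flight = {}                      # (ip, port, zone) -> 'started' record
    completed = defaultdict(list)
    findings = []
    for r in parse_xfer_log(text):
        key = (r["ip"], r["port"], r["zone"])
        if r["event"] == "started":
            in_flight[key] = r
            if r["key"] is None:        # no TSIG: transfer relied on IP ACL alone
                findings.append(f"unauthenticated {r['kind']} of {r['zone']} to {r['ip']} at {r['ts']}")
            if allowed_peers and r["ip"] not in allowed_peers:
                findings.append(f"{r['kind']} of {r['zone']} to unexpected peer {r['ip']} at {r['ts']}")
        else:
            start = in_flight.pop(key, None)
            if start is None:
                findings.append(f"'ended' without 'started' for {r['zone']} from {r['ip']} at {r['ts']}")
            else:
                completed[r["zone"]].append({
                    "peer": r["ip"], "kind": start["kind"], "key": start["key"],
                    "serial": last_serial(start["serial"]), "ts": r["ts"],
                })
    for r in in_flight.values():        # started but the log never shows the end
        findings.append(f"{r['kind']} of {r['zone']} to {r['ip']} started at {r['ts']} but never ended")
    for zone in expected_zones:         # the thread's symptom: no zone file on the slave
        if zone not in completed:
            findings.append(f"no completed transfer of {zone}: the secondary has nothing to write to its zone file")
    return dict(completed), findings


def latest_serials(completed):
    """Highest serial the master has shipped, per zone."""
    return {z: max((t["serial"] for t in xfers if t["serial"] is not None), default=None)
            for z, xfers in completed.items()}


if __name__ == "__main__":
    done, problems = audit_transfers(SAMPLE_XFER_OUT_LOG,
                                     expected_zones=("example.test", "other.test"),
                                     allowed_peers=("192.168.10.202",))   # assumed secondary
    print("latest serial shipped per zone:", latest_serials(done))
    for p in problems:
        print("FINDING:", p)
```

Run it against the real file with `audit_transfers(open("/var/log/named/xfer-out.log").read(), ...)` (path is whatever your `channel xfer-out_file` points at). A zone listed in `expected_zones` that never appears with an "ended" line means the master's allow-transfer / also-notify for that zone does not cover the secondary, which is exactly the situation the thread ends on; a transfer without `/key` means the ACL is IP-only and a TSIG key in `server { keys { ... }; }` as in the configuration above would close that gap.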

