Bind in DMZ does not transfer zones from a master



  • In the DMZ there is a server with BIND configured as Slave.
    On it I have configured the zones, but after hours there is still no update from the DNS Master.
    Testing a zone (from Webmin) returns this error.

    Testing transfer of slave zone from IP-MASTER ..
    .. from IP-MASTER: Failed :
    ;; Connection to IP-MASTER#53(IP-MASTER) for DOMAIN-NAME failed: timed out.
    ;; Connection to IP-MASTER#53(IP-MASTER) for DOMAIN-NAME failed: timed out.
    ; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> IN AXFR DOMAIN-NAME @IP-MASTER
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    ;; Connection to IP-MASTER#53(IP-MASTER) for DOMAIN-NAME failed: timed out.

    It appears that the two servers are unable to communicate with each other, but the Master is already able to communicate with another slave activated on a VPS on the Internet.



  • Hi,

    The answer is : look at the DMZ firewall rules.
    The slave bind server can't contact the master domain server : it can't get "out".
    Contact the guy that sets up the pfSense firewall rules on the DMZ and explain to him what addresses/ports/protocols should be opened.



  • @Gertjan said in Bind in DMZ does not transfer zones from a master:

    Hi,

    The answer is : look at the DMZ firewall rules.
    The slave bind server can't contact the master domain server : it can't get "out".
    Contact the guy that sets up the pfSense firewall rules on the DMZ and explain to him what addresses/ports/protocols should be opened.

    I am setting up my first firewall with pfSense and I am doing it step by step to learn and I am doing it with some difficulty.

    These are the WAN and DMZ rules (with two NAT).
    In WAN perhaps the two NATs are enough and the two previous rules are useless and redundant.

    [screenshots of the WAN and DMZ rule sets; images not preserved]



  • The NAT rules :
    Rules 4 and 6 seem to be the same to me. I'm not sure, but the master bind server notifies slave servers if a zone needs to be updated. That traffic goes over UDP (TCP ?) and uses port 53 (destination). Rule number 6 is actually used (656 bytes).

    The firewall rules on DMZ :
    The first DNS rule looks fine to me.
    Web traffic (destination ports 80 and 443 ?) can go out.
    NTP should work.
    I don't understand your ICMP rule - it isn't used - no traffic matches.

    To debug your issue : create a pass-all rule on the DMZ interface on the 5th place, and see if bind traffic starts to work.

    No floating rules ?

    @WhiteTiger-IT said in Bind in DMZ does not transfer zones from a master:

    to learn and I am doing it with some difficulty.

    You're on the good path !!
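    As an added example (not code from this thread, nor from BIND, Webmin or pfSense), here is a small diagnostic for the situation in the first post: a BIND slave in a DMZ whose AXFR test from Webmin times out, and the advice in this reply to look at the firewall path before anything else. It separates the two things a slave needs, a working TCP/53 path to the master (zone transfers always run over TCP, so a timeout there is a firewall/NAT/routing problem, not a named.conf one) and a master that actually answers the transfer, and classifies dig AXFR output the way Webmin shows it. The sample output is constructed from the first post's placeholders; the "refused" and "ok" categories and the hint texts are this example's own assumptions, since the thread only shows the timed-out case.

    ```python
    """Added diagnostic for a BIND slave whose AXFR from the master times out.
    Not from the thread; hostnames/zone names are placeholders supplied by the caller."""
    import re
    import socket
    import subprocess

    # Constructed sample: the timeout output quoted in the first post,
    # with the poster's IP-MASTER / DOMAIN-NAME placeholders kept as written.
    SAMPLE_TIMEOUT = (
        "; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> IN AXFR DOMAIN-NAME @IP-MASTER\n"
        ";; global options: +cmd\n"
        ";; connection timed out; no servers could be reached\n"
        ";; Connection to IP-MASTER#53(IP-MASTER) for DOMAIN-NAME failed: timed out.\n"
    )

    # Matches the SOA record a successful AXFR starts with and captures its serial.
    SOA_RE = re.compile(r"\bIN\s+SOA\s+\S+\s+\S+\s+(\d+)")


    def tcp_reachable(host, port=53, timeout=3.0):
        """Return True if a TCP handshake to host:port completes.

        AXFR/IXFR always runs over TCP, so a failure here points at the packet
        path (DMZ firewall rule, NAT, routing) rather than at named.conf.
        """
        try:
            with socket.create_connection((host, port), timeout=timeout):
                return True
        except OSError:
            return False


    def classify_axfr(output):
        """Map dig AXFR output to (code, hint).

        'timeout' - no answer at all: fix the firewall/NAT path first.
        'refused' - master answered but rejected the transfer (assumed category:
                    check the master's allow-transfer and the slave's masters list).
        'ok'      - records arrived; the hint carries the SOA serial.
        'unknown' - anything else; read the raw output.
        """
        if "timed out" in output or "no servers could be reached" in output:
            return ("timeout", "no TCP/53 path from slave to master")
        if "Transfer failed" in output:
            return ("refused", "master reachable but transfer rejected")
        m = SOA_RE.search(output)
        if m:
            return ("ok", "serial " + m.group(1))
        return ("unknown", "unrecognised dig output")


    def run_dig_axfr(zone, master, timeout=3):
        """Run the same AXFR test Webmin runs (requires dig on the host)."""
        cmd = ["dig", f"+time={timeout}", "+tries=1", "IN", "AXFR", zone, f"@{master}"]
        proc = subprocess.run(cmd, capture_output=True, text=True)
        return proc.stdout + proc.stderr


    def diagnose(zone, master):
        """Check in the order the thread suggests: the path first, then the transfer."""
        if not tcp_reachable(master):
            return ("timeout", "TCP/53 to the master does not connect; check DMZ rules/NAT")
        return classify_axfr(run_dig_axfr(zone, master))


    if __name__ == "__main__":
        import sys
        # usage: python axfr_check.py ZONE MASTER-IP   (both are placeholders you supply)
        print(diagnose(sys.argv[1], sys.argv[2]))
    ```

    Run it from the slave itself, since that is the host whose path the DMZ rules govern: a "timeout" result means only the rule allowing the slave to reach the master on TCP and UDP 53 needs attention, whereas a "refused" result means the packet path is fine and the remaining work is on the two named.conf files. That keeps the temporary pass-all rule suggested above to the shortest possible window.
    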



  • @Gertjan

    In the end I found the two problems.
    The Master server did not resolve the names; I don't understand why, since nobody has touched it for months.
    But even after fixing it, the Slave in the DMZ did not update.

    I had to go to the ISP portal which sold me the domains to also add the new name server for each domain.
    Mine was an intuition, I didn't really understand the reason for this.
    However now the slave updates.

    I don't have floating rules; I don't even know what they are or how and when to use them.

    The biggest problem I am facing is troubleshooting.
    Four times I nailed myself for days around pfSense and then the issues were somewhere else: on the router, on the ISP, on the remote server.
    I need a guide to read that will help me waste less time in the future.

    For the moment, many thanks

