Why would I be getting IXFR and AXFR transfer denied on my DNS server?
Solution 1
Check your firewall to make sure you have port 53/tcp open from your secondary servers. If the zone is larger than 512 bytes, the transfer needs to go across TCP versus UDP.
Solution 2
I know this is old and already answered, but I wanted to throw in another option that hit me.
Same error, but it was caused by the local permissions on the filesystem (technically I had forgotten to give it the correct path, so it was trying to write to a directory it had no access to). So if you see an error like this, check the file stanza in your named.conf for the zone in question.
Example:

    zone "example.net" {
        type slave;
        file "slave/example.net.db";
        masters {
            172.168.19.234;
        };
    };
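A check that makes the point of this answer mechanical, as an added example that is not code from the answer or from BIND: it resolves every slave zone's `file` path against the `directory` option and verifies that the target directory exists and is writable by the named user, judging by ownership and mode bits rather than by running as that user. The named.conf text, zone names and the uid/gid (the current process owner stands in for the named user) are constructed for the demo.

```python
import os
import re
import stat
import tempfile

# Added example (not code from the answer above): resolve each slave zone's
# "file" target against options { directory } and check that the directory it
# lives in exists and is writable by the named user. Ownership and mode bits
# are inspected directly, so the check works without running as that user.
# The named.conf text, zone names and uid/gid used in demo() are constructed.


def _block_body(text, start):
    """Return the text between the '{' at text[start] and its matching '}'."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in named.conf")


def parse_named_conf(conf):
    """Return (options directory, [(zone, type, file), ...]) from named.conf text."""
    pat = re.compile(r'\b(options|zone\s+"([^"]+)")[^{;]*{')
    directory, zones, pos = None, [], 0
    while (m := pat.search(conf, pos)):
        brace = m.end() - 1
        body = _block_body(conf, brace)
        pos = brace + len(body) + 2  # continue after the matching '}'
        if m.group(1) == "options":
            d = re.search(r'\bdirectory\s+"([^"]+)"', body)
            directory = d.group(1) if d else None
        else:
            t = re.search(r"\btype\s+(\w+)\s*;", body)
            f = re.search(r'\bfile\s+"([^"]+)"\s*;', body)
            zones.append((m.group(2), t and t.group(1), f and f.group(1)))
    return directory, zones


def writable_by(path, uid, gids):
    """True if uid (a member of gids) has write+search permission on directory path."""
    st = os.stat(path)
    if st.st_uid == uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return st.st_mode & need == need


def check_slave_files(conf, uid, gids):
    """Map each slave/secondary zone to a problem string, or None if its path is usable."""
    directory, zones = parse_named_conf(conf)
    report = {}
    for name, ztype, zfile in zones:
        if ztype not in ("slave", "secondary"):
            continue  # primaries only read their file; the write check is for secondaries
        if zfile is None:
            report[name] = "no file statement"
            continue
        target = zfile if os.path.isabs(zfile) else os.path.join(directory or ".", zfile)
        parent = os.path.dirname(target)
        if not os.path.isdir(parent):
            report[name] = f"directory {parent} does not exist"
        elif not writable_by(parent, uid, gids):
            report[name] = f"directory {parent} is not writable by uid {uid}"
        else:
            report[name] = None
    return report


def demo():
    """Run the check against a constructed named.conf in a scratch directory."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "slave"))           # writable by its owner
    os.mkdir(os.path.join(root, "ro"))
    os.chmod(os.path.join(root, "ro"), 0o555)        # read-only, even for the owner
    conf = f"""
options {{ directory "{root}"; allow-transfer {{ 127.0.0.1; }}; }};
zone "example.net" {{ type slave; file "slave/example.net.db"; masters {{ 192.0.2.10; }}; }};
zone "missing.example" {{ type slave; file "nonexistent/missing.example.db"; masters {{ 192.0.2.10; }}; }};
zone "readonly.example" {{ type slave; file "ro/readonly.example.db"; masters {{ 192.0.2.10; }}; }};
zone "example.org" {{ type master; file "master/example.org.db"; }};
"""
    # Assumption: the process owner stands in for the named user.
    return check_slave_files(conf, os.getuid(), {os.getgid()})


if __name__ == "__main__":
    for zone, problem in demo().items():
        print(f"{zone}: {problem or 'ok'}")
```

On a real server, pass the uid and group set of the account named drops privileges to (it is shown in `ps` as the owner of the named process) instead of the current user's; the mode-bit check then tells you whether that account could create the zone file, which is exactly the condition this answer describes.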
danielj
Updated on September 17, 2022

Comments
- danielj (almost 2 years ago): From everything I've researched and tried, it appears that my named.conf is configured correctly, including the allow-transfer section.

  EDIT: I just took out the allow-transfer block and restarted bind. This should now allow anyone to do a transfer. The ones that could before still can, but the two servers that had problems before are still being denied!

  Here is a sample of the errors. It is only happening with a couple of my secondary servers, but it is happening for every zone for those servers that are failing. One of the servers is attempting IXFR, the other AXFR. The result is the same:

      18-Mar-2011 14:27:51.372 security: error: client 84.234.24.90#59208: zone transfer 'juansgaranton.com/IXFR/IN' denied
      18-Mar-2011 14:32:18.015 security: error: client 174.37.196.55#50783: zone transfer 'cheshirecat.net/AXFR/IN' denied

  Here is the relevant part of named.conf:

      options {
          directory "/etc/bind";
          pid-file "/var/run/named/named.pid";
          files 4096;
          allow-transfer {
              140.186.190.103;
              84.234.24.90;
              207.246.95.34;
              203.20.52.5;
              140.186.190.103;
              127.0.0.1;
              174.37.196.55;
          };
      };
      logging {
          channel "bind" {
              file "/var/log/bind.log" versions 3;
              print-time yes;
              print-severity yes;
              print-category yes;
              severity info;
          };
          category lame-servers { null; };
          category "default" { "bind"; };
      };
- danielj (over 13 years ago): Nope, just the one global.
- Zoredache (over 13 years ago): Have you tried briefly adding an allow-transfer setting into one of your zones?
- danielj (over 13 years ago): At your suggestion, I just tried it. No difference.
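Both clients denied in the question's log excerpt do appear in the global allow-transfer list, which is the situation worth checking mechanically before touching the firewall or the zone files. The script below is an added example, not code from this thread or from BIND: it parses "zone transfer ... denied" log lines in the format shown above, extracts the options-level allow-transfer ACL (literal addresses and prefixes only, applying BIND's first-match rule where a `!`-prefixed element that matches denies), and flags denials for clients that ACL permits. Such denials cannot be explained by the global list and point at a zone- or view-level allow-transfer, or at a different named.conf than the one being edited. The log lines, ACL entries and zone names in `demo()` are constructed.

```python
import ipaddress
import re

# Added example (not code from the thread): cross-check BIND "zone transfer
# ... denied" log lines against the options-level allow-transfer ACL, using
# BIND's first-match rule (elements are tried in order; a '!'-prefixed element
# that matches denies; 'any' matches everything, 'none' nothing). Only literal
# addresses and prefixes are handled here; named ACLs and TSIG keys are not.
# The log lines and named.conf fragment in demo() are constructed.

DENIED_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: "
    r"zone transfer '(?P<zone>[^/']+)/(?P<kind>AXFR|IXFR)/IN' denied"
)
ACL_RE = re.compile(r"allow-transfer\s*{([^}]*)}")


def parse_acl(conf):
    """Return the allow-transfer element list in file order, or None if absent."""
    m = ACL_RE.search(conf)
    if m is None:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def acl_allows(acl, ip):
    """Apply first-match semantics: the first element that matches decides."""
    addr = ipaddress.ip_address(ip)
    for elem in acl:
        negate = elem.startswith("!")
        elem = elem.lstrip("! ")
        if elem == "any":
            hit = True
        elif elem == "none":
            hit = False
        else:
            hit = addr in ipaddress.ip_network(elem, strict=False)
        if hit:
            return not negate
    return False  # no element matched: denied


def triage(log_text, conf):
    """Classify each denied transfer in the log.

    'expected'  : the client is not permitted by the global ACL, so the denial
                  is the configured behaviour.
    'unexpected': the client is permitted by the global ACL yet still denied, so
                  the cause lies elsewhere (a zone- or view-level allow-transfer,
                  or a different named.conf than the one being edited).
    """
    acl = parse_acl(conf)
    results = []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m is None:
            continue  # not a transfer denial (e.g. a lame-server or query line)
        permitted = acl is not None and acl_allows(acl, m["ip"])
        results.append((m["ip"], m["zone"], m["kind"],
                        "unexpected" if permitted else "expected"))
    return results


def demo():
    """Run the triage over a constructed ACL and constructed log lines."""
    conf = """
options {
    directory "/etc/bind";
    allow-transfer { 192.0.2.10; !203.0.113.5; 203.0.113.0/24; 127.0.0.1; };
};
"""
    log = """\
18-Mar-2011 14:27:51.372 security: error: client 192.0.2.10#59208: zone transfer 'example.net/IXFR/IN' denied
18-Mar-2011 14:28:03.101 security: error: client 198.51.100.7#50783: zone transfer 'example.net/AXFR/IN' denied
18-Mar-2011 14:29:10.555 security: error: client 203.0.113.5#41000: zone transfer 'example.org/AXFR/IN' denied
18-Mar-2011 14:30:44.200 security: error: client 203.0.113.9#41001: zone transfer 'example.org/AXFR/IN' denied
18-Mar-2011 14:31:00.000 lame-servers: info: lame server resolving 'example.com' (in 'example.com'?): 192.0.2.1#53
"""
    return triage(log, conf)


if __name__ == "__main__":
    for ip, zone, kind, verdict in demo():
        print(f"{verdict:10} {kind} of {zone} from {ip}")
```

Run it over `/var/log/bind.log` and the live named.conf: every 'unexpected' line is a client the global ACL already permits, so the remaining places to look are per-zone or per-view allow-transfer statements and whether the running named actually loaded the file being edited.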