Why would I be getting IXFR and AXFR transfer denied on my DNS server?


Solution 1

Check your firewall to make sure port 53/tcp is open from your secondary servers. If the zone is larger than 512 bytes, the transfer needs to go over TCP rather than UDP.

Solution 2

I know this is old and already answered, but I wanted to throw in another option that hit me.

Same error, but mine was caused by the local permissions on the filesystem (technically I had forgotten to give it the correct path, so it was trying to write to a directory it had no access to). So if you see an error like this, check the file stanza in your named.conf for the zone in question.

Example:

zone "example.net" {
  type slave;
  file "slave/example.net.db";
  masters {
     172.168.19.234;
  };
};
Author: danielj
Updated on September 17, 2022

Comments

  • danielj, almost 2 years

    From everything I've researched and tried, it appears that my named.conf is configured correctly, including the allow-transfer section.

    EDIT I just took out the allow-transfer block and restarted bind. This should now allow anyone to do a transfer. The ones that could before still can, but the two servers that had problems before are still being denied! EDIT

    Here is a sample of the errors. It is only happening with a couple of my secondary servers, but it is happening for every zone for those servers that are failing. One of the servers is attempting IXFR, the other AXFR. The result is the same:

    18-Mar-2011 14:27:51.372 security: error: client 84.234.24.90#59208: zone transfer 'juansgaranton.com/IXFR/IN' denied

    18-Mar-2011 14:32:18.015 security: error: client 174.37.196.55#50783: zone transfer 'cheshirecat.net/AXFR/IN' denied

    Here is the relevant part of named.conf.

    options {
            directory "/etc/bind";
            pid-file "/var/run/named/named.pid";
            files 4096;
    
            allow-transfer { 140.186.190.103; 84.234.24.90; 207.246.95.34;
                             203.20.52.5; 140.186.190.103; 127.0.0.1; 174.37.196.55; };
    };
    
    logging {
    channel "bind" {
        file "/var/log/bind.log" versions 3;
        print-time yes;
        print-severity yes;
        print-category yes;
        severity info;
    };
    
    category lame-servers { null; };
    category "default" { "bind"; };
    };
    
    • danielj, over 13 years
      Nope, just the one global.
    • Zoredache, over 13 years
      Have you tried briefly adding an allow-transfer setting into one of your zones?
    • danielj, over 13 years
      At your suggestion, I just tried it. No difference.
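A quick way to separate ACL denials from the other causes raised in the thread (TCP/53 filtered, a bad `file` path) is to check each denied client against the allow-transfer list the zone actually uses, remembering that a zone-level allow-transfer replaces the global one and that no allow-transfer at all means every client may transfer. The script below is an added example, not code from the question or answers; the config sample reuses the question's global ACL and adds a hypothetical per-zone override for cheshirecat.net, and the log lines are the two quoted above.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the question's global ACL plus a hypothetical per-zone override.
NAMED_CONF = """
options {
    allow-transfer { 140.186.190.103; 84.234.24.90; 207.246.95.34;
                     203.20.52.5; 140.186.190.103; 127.0.0.1; 174.37.196.55; };
};
zone "cheshirecat.net" {
    allow-transfer { 10.0.0.0/8; };
};
"""
# Constructed sample: the two 'zone transfer ... denied' lines quoted in the question.
LOG_LINES = [
    "18-Mar-2011 14:27:51.372 security: error: client 84.234.24.90#59208: zone transfer 'juansgaranton.com/IXFR/IN' denied",
    "18-Mar-2011 14:32:18.015 security: error: client 174.37.196.55#50783: zone transfer 'cheshirecat.net/AXFR/IN' denied",
]

ACL_RE = re.compile(r"allow-transfer\s*\{([^}]*)\}")
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{(.*?)\n\};', re.S)
DENIED_RE = re.compile(r"client (\S+)#\d+: zone transfer '([^/]+)/(AXFR|IXFR)/IN' denied")

def parse_acl(block):
    """Networks listed in a block's allow-transfer clause; None when the clause is absent."""
    m = ACL_RE.search(block)
    return None if not m else [ip_network(t.strip(), strict=False)
                               for t in m.group(1).split(";") if t.strip()]

def effective_acls(conf):
    """Global ACL (text outside any zone block) and the per-zone ACLs that override it."""
    zones = {name: parse_acl(body) for name, body in ZONE_RE.findall(conf)}
    return parse_acl(ZONE_RE.sub("", conf)), zones

def explain_denials(conf, log_lines):
    """Classify each denial as in-acl (client allowed, so the cause is elsewhere),
    not-in-acl (client must be added) or open-to-any (no allow-transfer anywhere: exposed)."""
    global_acl, zones = effective_acls(conf)
    findings = []
    for m in filter(None, map(DENIED_RE.search, log_lines)):
        client, zone, kind = m.groups()
        # A zone without its own allow-transfer inherits the global clause.
        acl = global_acl if zones.get(zone) is None else zones[zone]
        if acl is None:
            verdict = "open-to-any"
        else:
            verdict = "in-acl" if any(ip_address(client) in n for n in acl) else "not-in-acl"
        findings.append((zone, kind, client, verdict))
    return findings
```

Running `explain_denials(NAMED_CONF, LOG_LINES)` reports the first client as in-acl (so the ACL is not what is denying it) and the second as not-in-acl because the per-zone override excludes it.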