I've been trying to implement a BIND master->slave setup between two machines, but I have a problem regarding the IP address BIND uses on the master to notify my slave machine.
Here is my setup:
Master: master.site.com - 10.0.0.2
Slave: slave.site.com - 10.0.0.10
The master has an authoritative zone for site.com and is configured to notify all slaves when the zone is changed. The zone is working properly: it replies fine to queries and to dig @10.0.0.2 -t SOA site.com
So, on the master I have this named.conf.options:
options {
directory "/var/cache/bind";
dnssec-validation auto;
auth-nxdomain no;
listen-on { 10.0.0.2; };
listen-on-v6 { any; };
allow-query { any; };
recursion yes;
allow-recursion { localhost; };
allow-notify { localhost; };
allow-transfer { localhost; 10.0.0.10; };
version none;
notify yes;
also-notify { 10.0.0.10; };
};
On the slave:
options {
directory "/var/cache/bind";
dnssec-validation auto;
auth-nxdomain no;
listen-on { 10.0.0.10; };
listen-on-v6 { any; };
allow-query { any; };
recursion yes;
allow-recursion { localhost; };
allow-notify { localhost; 10.0.0.2; };
allow-transfer { localhost; 10.0.0.2; };
version none;
};
To start, notifications don't seem to work. Using tcpdump on the slave machine I got this:
02:32:50.269377 IP 10.0.0.1.15271 > 10.0.0.10.53: 64103 notify [b2&3=0x2400] [1a] SOA? site.com. (85)
02:32:50.269662 IP 10.0.0.10.53 > 10.0.0.1.15271: 64103 notify Refused- 0/0/0 (27)
As you can see, although the master is set to listen on 10.0.0.2, when sending notifications it is sending them using its main IP address 10.0.0.1, and logically my slave refused the notification...
Why isn't the master sending the notifications over 10.0.0.2? Is there any config where I can force that? The machine owns 3 IPs, one for its website, another for email and another for DNS... I need to make it ONLY use 10.0.0.2 for DNS, but apparently listen-on doesn't seem to work with outgoing traffic...
How can I fix this?
You are looking for the notify-source option. From the BIND ARM:
As for why BIND behaves this way, it is fairly typical of most applications. The source IP of locally initiated traffic defaults to the primary IP of the interface associated with the route. On a Linux system, you can view the source IP associated with each route by typing ip route show and looking at the values following the src keyword.
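As an added example (not part of the answer above or the poster's files), here is how the two options blocks from the question look with the source-address options set. The master gets notify-source, which is what the answer points at; the slave part goes beyond the answer and adds transfer-source, because the same default applies in the other direction: the slave's AXFR/IXFR requests will otherwise leave from its own primary address and may not match the master's allow-transfer { localhost; 10.0.0.10; } ACL. Addresses are the ones from the question; the other options are carried over unchanged.

```conf
// Master (10.0.0.2) -- added example, not the original named.conf.options.
options {
    directory "/var/cache/bind";
    dnssec-validation auto;
    auth-nxdomain no;
    listen-on { 10.0.0.2; };
    listen-on-v6 { any; };
    allow-query { any; };
    recursion yes;
    allow-recursion { localhost; };
    allow-notify { localhost; };
    allow-transfer { localhost; 10.0.0.10; };
    version none;
    notify yes;
    also-notify { 10.0.0.10; };
    // Outgoing NOTIFY messages now originate from 10.0.0.2 instead of the
    // interface's primary address 10.0.0.1, so they pass the slave's
    // allow-notify { localhost; 10.0.0.2; } ACL.
    notify-source 10.0.0.2;
};

// Slave (10.0.0.10) -- transfer-source is an assumption beyond the answer:
// it pins the source address of the slave's zone transfer requests so they
// match the master's allow-transfer ACL for 10.0.0.10.
options {
    directory "/var/cache/bind";
    dnssec-validation auto;
    auth-nxdomain no;
    listen-on { 10.0.0.10; };
    listen-on-v6 { any; };
    allow-query { any; };
    recursion yes;
    allow-recursion { localhost; };
    allow-notify { localhost; 10.0.0.2; };
    allow-transfer { localhost; 10.0.0.2; };
    version none;
    transfer-source 10.0.0.10;
};
```

After reloading named on both machines, the same tcpdump on the slave should show the NOTIFY arriving from 10.0.0.2 and the slave answering with NOERROR rather than Refused; if it still arrives from 10.0.0.1, the option was not applied to the running configuration. Pinning the source addresses also keeps the ACLs on both sides exact, so the slave accepts NOTIFYs and the master accepts transfer requests only from the addresses they were meant to trust.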