I've been banging my head against the BIND manual and Google for a few hours trying to get this figured out, but I'm not sure where I'm screwing up. I built this on a few local VMs, and the slave talked to the master without a problem. The firewall between these two subnets isn't blocking anything. Both VMs have firewalld set to accept UDP port 53 traffic with a permanent exception. Any advice would be greatly appreciated. The configuration is set up so that DHCP from two locations would update a master DNS, and then the DNS would populate a DNS slave. I removed some of the default named.conf text for the sake of space (anything not included is most likely default). This all runs on CentOS 7.
Errors when starting Named on slave
Jun 14 12:54:07 dns-vm-pa-01 named[26045]: running
Jun 14 12:54:07 dns-vm-pa-01 systemd[1]: Started Berkeley Internet Name Domain (DNS).
Jun 14 12:54:07 dns-vm-pa-01 named[26045]: zone 1.0.10.in-addr.arpa/IN: Transfer started.
Jun 14 12:54:07 dns-vm-pa-01 named[26045]: transfer of '1.0.10.in-addr.arpa/IN' from 10.0.0.5#53: connected using 10.0.1.5#36381
Jun 14 12:54:07 dns-vm-pa-01 named[26045]: transfer of '1.0.10.in-addr.arpa/IN' from 10.0.0.5#53: failed while receiving responses: SERVFAIL
Jun 14 12:54:07 dns-vm-pa-01 named[26045]: transfer of '1.0.10.in-addr.arpa/IN' from 10.0.0.5#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.146 secs (0 bytes/sec)
Jun 14 12:54:08 dns-vm-pa-01 named[26045]: zone int.bubbhashramp.com/IN: Transfer started.
Jun 14 12:54:08 dns-vm-pa-01 named[26045]: transfer of 'int.bubbhashramp.com/IN' from 10.0.0.5#53: connected using 10.0.1.5#36067
Jun 14 12:54:08 dns-vm-pa-01 named[26045]: transfer of 'int.bubbhashramp.com/IN' from 10.0.0.5#53: failed while receiving responses: SERVFAIL
Jun 14 12:54:08 dns-vm-pa-01 named[26045]: transfer of 'int.bubbhashramp.com/IN' from 10.0.0.5#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.155 secs (0 bytes/sec)
netstat Result on Master
udp 0 0 10.0.0.5:53 0.0.0.0:* 26141/named
Permissions for zone files in /var/named/dynamic/
-rw-r--r--. 1 root named 374 Jun 14 10:43 0.0.10.in-addr.arpa
-rw-r--r--. 1 root named 372 Jun 14 10:04 1.0.10.in-addr.arpa
-rw-r--r--. 1 root named 567 Jun 14 12:31 int.bubbhashramp.com
Dig Reply from Master
dig @10.0.0.5 vmhost-01.int.bubbhashramp.com
; <<>> DiG 9.8.3-P1 <<>> @10.0.0.5 vmhost-01.int.bubbhashramp.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21900
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;vmhost-01.int.bubbhashramp.com. IN A
;; ANSWER SECTION:
vmhost-01.int.bubbhashramp.com. 10800 IN A 10.0.1.10
;; AUTHORITY SECTION:
int.bubbhashramp.com. 10800 IN NS dns-vm-pa-01.int.bubbhashramp.com.
int.bubbhashramp.com. 10800 IN NS dns-vm-nh-01.int.bubbhashramp.com.
;; ADDITIONAL SECTION:
dns-vm-nh-01.int.bubbhashramp.com. 10800 IN A 10.0.0.5
dns-vm-pa-01.int.bubbhashramp.com. 10800 IN A 10.0.1.5
;; Query time: 55 msec
;; SERVER: 10.0.0.5#53(10.0.0.5)
;; WHEN: Tue Jun 14 13:05:34 2016
;; MSG SIZE rcvd: 146
Master Config
key "rndc-key" {
algorithm hmac-md5;
secret "bubbgumpkeys";
};
options {
listen-on port 53 { 10.0.0.5; };
listen-on-v6 port 53 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
allow-transfer { 10.0.0.0/16; };
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
forwarders {
8.8.8.8;
75.75.75.75;
8.8.4.4;
};
};
zone "int.bubbhashramp.com" {
type master;
file "dynamic/int.bubbhashramp.com";
allow-update { key rndc-key; };
};
zone "1.0.10.in-addr.arpa" {
type master;
file "dynamic/1.0.10.in-addr.arpa";
allow-update { key rndc-key; };
};
zone "0.0.10.in-addr.arpa" {
type master;
file "dynamic/0.0.10.in-addr.arpa";
allow-update { key rndc-key; };
};
Slave Config
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion no;
dnssec-enable yes;
dnssec-validation yes;
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
forwarders {
8.8.8.8;
75.75.75.75;
8.8.4.4;
};
};
zone "int.bubbhashramp.com" {
type slave;
file "slaves/int.bubbhashramp.com";
masters { 10.0.0.5; };
};
zone "1.0.10.in-addr.arpa" {
type slave;
file "slaves/1.0.10.in-addr.arpa";
masters { 10.0.0.5; };
};
Check the permissions on your BIND directories. BIND directories and files must be owned or at least writable by the BIND user (most likely named).
If your network isn't routing IPv6, remove the IPv6 lines from your config.
Turns out it was dnsmasq on the slave box. It was already bound to the IP and port 53, so named wasn't able to accept return traffic where it was listening. As soon as I disabled the dnsmasq service, it started working.
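As an added example (not from the question or either answer), here is a small Python check that applies the two tests behind this thread to netstat output: which processes hold port 53 besides named (the dnsmasq conflict above, and whether a TCP listener exists at all, since AXFR zone transfers run over TCP 53, not UDP), and whether the master's allow-transfer ACL actually admits the slave's source address. The netstat text is constructed: the master's line is the one posted, the slave-side lines with dnsmasq are assumed.

```python
import ipaddress
import re

# Constructed sample: the master's udp line from the question plus an assumed
# slave-side snapshot in which dnsmasq already owns port 53 on every address.
NETSTAT_SAMPLE = """\
udp        0      0 10.0.0.5:53             0.0.0.0:*                           26141/named
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1122/dnsmasq
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1122/dnsmasq
udp        0      0 127.0.0.1:323           0.0.0.0:*                           700/chronyd
"""

# Matches `netstat -lnp` rows: proto, recv-q, send-q, local addr:port, foreign, [LISTEN], pid/prog
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+"
    r"(?:LISTEN\s+)?(?P<pid>\d+)/(?P<prog>\S+)"
)


def port_listeners(netstat_text, port=53):
    """Return (proto, local_addr, program) for every socket bound to `port`."""
    found = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if m and int(m.group("port")) == port:
            found.append((m.group("proto"), m.group("addr"), m.group("prog")))
    return found


def port_conflicts(netstat_text, expected="named", port=53):
    """Programs other than `expected` holding `port`; named cannot bind it while this is non-empty."""
    return sorted({prog for _, _, prog in port_listeners(netstat_text, port) if prog != expected})


def has_tcp_listener(netstat_text, program="named", port=53):
    """Zone transfers (AXFR/IXFR) use TCP, so the master must show a tcp socket for `program`."""
    return any(proto.startswith("tcp") and prog == program
               for proto, _, prog in port_listeners(netstat_text, port))


def transfer_allowed(acl_cidrs, slave_ip):
    """Does the master's allow-transfer ACL (list of CIDRs) admit the slave's source address?"""
    ip = ipaddress.ip_address(slave_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in acl_cidrs)


if __name__ == "__main__":
    print("port 53 conflicts:", port_conflicts(NETSTAT_SAMPLE))
    print("named tcp/53 present:", has_tcp_listener(NETSTAT_SAMPLE))
    print("10.0.1.5 allowed by 10.0.0.0/16:", transfer_allowed(["10.0.0.0/16"], "10.0.1.5"))
```

On a live box, feed it `netstat -lnp` (or `ss -lnp`) output instead of the sample; an empty conflict list plus a TCP listener for named on the master narrows the search to ACLs, firewall rules for TCP 53, and the zone files themselves.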