Why would I be getting IXFR and AXFR transfer denied on my DNS server?

Posted by danielj on Server Fault See other posts from Server Fault or by danielj
Published on 2011-03-18T19:11:46Z Indexed on 2011/03/19 0:11 UTC
Read the original article Hit count: 523

Filed under:

dns

|

bind

|

nameserver

From everything I've researched and tried, it appears that my named.conf is configured correctly, including the allow-transfer section.

Here is a sample of the errors. It is only happening with a couple of my secondary servers, but it is happening for every zone for those servers that are failing. One of the servers is attempting IXFR, the other AXFR. The result is the same:

18-Mar-2011 14:27:51.372 security: error: client 84.234.24.90#59208: zone transfer 'juansgaranton.com/IXFR/IN' denied

18-Mar-2011 14:32:18.015 security: error: client 174.37.196.55#50783: zone transfer 'cheshirecat.net/AXFR/IN' denied

Here is the relevant part of named.conf.

options {
        directory "/etc/bind";
        pid-file "/var/run/named/named.pid";
        files 4096;

        allow-transfer { 140.186.190.103; 84.234.24.90; 207.246.95.34;
                         203.20.52.5; 140.186.190.103; 127.0.0.1; 174.37.196.55; };
};

logging {
channel "bind" {
    file "/var/log/bind.log" versions 3;
    print-time yes;
    print-severity yes;
    print-category yes;
    severity info;
};

category lame-servers { null; };
category "default" { "bind"; };
};

© Server Fault or respective owner

Related posts about dns

Master/Slave DNS setup vs. rsync'ed DNS servers

as seen on Server Fault - Search for 'Server Fault'
We currently have primary and secondary DNS servers on our corporate network. They are setup in a master/slave type setup, where the slave gets its DNS information from the master. I'm trying to figure out what the real advantage is for the master/slave setup instead of just setting up an automated… >>> More
Updating Windows DNS records from a remote windows DNS server

as seen on Server Fault - Search for 'Server Fault'
Does anyone know if it is possible for a windows 2003 DNS server to update the records for a domain so that it contains all the records of a domain of of a remotely based DNS server? Im almost certain that doesn't quite explain the problem so I shall illustrate with an example: We have two offices… >>> More
OpenVPN DNS: VPN DNS stomping local VPN

as seen on Super User - Search for 'Super User'
I've finally noodled with OpenVPN enough to get it working. Even better, I can mount samba drives, ping network machines through the TUN device, etc - it's all great. However, I'm noticing that if I have the directive: push "dhcp-option DNS 10.0.1.1" # Push our local DNS to clients Then some of… >>> More
Random DNS Client Issue with BIND9/Windows Server 2003 DNS

as seen on Stack Overflow - Search for 'Stack Overflow'
Within our office, we have a local server running DNS, for internal related "domains", (e.g. .internal, .office, .lan, .vpn, etc.). Randomly, only the hosts configured with those extensions will stop resolving on the Windows-based workstations. Sometimes it'll work for a couple weeks without issue… >>> More
DNS Tools - DNS and Few of its Concerning Terms and Tools

as seen on Article City - Search for 'Article City'
A DNS or Domain Name System lets you locate computers on a network or the Internet TCP/IP network by domain name. The DNS server sustains a database of domain names or host names along with their cor... [Author: Daisy Osbaldo - Computers and Internet - April 02, 2010] >>> More

Related posts about bind

ubuntu bind9 AppArmor read permission denied (chroot jail)

as seen on Server Fault - Search for 'Server Fault'
I am trying to run bind9 with chroot jail. I followed the steps mentioned at : http://www.howtoforge.com/debian_bind9_master_slave_system I am getting the following errors in my syslog: Jul 27 16:53:49 conf002 named[3988]: starting BIND 9.7.3 -u bind -t /var/lib/named Jul 27 16:53:49 conf002 named[3988]:… >>> More
setting up bind to work with nsupdate (SERVFAIL)

as seen on Server Fault - Search for 'Server Fault'
I'm trying to update my DNS-Server dynamically using nsupdate. Prerequisite I'm using Debian 6 on my DNS-Server and Debian 4 on my client. I created a public/private key pair using: dnssec-keygen -C -a HMAC-MD5 -b 512 -n USER sub.example.com. I then edited my named.conf.local to contain my public… >>> More
BIND DNS Master with Zerigo Slaves - BIND won't update the slave servers

as seen on Server Fault - Search for 'Server Fault'
I've tried to resolve this myself and have looked through Google and Stack but haven't found the answer I'm looking for. Currently on a VPS server I have BIND DNS installed as a MASTER DNS Server. I use Zerigo's DNS service as SLAVE servers for public use: The Master doesn't receive queries - It's… >>> More
How do I prevent directories mounted with 'bind' from appearing on 'Devices' on nautilus?

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I have these lines in the fstab # binds /media/DataNtfs/Music /home/can/Music none rw,bind /media/DataNtfs/Pictures /home/can/Pictures none rw,bind /media/DataNtfs/Downloads /home/can/Downloads none rw,bind /media/DataNtfs/Documents… >>> More
C++ question: boost::bind receive other boost::bind

as seen on Stack Overflow - Search for 'Stack Overflow'
I want to make this code work properly, what should I do? giving this error on the last line. what am I doing wrong? i know boost::bind need a type but i'm not getting. help class A { public: template <class Handle> void bindA(Handle h) { h(1, 2); } }; class B { public: void… >>> More