Monday, July 16, 2007

Quick-Tip: Permission Denied error on secondary DNS server

I like to consider myself a newcomer to DNS/BIND, and it goes to show that you can learn something new every day. In between my other work, I was asked to set up secondary DNS servers for both 'ar*s.net' and 'calpin*****.net' and the company's other personal domains, in the way that I always have.

Scenario:

There was a gateway machine running CentOS which was also acting as the company's primary DNS server (set up with both public and private IPs). The requirement was to set up a secondary DNS server on another machine which would receive updates for all domains from the primary, so that it could act as a fallback server.

But I noticed that the secondary was consistently getting the following error:

transfer of 'ar*s/IN' from #53: failed while receiving responses: permission denied

From this error I assumed that my master server was not set up correctly to allow the secondary to request zone transfers. This is normally done with the following configuration option in the /etc/named.conf file:

allow-transfer { ; };

I checked this configuration on the master to make sure it was there and that I had not done something like mistyping the IP address. On the surface everything seemed to be set up perfectly, but I was still getting the error.

Eventually I realized that the error was not a permission denied error from the remote master server, but from the local DNS server itself. It turned out to be a file permission error in the default layout of BIND on a CentOS system.

Since around Fedora Core 3 (and similarly CentOS 4), the default configuration for BIND chroots the daemon into its own filesystem space to help avoid and contain any security breach. This is a great feature.

Option 1:

To fix the permission denied error on your secondary (slave) DNS server, all you need to do is change the permissions of your data directory to include group write permission. On my system that directory is /var/named/sec. You can do this with a simple:

# chmod 775 /var/named/sec

or

# chmod g+w /var/named/

It should be noted that you will only run into this error on a secondary or slave DNS server if the secondary stores its slave data in a file. This happens when a slave is configured like this:

zone "example.com" IN {
    type slave;
    file "secondary-example.com";
    masters { 192.168.0.1; };
};

Option 2:

Another option, which in many ways is more correct on a Fedora Core system, is to store your secondary zone files in the slaves/ directory. This directory lives under /var/named/chroot/var/named/ and already has the proper permissions for you. So instead of file "secondary-example.com"; you would simply write file "slaves/secondary-example.com";.
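As an added example, not code from the original post: a small POSIX sh check of the condition both options above fix, namely whether the account named runs as can write into the directory its slave zone file is stored in. It assumes GNU coreutils `stat -c`, runs against a constructed temporary layout rather than a real /var/named, and the user and group names are whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the original post: report whether the account
# named runs as can write to the directory a slave zone file is stored in.
# If this check fails, a "permission denied" during a zone transfer is a
# local file permission problem, not a master-side allow-transfer problem.
# Assumes GNU coreutils `stat -c`; user, group and path are whatever you pass.

# Usage: slave_dir_writable DIR USER GROUP
# Returns 0 if USER (as owner), GROUP (via group bits) or anyone (via other
# bits) may write to DIR; 1 if not, printing the fix; 2 if DIR is missing.
slave_dir_writable() {
    dir=$1; usr=$2; grp=$3
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    mode=$(stat -c '%a' "$dir")          # e.g. 750, or 2750 with setgid
    own_usr=$(stat -c '%U' "$dir")
    own_grp=$(stat -c '%G' "$dir")
    perms=${mode#"${mode%???}"}          # keep only the last three octal digits
    u_bit=$(printf '%s' "$perms" | cut -c1)
    g_bit=$(printf '%s' "$perms" | cut -c2)
    o_bit=$(printf '%s' "$perms" | cut -c3)
    # Write permission is the 2 bit of each octal digit.
    if [ "$own_usr" = "$usr" ] && [ $((u_bit & 2)) -ne 0 ]; then return 0; fi
    if [ "$own_grp" = "$grp" ] && [ $((g_bit & 2)) -ne 0 ]; then return 0; fi
    if [ $((o_bit & 2)) -ne 0 ]; then return 0; fi
    echo "$dir is mode $perms, owned by $own_usr:$own_grp; $usr/$grp cannot write here." >&2
    echo "fix: chmod g+w $dir (if its group is $grp), or store the zone file under slaves/." >&2
    return 1
}

# Stand-alone demonstration on a constructed layout in a temporary directory,
# so it runs without root and without touching a real /var/named.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/sec" "$tmp/slaves"
    chmod 750 "$tmp/sec"                 # the default mode that triggers the error
    chmod 770 "$tmp/slaves"              # the mode the packaged slaves/ directory has
    me_grp=$(id -gn)                     # stand-in for the "named" group
    slave_dir_writable "$tmp/sec" named "$me_grp" && echo "sec: writable" || echo "sec: NOT writable"
    slave_dir_writable "$tmp/slaves" named "$me_grp" && echo "slaves: writable" || echo "slaves: NOT writable"
    rm -rf "$tmp"
}

[ "${1:-}" = "demo" ] && demo
```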

Error Checking:

To check for errors while trying out these options, just restart the named daemon like this:

# /etc/init.d/named restart

(note: the shutdown of named may fail, since it may not be running after the initial install)

Then look in the /var/log/messages file to see whether the named daemon started without error. Use the command:

# less /var/log/messages

Hopefully this shows you how to resolve this particular error. These suggestions have been tested on Fedora Core and CentOS alike.

Here are some other good DNS guides:

http://ldp.hughesjr.com/HOWTO/DNS-HOWTO.html
http://linux.maruhn.com/sec/dns-howto.html

DNS Resource Directory: http://www.dns.net/dnsrd/
