Score:0

BIND "notify" packages over NATted networks possible?

ge flag

I have a very specific issue: we have two DNS servers with networks being NATted to each other. Example: the DNS master has 192.168.1.1 and it's NATted to another subnet 192.168.2.x using the gateway 192.168.1.254. After updating DNS entries on the DNS master, my DNS slave on 192.168.2.1 receives a notification package from the master, but the notification package seems to come from the NATted IP 192.168.1.254. Due to this, the slave tries to update its DNS database from the wrong address; it always shows:

named[]: client @0x7ff89c02a170 192.168.1.254#59273: received notify for zone 'xxx.local'
named[]: zone xxx.local/IN: refused notify from non-master: 192.168.1.254#59273

Adding 192.168.1.254 as "allow-notify" on the slave does not work either; it gets stuck in a "refresh" state, thus not updating:

named[]: client @0x7fb7d0024440 192.168.1.254#39318: received notify for zone 'xxx.local'
named[]: zone xxx.local/IN: notify from 192.168.1.54#39318: serial 2023062701: refresh in progress, refresh check queued

I assume this is due to the fact that the DNS slave tries to update its database from the server with the NATted IP from which it seemed to get the "notify" package, not from the original DNS server's IP.

Manually running rndc retransfer xxx.local on the slave does work as this contacts the original server 192.168.1.1.

Is there any way to tell the slave to contact the original DNS server's IP upon receiving a notification package from the NATted address?

I already tried "notification-source", "transfer-source" and other settings on the master. All settings I did were not successful in trying to tell the slave DNS to contact the master DNS directly for the update.

user1686 avatar
fr flag
Why _are_ the networks NATed to each other in the first place? What's the purpose of having NAT in the middle of your LAN, in your case?
ws flag
It's not uncommon to have nameservers spread across availability zones / datacentres.
user1686 avatar
fr flag
Sure, but that doesn't imply the need for NAT, does it? I don't see why the packets can't be routed without any address translation.
Score:0
ws flag

In BIND you define what hosts the master node will send transfers to (allow-transfer), and on the slave you tell it to ask for transfers. When a node asks for a transfer, the other node starts a new TCP connection to the first to transfer the data, using the address it received the transfer request from (if it is listed in the allow-transfer ACL).

I don't believe there is a way to configure Bind to start a transfer to an address which didn't request it.

The easiest way to resolve your issue would be to use a VPN between the two nodes. Specifically a VPN which assigns IP addresses - a ssh or SSL tunnel won't do.
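As an added illustration of the ACLs the answer names (this is not configuration from the thread), the matching zone statements on the two servers, using the addresses and zone name from the question; file paths are constructed placeholders:

```conf
// Added illustration, not part of the original thread.
// Addresses and zone name come from the question; file paths are
// constructed placeholders. BIND 9.16+ keywords are used; older releases
// spell them "type master", "type slave" and "masters".

// --- named.conf on the primary, 192.168.1.1 ---
options {
    // Source address for outgoing NOTIFY messages. The NAT gateway still
    // rewrites it before it reaches 192.168.2.1, which is what the logs show.
    notify-source 192.168.1.1;
};

zone "xxx.local" {
    type primary;
    file "/var/named/xxx.local.db";
    // Only the secondary may pull the zone; any other AXFR/IXFR is refused.
    allow-transfer { 192.168.2.1; };
    // Send NOTIFY to the secondary even if it is not listed as an NS.
    also-notify { 192.168.2.1; };
};

// --- named.conf on the secondary, 192.168.2.1 ---
zone "xxx.local" {
    type secondary;
    file "/var/named/xxx.local.db";
    // Where the secondary sends its SOA refresh and transfer requests.
    // This list, not the source address of an incoming NOTIFY, decides
    // which server is contacted when a refresh is triggered.
    primaries { 192.168.1.1; };
    // NOTIFY is accepted from the primaries by default; the NATted source
    // seen in the logs must be added explicitly, and nothing broader.
    allow-notify { 192.168.1.254; };
};
```

Keep both ACLs as narrow as shown: an open allow-transfer exposes the whole zone to enumeration, and an open allow-notify lets any host trigger refresh traffic toward the primary.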
