How to allow AXFR for Hetzner DNS?

SYSTEM INFORMATION
OS type and version: ubuntu 20.04
Webmin version: 1.984
Virtualmin version: 6.17

I try to integrate Hetzner DNS into Virtualmin.
I’ve set up a secondary DNS server for the given domain and got this advice after it was successfully finished at the Hetzner backend:

From the provider, I got this result from the logs for the requests:

#----##----##----##----##----##----##----##----##----#
Dec 10 12:19:04 : notify for easyfit-app.de. from 195.201.123.120 serial 1638891162
Dec 10 12:19:04 : xfrd: zone easyfit-app.de received error code REFUSED from 195.201.123.120
Dec 10 12:19:04 : notify for easyfit-app.eu. from 195.201.123.120 serial 1638891162
Dec 10 12:19:04 : xfrd: zone easyfit-app.eu received error code REFUSED from 195.201.123.120
#----##----##----##----##----##----##----##----##----#

I’ve also tried fully shutting down the firewall, but the error appears anyway. So the issue must be somewhere else. Any suggestion on how to debug this?

In Webmin I have set up BIND in this way:

And also in “Zone-Defaults”:

Don’t touch “Allow queries from…”.

But you need to add it to the individual zone as well: from Webmin → Servers → BIND → select the zone → Edit zone options, and add the Hetzner IPs in “Allow transfers from” and “Also notify slaves”.
After saving this, click “Apply zone” and “Apply configuration” in the top right corner.

Follow /var/log/syslog using “tail -f /var/log/syslog | grep named” to make sure that the transfers are initiated.

@toreskev thanks for your answer.
What do you mean by “Don’t touch ‘Allow queries from…’”?
You mean I should leave this field empty, right?!

I did as you suggested, and got the following:

Jan  8 16:22:46 myServer named[931]: message repeated 3 times: [ client @0x7f208405c0d0 180.230.34.147#27015 (sl): query (cache) 'sl/ANY/IN' denied]
Jan  8 16:22:56 myServer named[931]: received SIGHUP signal to reload zones
Jan  8 16:22:56 myServer named[931]: loading configuration from '/etc/bind/named.conf'
Jan  8 16:22:56 myServer named[931]: reading built-in trust anchors from file '/etc/bind/bind.keys'
Jan  8 16:22:56 myServer named[931]: looking for GeoIP2 databases in '/usr/share/GeoIP'
Jan  8 16:22:56 myServer named[931]: using default UDP/IPv4 port range: [32768, 60999]
Jan  8 16:22:56 myServer named[931]: using default UDP/IPv6 port range: [32768, 60999]
Jan  8 16:22:56 myServer named[931]: sizing zone task pool based on 26 zones
Jan  8 16:22:56 myServer named[931]: zone 'domainname.de' allows unsigned updates from remote hosts, which is insecure
Jan  8 16:22:56 myServer named[931]: none:100: 'max-cache-size 90%' - setting to 3452MB (out of 3835MB)
Jan  8 16:22:56 myServer named[931]: obtaining root key for view _default from '/etc/bind/bind.keys'

Jan  8 16:23:18 myServer named[931]: client @0x7f208405c0d0 145.102.6.85#25303 (domainname.com): query (cache) 'domainname.com/SOA/IN' denied
Jan  8 16:23:18 myServer named[931]: client @0x7f208807e4a0 145.102.6.85#9512 (domainname.com): query (cache) 'domainname.com/SOA/IN' denied
Jan  8 16:23:18 myServer named[931]: client @0x7f208405c0d0 145.102.6.85#51877 (domainname.com): query (cache) 'domainname.com/SOA/IN' denied
Jan  8 16:23:18 myServer named[931]: client @0x7f208405c0d0 145.102.6.85#63305 (domainname.com): query (cache) 'domainname.com/SOA/IN' denied
Jan  8 16:23:18 myServer named[931]: client @0x7f208405c0d0 145.102.6.85#49856 (domainname.com): query (cache) 'domainname.com/SOA/IN' denied

Then I triggered the setting for the domain again at my domain registrar, and got this in the logs:

Jan  8 16:41:42 xst01 named[3083163]: client @0x7f39dc01b4b0 81.91.173.169#57588 (domainname.de): query 'domainname.de/SOA/IN' denied

The IP lookup shows that 81.91.173.169 is from DENIC (German domain-registrar agency).

BTW:
I also found that there are some permission errors in the logfile… doesn’t the group permission here have to be bind, and the same in /var/cache/bind/ (where they are all root:root)?!

I did: chown root:bind /etc/bind/rndc.key, and this permission error is gone. I’ll leave the other ones on root:root, because I’m not sure. But if you think it’s safe to do, then I’ll change it.

Yes, “Allow queries from” should be empty, i.e. set to Default.
As shown in your initial screenshot, you would ONLY allow those IPs to query the server, which we don’t want.

Those permissions are fine and as they should be.

Ok, but what is the issue with the request from DENIC:

Jan  8 16:41:42 xst01 named[3083163]: client @0x7f39dc01b4b0 81.91.173.169#57588 (domainname.de): query 'domainname.de/SOA/IN' denied

Does this point us to an issue?
That’s the only request which is reported in the logs while trying to setup this domain on registrar-side.
Do I need to add this IP to the allowed-list?

I wonder: if my VM BIND server is the master, shouldn’t it allow ANY request?!

Now you have removed the previous “Allow queries from” and added all the things mentioned above in the zone-specific configuration?

ANY requests should be allowed only for those domains actually hosted as authoritative, as far as I remember.
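The "denied" lines above are worth reading mechanically rather than by eye. The following triage script is an added example for this thread (not code from Webmin, Virtualmin or Hetzner). It assumes the stock BIND "query ... denied" wording shown in the logs above: a denied query logged with "(cache)" did not match any zone this server serves (the client asked for recursion, which an authoritative-only server refuses), while one logged without "(cache)" hit the allow-query ACL of a zone the server does host, which is the symptom of a restricted "Allow queries from". The SAMPLE lines and ZONES set are constructed with placeholder addresses that mirror the formats in the thread.

```python
"""Triage BIND/NSD syslog lines while debugging AXFR to an external secondary.

Added example for this thread, not code from Webmin, Virtualmin or Hetzner.
Assumption: BIND logs "(cache)" only when the query did not match a hosted zone.
SAMPLE and ZONES below are constructed with placeholder addresses.
"""
import re
from collections import Counter

# Lines the secondary (NSD-style xfrd) writes when it hears a NOTIFY and tries a transfer.
NOTIFY_RE = re.compile(r"notify for (?P<zone>\S+?)\.? from (?P<ip>[0-9a-fA-F.:]+) serial (?P<serial>\d+)")
XFR_RE = re.compile(r"xfrd: zone (?P<zone>\S+) received error code (?P<rcode>[A-Z]+) from (?P<ip>[0-9a-fA-F.:]+)")
# Lines the primary (BIND named) writes when an ACL rejects a query.
DENIED_RE = re.compile(
    r"client @0x[0-9a-f]+ (?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query (?P<cache>\(cache\) )?'(?P<name>[^/']+)/(?P<qtype>[A-Z0-9]+)/IN' denied"
)
INSECURE_RE = re.compile(r"zone '(?P<zone>[^']+)' allows unsigned updates")


def in_zones(name, zones):
    """True if name is one of our zones or a name below one of them."""
    name = name.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in zones)


def classify(line, zones):
    """Return (kind, client_ip, name, hint) for a relevant line, else None."""
    m = XFR_RE.search(line)
    if m:
        kind = "xfr_refused" if m["rcode"] == "REFUSED" else "xfr_error"
        return (kind, m["ip"], m["zone"],
                f"primary {m['ip']} answered {m['rcode']}: add the secondary's address to allow-transfer for {m['zone']}")
    m = NOTIFY_RE.search(line)
    if m:
        return ("notify", m["ip"], m["zone"], f"NOTIFY received from {m['ip']} for serial {m['serial']}")
    m = DENIED_RE.search(line)
    if m:
        name = m["name"]
        if not m["cache"]:
            return ("query_denied_authoritative", m["ip"], name,
                    "allow-query on a zone this server hosts denies the client; reset it to any for a public zone")
        if in_zones(name, zones):
            return ("query_denied_cache_own_zone", m["ip"], name,
                    "zone expected here but not served: check it loaded and that the configuration was applied")
        return ("query_denied_cache", m["ip"], name,
                "not our zone and recursion is off: expected noise on an authoritative-only server")
    m = INSECURE_RE.search(line)
    if m:
        return ("insecure_update", "-", m["zone"], "allow-update accepts unsigned dynamic updates; restrict it or require a TSIG key")
    return None


def triage(log_text, zones):
    """Classify every relevant line of a syslog excerpt, in order."""
    return [f for f in (classify(line, zones) for line in log_text.splitlines()) if f]


def summarize(findings):
    """Count findings per kind, e.g. {'xfr_refused': 1, ...}."""
    return dict(Counter(kind for kind, *_ in findings))


# Constructed sample: two lines from the secondary's log, the rest from the primary's syslog.
ZONES = {"example.de", "example.eu"}
SAMPLE = """\
Dec 10 12:19:04 : notify for example.de. from 203.0.113.1 serial 1638891162
Dec 10 12:19:04 : xfrd: zone example.de received error code REFUSED from 203.0.113.1
Jan  8 16:22:46 ns1 named[931]: message repeated 3 times: [ client @0x7f208405c0d0 198.51.100.7#27015 (sl): query (cache) 'sl/ANY/IN' denied]
Jan  8 16:22:56 ns1 named[931]: zone 'example.de' allows unsigned updates from remote hosts, which is insecure
Jan  8 16:23:18 ns1 named[931]: client @0x7f208807e4a0 198.51.100.8#9512 (example.com): query (cache) 'example.com/SOA/IN' denied
Jan  8 16:23:19 ns1 named[931]: client @0x7f208807e4a0 198.51.100.9#9513 (example.eu): query (cache) 'example.eu/SOA/IN' denied
Jan  8 16:41:42 ns1 named[3083163]: client @0x7f39dc01b4b0 192.0.2.44#57588 (example.de): query 'example.de/SOA/IN' denied
"""

if __name__ == "__main__":
    for kind, ip, name, hint in triage(SAMPLE, ZONES):
        print(f"{kind:28} {ip:15} {name:14} {hint}")
    print(summarize(triage(SAMPLE, ZONES)))
```

Run it against `grep named /var/log/syslog` output (and the secondary's log, if the provider shows it) with ZONES set to the zones the server is supposed to be primary for: the last sample line is the DENIC-style case, an SOA query for a hosted zone denied without "(cache)", which points at "Allow queries from" rather than at the transfer settings.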

Ok, I found that there was also a setting for “Allow queries from…” in BIND > Zone-Defaults. I removed everything there too and set it back to “default”.

Now I have this setting, and restarted bind:

Then I triggered the NS change at my registrar again, and got another error message (by email, not in the BIND logs)… which seems to be a step forward :slight_smile: :

Unfortunately we were not able to process your request.
109 Retry value out of range (expected, found) ([900..28800], 600)

So I have to ask my domain registrar what this means, but I think you have at least helped me solve this. Thanks a lot :trophy:

Can you help me summarize the results (this might also help others)?
So what I need to do to allow AXFR to an external secondary DNS (in my case on Hetzner) is the following:

Webmin > BIND DNS Server:

  1. Zone Defaults: set “Allow transfers from…” and “Also notify slaves…” to “listed” and enter the IPs of the secondary NSs
  2. Other DNS Servers: set the secondary NS server IPs there
  3. (if it is not working) check the single zone file of the given domain > Edit Zone Options and make sure “Allow queries from…” is empty
  4. Don’t forget to reload or restart BIND (upper right corner in Webmin, BIND area)

If I understand it correctly, the default for “Allow queries from” is “any”, but if you set one, it’s restricted.

@toreskev Is this right so far?

Yes, this is the process I’ve been doing (I was also using Hetzner until recently) so this should work well :slight_smile:

I would assume this is correct. I’ve never touched this setting though so take this with a grain of salt :slight_smile:

Ok, I figured out that this domain-registrar error depends on another BIND config setting you have to make in Webmin:

This must be at least 900 (for my domain registrar). It might be a different value for other registrars.
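What the Webmin clicks in the summary above produce on disk is a zone stanza in named.conf plus the SOA record in the zone file, and both can be checked before the registrar or the secondary is pointed at the server. The script below is an added example (not Webmin's or BIND's code): it shows a weak stanza, with "Allow queries from" restricted to the secondaries and no transfer/notify settings, beside the corrected one, and checks the SOA retry value against the [900..28800] range quoted in the registrar error above. The stanzas, the zone file, the file path and the 203.0.113.x secondary addresses are constructed placeholders; the other SOA timers are not checked because the thread gives no ranges for them.

```python
"""Audit a primary zone's named.conf options and SOA timers before enabling an
external secondary. Added example, not code from Webmin or BIND.
Assumptions: RETRY_RANGE is the registrar's range quoted in the thread; the
stanzas, zone file and 203.0.113.x addresses below are constructed placeholders.
"""
import re

SECONDARIES = ["203.0.113.10", "203.0.113.11"]   # the provider's transfer/notify addresses (placeholders)
RETRY_RANGE = (900, 28800)                        # "[900..28800]" from the registrar's error mail


def parse_acl(stanza, option):
    """Address list of e.g. `allow-transfer { a; b; };`, or None if the option is absent."""
    m = re.search(option + r"\s*\{([^}]*)\}", stanza)
    if not m:
        return None
    return [t.strip() for t in m.group(1).split(";") if t.strip()]


def check_zone_stanza(stanza, secondaries):
    """Problems with the transfer/notify/query ACLs of one zone stanza (empty list = OK)."""
    problems = []
    xfer = parse_acl(stanza, "allow-transfer")
    if xfer is None:
        problems.append("allow-transfer not set on the zone: inherits the options default, set it explicitly")
    else:
        if "any" in xfer:
            problems.append("allow-transfer { any; }: anyone can dump the zone, list the secondaries only")
        problems += [f"allow-transfer is missing secondary {ip}: its AXFR will be REFUSED"
                     for ip in secondaries if ip not in xfer]
    notify = parse_acl(stanza, "also-notify") or []
    problems += [f"also-notify is missing {ip}: unless it is in the NS set it only polls at the SOA refresh interval"
                 for ip in secondaries if ip not in notify]
    query = parse_acl(stanza, "allow-query")
    if query is not None and "any" not in query:
        problems.append("allow-query is restricted: resolvers and the registry's SOA check get 'query denied'")
    return problems


UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def ttl_seconds(token):
    """Zone-file time token ('600', '1h', '2d') in seconds."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", token.lower())
    if not m:
        raise ValueError(f"bad time token {token!r}")
    return int(m.group(1)) * UNITS[m.group(2)]


def parse_soa(zone_text):
    """Serial and timers of the SOA record; handles the usual multi-line '( ... )' layout and ';' comments."""
    flat = " ".join(line.split(";")[0] for line in zone_text.splitlines())
    m = re.search(r"\bSOA\s+\S+\s+\S+\s*\(?\s*((?:[\dsmhdwSMHDW]+\s+){4}[\dsmhdwSMHDW]+)", flat)
    if not m:
        raise ValueError("no SOA record found")
    serial, refresh, retry, expire, minimum = m.group(1).split()
    return {"serial": int(serial), "refresh": ttl_seconds(refresh), "retry": ttl_seconds(retry),
            "expire": ttl_seconds(expire), "minimum": ttl_seconds(minimum)}


def check_soa(soa, retry_range=RETRY_RANGE):
    """Registrar-style check of the retry timer (the one the thread's error mail rejected)."""
    lo, hi = retry_range
    if not lo <= soa["retry"] <= hi:
        return [f"SOA retry {soa['retry']} outside [{lo}..{hi}]"]
    return []


# Constructed samples: the stanza Webmin writes when "Allow queries from" was filled in
# with the secondaries' IPs, and the corrected one matching the summary in the thread.
WEAK_STANZA = """
zone "example.de" {
    type master;
    file "/var/lib/bind/example.de.hosts";
    allow-query { 203.0.113.10; 203.0.113.11; };
};
"""
GOOD_STANZA = """
zone "example.de" {
    type master;
    file "/var/lib/bind/example.de.hosts";
    allow-query { any; };
    allow-transfer { 203.0.113.10; 203.0.113.11; };
    also-notify { 203.0.113.10; 203.0.113.11; };
};
"""
ZONE_FILE = """\
$TTL 3600
@   IN  SOA ns1.example.de. hostmaster.example.de. (
        2024010801  ; serial
        10800       ; refresh
        600         ; retry, below the registrar's minimum of 900
        604800      ; expire
        3600 )      ; minimum
    IN  NS  ns1.example.de.
"""

if __name__ == "__main__":
    for label, stanza in (("weak", WEAK_STANZA), ("good", GOOD_STANZA)):
        print(label, check_zone_stanza(stanza, SECONDARIES) or "OK")
    print(check_soa(parse_soa(ZONE_FILE)) or "SOA OK")
```

Point `check_zone_stanza` at the zone's stanza from /etc/bind/named.conf (or the file Webmin includes from it) and `parse_soa` at the zone file, and rerun after "Apply configuration"; the weak stanza reproduces both symptoms from the thread at once, the REFUSED transfer and the denied SOA query from the registry.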


Huh, never heard of this before, but I have heard that the .de registry has some oddities (like the .no registry).
Glad you figured it out :slight_smile:
