I'm trying to integrate Hetzner DNS into Virtualmin.
I've set up a secondary DNS server for the given domain and got this advice after it was successfully finished at the Hetzner backend:
From the provider, I got this result in the logs for the requests:
#----##----##----##----##----##----##----##----##----#
Dec 10 12:19:04 : notify for easyfit-app.de. from 195.201.123.120 serial 1638891162
Dec 10 12:19:04 : xfrd: zone easyfit-app.de received error code REFUSED from 195.201.123.120
Dec 10 12:19:04 : notify for easyfit-app.eu. from 195.201.123.120 serial 1638891162
Dec 10 12:19:04 : xfrd: zone easyfit-app.eu received error code REFUSED from 195.201.123.120
#----##----##----##----##----##----##----##----##----#
I've also tried fully shutting down the firewall, but the error appears anyway. So the issue must be somewhere else. Any suggestions on how to debug this?
But you need to add it to the individual zone also, from Webmin → Servers → Bind → select the zone → Edit zone options → and add the Hetzner IPs in the “Allow transfers from” and “Also notify slaves”.
After saving this, click "Apply zone" and "Apply configuration" in the top right corner.
Follow /var/log/syslog using "tail -f /var/log/syslog|grep named" to make sure that the transfers are initiated.
The IP lookup shows that 81.91.173.169 belongs to DENIC (the German domain-registrar agency).
BTW:
I also found that there are some permission errors in the log file… doesn't the group permission here have to be bind, and the same in /var/cache/bind/ (where they are all root:root)?!
I did: chown root:bind /etc/bind/rndc.key and this permission error is gone. I left the other ones on root:root because I'm not sure. But if you think it's safe to do, then I'll change it.
Yes, the "Allow queries from" should be empty, i.e. set to Default.
As you've shown in your initial screenshot, you will ONLY allow those IPs to query the server, which we don't want.
Does this point us to an issue?
That’s the only request which is reported in the logs while trying to setup this domain on registrar-side.
Do I need to add this IP to the allow list?
I wonder: if my VM BIND server is the master, shouldn't it allow ANY request?!
OK, I found that there was also a setting for "Allow queries from…" in BIND > Zone Defaults. I removed everything there too and set it back to "default".
Then I triggered the NS change at my registrar again and got another error message (by email, not in the BIND logs)… which seems to be a step forward:
Unfortunately we were not able to process your request.
109 Retry value out of range (expected, found) ([900..28800], 600)
So I have to ask my domain registrar what this means, but I think you have at least helped me solve this. Thanks a lot!
Can you help me summarize the results (this might also help others)?
So what I need to do to AXFR to an external secondary DNS (in my case at Hetzner) is the following:
Webmin > Bind DNS Server:
Zone Defaults: Set "Allow transfers from…" and "Also notify slaves…" to "Listed" and enter the IPs of the secondary NSs
Other DNS Servers: Set the secondary NS server IPs there
(If not working) check the single zone file of the given domain > Edit Zone Options and make sure "Allow queries from…" is empty.
Don't forget to reload or restart BIND (upper right corner in Webmin, BIND area)
If I understand it right, the default for "Allow queries from" is set to "any", but if you set one, it's restricted.
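As an added example (not from the thread, Webmin or Virtualmin), this is the named.conf equivalent of the Webmin settings in the summary above; 203.0.113.10 and 203.0.113.20 are placeholders for Hetzner's secondary addresses (the real ones come from the Hetzner panel), and the zone file path follows the Debian /var/cache/bind/ layout mentioned earlier:

```conf
// Added example: what Webmin's "Zone Defaults" and per-zone "Edit Zone Options"
// end up writing into BIND's configuration. Placeholder IPs, not real Hetzner ones.
options {
    directory "/var/cache/bind";
    // "Allow queries from" left at Default: no allow-query line at all, so the
    // built-in default (any) applies and registrar checks (e.g. from DENIC) are answered.
    // Zone Defaults -> "Allow transfers from": only the secondaries may AXFR/IXFR.
    allow-transfer { 203.0.113.10; 203.0.113.20; };   // placeholders for Hetzner secondaries
    // Zone Defaults -> "Also notify slaves": send NOTIFY so the secondaries pull promptly.
    also-notify { 203.0.113.10; 203.0.113.20; };
    notify yes;
};

// The per-zone ACLs below are what "Edit Zone Options" writes and must match as well;
// otherwise the secondary's xfrd logs "received error code REFUSED" as in the log above.
zone "easyfit-app.de" {
    type master;
    file "/var/cache/bind/easyfit-app.de.hosts";   // assumed Virtualmin-style path
    allow-transfer { 203.0.113.10; 203.0.113.20; };
    also-notify { 203.0.113.10; 203.0.113.20; };
    // No allow-query here either: a zone-level allow-query would override the default.
};
```

The registrar's later error 109 concerns the zone file's SOA retry field rather than this configuration: the message quotes the accepted range [900..28800] seconds, while the zone had 600.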