# Named can't transfer slave



## Seeker (Jul 17, 2009)

```
transfer of 'in-addr.arpa/IN' from 192.5.5.241#53: failed to connect: timed out
transfer of 'arpa/IN' from 192.5.5.241#53: failed to connect: timed out
```

Cought in sockstat:

```
bind     named      28675 25 tcp4   A.B.208.173:62150  192.5.5.241:53
```

Just for fun, when I deleted:

```
/var/named/etc/namedb/slave/arpa.slave
/var/named/etc/namedb/slave/in-addr.arpa.slave
/var/named/etc/namedb/slave/root.slave
```

Other hosts conecting through ne can't resolve domain names 

And those files can't be retrieved because upper main problem

Here is a PF's log:

```
18:35:41.587818 IP starforce.biz.56055 > f.root-servers.net.domain: 20657 [1au] SOA? arpa. (33)
18:35:41.634533 IP starforce.biz.62200 > f.root-servers.net.domain: S 2395225049:2395225049(0) win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp[|tcp]>
18:36:08.126510 IP starforce.biz.57940 > f.root-servers.net.domain: 5594 [1au] SOA? . (28)
18:36:08.173358 IP starforce.biz.57596 > f.root-servers.net.domain: S 3446537803:3446537803(0) win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp[|tcp]>
18:37:02.558393 IP starforce.biz.64977 > f.root-servers.net.domain: 10337 [1au][|domain]
```


----------



## SirDice (Jul 17, 2009)

You will need to allow both tcp and udp access to port 53.


----------



## Seeker (Jul 17, 2009)

SirDice said:
			
		

> You will need to allow both tcp and udp access to port 53.



I already have pf rule for that:

```
pass in log inet proto { tcp, udp } from any to ($ext_if) port 53
```


----------



## SirDice (Jul 17, 2009)

Add *keep state* to that line. It also has to be able to respond. Also make sure named is listening on that interface/ip address.


----------



## Seeker (Jul 17, 2009)

sockstat says it is listening on that interface/ip address, both tcp4 and udp4

pfctl -s rules:
pass in log inet proto tcp from any to ($ext_if) port = domain flags S/SA keep state
pass in log inet proto udp from any to ($ext_if) port = domain keep state


----------



## SirDice (Jul 17, 2009)

No need to use flags S/SA, scrub will take care of any weird combination anyway.

Just:

```
pass in log inet proto {tcp,udp} from any to ($ext_if) port 53 keep state
```


----------



## DutchDaemon (Jul 17, 2009)

'keep state' and 'flags S/SA' (tcp) are the default now in pf. If you don't add them they will still show up in [cmd=]pftcl -s rules[/cmd].


----------



## Seeker (Jul 17, 2009)

Ok, anyway...., why I can't get those files.
Have I been blacklisted?


----------



## SirDice (Jul 17, 2009)

What are you trying to archive anyway?


----------



## Seeker (Jul 17, 2009)

I wana be a slave for:

```
zone "." {
        type slave;
        file "slave/root.slave";
        masters {
                192.5.5.241;    // F.ROOT-SERVERS.NET.
        };
        notify no;
};
zone "arpa" {
        type slave;
        file "slave/arpa.slave";
        masters {
                192.5.5.241;    // F.ROOT-SERVERS.NET.
        };
        notify no;
};
zone "in-addr.arpa" {
        type slave;
        file "slave/in-addr.arpa.slave";
        masters {
                192.5.5.241;    // F.ROOT-SERVERS.NET.
        };
        notify no;
}
```


----------



## SirDice (Jul 17, 2009)

You can't slave the root servers.


----------



## Seeker (Jul 18, 2009)

SirDice said:
			
		

> You can't slave the root servers.



That crazy..., I am not P

Anyway, it did worked before.
Results were this files:

```
/var/named/etc/namedb/slave/arpa.slave
/var/named/etc/namedb/slave/in-addr.arpa.slave
/var/named/etc/namedb/slave/root.slave
```

So PCs connecting through main PC wouldn't have to query root or other DNS server as it is cached there.

That is way, as soon as I deleted those files, they couldn't resolve domains

I needed to disable that feature in order to make them able to resolve domains again


----------



## vivek (Jul 18, 2009)

Hah .. you are abusing root servers. Wait some time when dnssec enabled no one able to to do domain hijacking. If you are good user, set dns caching using djbdns, bind or pdns. This is wrong on many level.


----------



## Seeker (Jul 18, 2009)

LOL!
USRA -ABUSA

I use bind.

As I see it, after this is being done, root servers are being less pestered

I simply don't know why this has stopped working.

Now I've set it to:

```
zone "." {type hint; file "named root"; };
```

But I would really like to slave those zones from root name servers


----------



## dennylin93 (Jul 18, 2009)

DutchDaemon said:
			
		

> 'keep state' and 'flags S/SA' (tcp) are the default now in pf. If you don't add them they will still show up in [cmd=]pftcl -s rules[/cmd].



This is true for RELENG_7 and later.

For RELENG_6 and earlier, the PF version is equivalent to that of OpenBSD 3.7. Since "keep state" and "flags S/SA" were first set to default in OpenBSD 4.1, they still need to be added in /etc/pf.conf.


----------



## aragon (Jul 18, 2009)

Seeker said:
			
		

> As I see it, after this is being done, root servers are being less pestered


Not actually.  DNS caching is more effective for this.  If that weren't the case, everyone would be slaving the root zones, and the root maintainers would be promoting it.


----------



## DutchDaemon (Jul 18, 2009)

dennylin93 said:
			
		

> This is true for RELENG_7 and later.
> 
> For RELENG_6 and earlier, the PF version is equivalent to that of OpenBSD 3.7. Since "keep state" and "flags S/SA" were first set to default in OpenBSD 4.1, they still need to be added in /etc/pf.conf.



I'm not advocating leaving them out in any version  Even on 8-CUR I still put 'keep state' and 'flags S/SA' in my pf rules. They look incomplete without them, and I even get stuck reading rulesets when they're not there. It's like your mind catches a spelling error when reading something really fast, and you have to force your eyes to backtrack and find the error. Sick, innit.


----------



## Seeker (Jul 20, 2009)

Anyway..., to sumarize.
Looks like root servers are blocking me from slaving them.
And a fact is, that I used, to successfully do that before.
And after 3 days, stopped to work: failed to connect: timed out

There is no panacea? Right?


----------



## vivek (Jul 20, 2009)

> And after 3 days, stopped to work: failed to connect: timed out


No root server never does that, otherwise it will be a disaster. . server will keep track of example.com and example.com will have autherative name servers which will also block your request. May be you were using caching server


----------



## SirDice (Jul 20, 2009)

Just set up a caching dns server and be done. There really is no benefit in slaving the root servers.


----------



## Seeker (Jul 20, 2009)

I'll just point a fact then, as I am new to DNS:

```
zone "." {
        type slave;
        file "slave/root.slave";
        masters {
                192.5.5.241;    // F.ROOT-SERVERS.NET.
        };
        notify no;
};
zone "arpa" {
        type slave;
        file "slave/arpa.slave";
        masters {
                192.5.5.241;    // F.ROOT-SERVERS.NET.
        };
        notify no;
};
zone "in-addr.arpa" {
        type slave;
        file "slave/in-addr.arpa.slave";
        masters {
                192.5.5.241;    // F.ROOT-SERVERS.NET.
        };
        notify no;
}
```

resulted in this files:


```
/var/named/etc/namedb/slave/arpa.slave
/var/named/etc/namedb/slave/in-addr.arpa.slave
/var/named/etc/namedb/slave/root.slave
```

After few days I was forced to replace above config with:

```
zone "." {type hint; file "named root"; };
```


----------



## clementsm (Dec 29, 2011)

I know this thread is long dead, however adding this here to aid any Googlers stumbling onto this page, slaving on a busy name-server is an advantage in reduced load and faster query response.  ICANN have a policy on this, and provide two servers you can slave from.  Refer to their website:

http://dns.icann.org/services/axfr/

I don't think you will see any measurable difference between slaving on a server that does relatively few queries, and in this case simply caching is probaly going to make for a simpler config file.


----------

