Hurricane Electric's IPv6 Tunnel Broker Forums


Topic: [SOLVED] NOTIFY messages being refused

striek

[SOLVED] NOTIFY messages being refused
« on: September 30, 2016, 04:45:31 PM »

Hi all,

I have HE DNS set up as a slave to my domains - everything is working well except for NOTIFY updates.

I seem to be unable to send NOTIFY updates to ns1.he.net - when I do, I get a response back that the update has been refused. It doesn't show up in the BIND logs, but I tripped over this while grokking tcpdump output trying to figure out the problem:

Code:
root@namemaster-01:/home/ken# service bind9 restart
root@namemaster-01:/home/ken# 23:29:13.900612 IP 10.10.10.10.23045 > 216.218.130.2.53: 42247 notify [b2&3=0x2400] [1a] SOA? domain1.ca. (83)
23:29:13.935776 IP 216.218.130.2.53 > 10.10.10.10.23045: 42247 notify Refused*- 0/0/0 (26)
23:29:14.392570 IP 10.10.10.10.54136 > 216.218.130.2.53: 26176 notify [b2&3=0x2400] [1a] SOA? domain2.com. (85)
23:29:14.427565 IP 216.218.130.2.53 > 10.10.10.10.54136: 26176 notify Refused*- 0/0/0 (28)
23:29:14.892512 IP 10.10.10.10.32468 > 216.218.130.2.53: 59642 notify [b2&3=0x2400] [1a] SOA? reverseDomain.in-addr.arpa. (104)
23:29:14.926442 IP 216.218.130.2.53 > 10.10.10.10.32468: 59642 notify Refused*- 0/0/0 (47)

IP addresses have been obfuscated, obviously, but the 10.10.10.10 server you see there is set up as the master for all these domains.

Any idea why these NOTIFY messages are being refused? I'm racking my brain trying to figure it out and I'm at a dead end...
« Last Edit: October 01, 2016, 07:43:37 AM by striek »

striek

Re: [SOLVED] NOTIFY messages being refused
« Reply #1 on: October 01, 2016, 07:46:17 AM »

This was actually because of a mangled firewall rule on my end - I was masquerading connections from my nameserver to look like they were coming from my router - which, obviously, is not listed as the primary nameserver in the zone settings.

I couldn't see the problem with tcpdump output from the nameserver, but looking at tcpdump output on the router while investigating something else made it obvious.
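An added example (not code from the thread or from Hurricane Electric) that turns the check described above into a script: it parses tcpdump's DNS summary lines, pairs each NOTIFY with its response by transaction id, and flags refusals whose source address is not the zone's declared master. The sample capture is constructed; 10.10.10.10 is the master from the post, and 198.51.100.1 is an assumed placeholder for the router's masqueraded address as it would appear in a router-side capture.

```python
import re

# Constructed sample in tcpdump's DNS summary format (not a real capture).
# Exchange 1: what the nameserver itself sees (source is the declared master).
# Exchange 2: the same kind of NOTIFY as seen on the router after masquerading,
# where the source has been rewritten to the router's address (placeholder).
SAMPLE = """\
23:29:13.900612 IP 10.10.10.10.23045 > 216.218.130.2.53: 42247 notify [b2&3=0x2400] [1a] SOA? domain1.ca. (83)
23:29:13.935776 IP 216.218.130.2.53 > 10.10.10.10.23045: 42247 notify Refused*- 0/0/0 (26)
23:29:14.392570 IP 198.51.100.1.54136 > 216.218.130.2.53: 26176 notify [b2&3=0x2400] [1a] SOA? domain2.com. (85)
23:29:14.427565 IP 216.218.130.2.53 > 198.51.100.1.54136: 26176 notify Refused*- 0/0/0 (28)
"""

# timestamp, "IP", src.sport > dst.dport:, txid, "notify", remainder of the line
LINE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+) notify(?P<rest>.*)$"
)


def parse_notify_lines(text):
    """Pair NOTIFY requests with their responses keyed by (peer, port, txid)."""
    pending, results = {}, []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        f = m.groupdict()
        if f["dport"] == "53":  # request towards the secondary
            zone = re.search(r"SOA\? (\S+) \(", f["rest"])
            pending[(f["src"], f["sport"], f["txid"])] = {
                "zone": zone.group(1).rstrip(".") if zone else None,
                "source": f["src"], "server": f["dst"], "rcode": None}
        else:  # response back to the sender's ephemeral port
            key = (f["dst"], f["dport"], f["txid"])
            if key in pending:
                entry = pending.pop(key)
                # tcpdump prints a non-zero rcode name ("Refused") followed by
                # flag characters (*, -, $, |); an absent name means NoError.
                entry["rcode"] = f["rest"].split()[0].rstrip("*-$|") or "NoError"
                results.append(entry)
    return results


def refused_from_unexpected_source(text, declared_master):
    """Zones whose NOTIFY was refused and did not arrive from the declared master."""
    return [e["zone"] for e in parse_notify_lines(text)
            if e["rcode"] == "Refused" and e["source"] != declared_master]
```

Run the same function over a capture taken on the router rather than on the nameserver: a refusal whose source is the router's address rather than the declared master is exactly the masquerade symptom in this thread.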