
refresh_callback: zone fossilbar.ch/IN: failure for 194.208.60.10#53: timed out


Marcel Malin

Dec 14, 2001, 11:59:19 AM
Please help me,... what can this mean? Is there a problem with the master
server or the slave server?

Regards

Marcel Malin

Barry Margolin

Dec 14, 2001, 3:09:58 PM
In article <9vdb57$j...@pub3.rc.vix.com>,

Marcel Malin <marcel...@schulen.li> wrote:
>Please help me,... what can this mean? Is there a problem with the master
>server or the slave server?

Usually it's either a problem with the master server or the network. When
the slave tried to query the master server to get the SOA record, it didn't
get a response. It could be because the master is down, it could be due to
a firewall blocking DNS packets from the slave to the master, or blocking
the responses going back to the slave. It could be because a network
connection along the way is down. Anything you can imagine that would
prevent a DNS query/response from succeeding could be the cause.

--
Barry Margolin, bar...@genuity.net
Genuity, Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.

Marcel Malin

Dec 18, 2001, 10:42:04 AM
There is an IPchains script running on the DNS server. Is there something
wrong with the script?

/sbin/ipchains -A input -i eth0 -s ! 192.168.0.254 1024:65535 -d 194.208.60.10 53 -p ! icmp -j ACCEPT
/sbin/ipchains -A output -i eth0 -s 194.208.60.10 53 -d ! 192.168.0.254 1024:65535 -p ! icmp -j ACCEPT

eth0 is the external NIC (IP 194.208.60.10); the internal IP is
192.168.0.254. It should allow TCP and UDP packets....


Cheers

Marcel Malin


"Barry Margolin" <bar...@genuity.net> wrote in message
news:9vdmam$k...@pub3.rc.vix.com...

Michael Kjorling

Dec 18, 2001, 10:50:49 AM


OK, let's analyze these two.

(1) Add a rule to the "input" chain, matching packets traversing on
eth0 with a source address not equal to 192.168.0.254, but with a
source port in the range 1024 thru 65535, and a destination address of
194.208.60.10 on port 53, on protocols other than ICMP, and accept
packets matching the rule.

(2) Add a rule to the "output" chain, matching packets traversing on
eth0 with a source address of 194.208.60.10 on port 53, and a
destination address not equal to 192.168.0.254, but with a destination
port of 1024 thru 65535, on protocols other than ICMP, and let those
packets through.

What are you trying to accomplish with these two? They seem like a
mess to me - why not just do it the simple way and allow TCP and UDP
traffic to/from port 53 on the remote name server?

Also remember that IP spoofing with UDP is extremely trivial.


Michael Kjörling


On Dec 18 2001 12:21 +0100, Marcel Malin wrote:

> There is an IPchains script running on the DNS server. Is there something
> wrong with the script?
>
> /sbin/ipchains -A input -i eth0 -s ! 192.168.0.254 1024:65535 -d 194.208.60.10 53 -p ! icmp -j ACCEPT
> /sbin/ipchains -A output -i eth0 -s 194.208.60.10 53 -d ! 192.168.0.254 1024:65535 -p ! icmp -j ACCEPT
>
> eth0 is the external NIC (IP 194.208.60.10); the internal IP is
> 192.168.0.254. It should allow TCP and UDP packets....
>
>
> Cheers
>
> Marcel Malin

--
Michael Kjörling -- Programmer/Network administrator ^..^
Internet: mic...@kjorling.com -- FidoNet: 2:204/254.4 \/
PGP: 95f1 074d 336d f8f0 f297 6a5b 2aa3 7bfd 8a70 e33e

"There is something to be said about not trying to be glamorous
and popular and cool. Just be real -- and life will be real."
(Joyce Sequichie Hifler, September 13 2001, www.hifler.com)
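
Added example (not part of any post in this thread): a small Python model of the two quoted rules, following the reading given in the reply above, applied to constructed packets on the master's eth0. The slave address 198.51.100.7, the port numbers and the case of a slave sending queries from source port 53 are constructed for illustration; the interface match is ignored, and since the thread shows neither the chain policy nor any other rules, non-matching packets are reported only as falling through.

```python
from dataclasses import dataclass

MASTER = "194.208.60.10"     # eth0 address given in the thread
INTERNAL = "192.168.0.254"   # internal address given in the thread
SLAVE = "198.51.100.7"       # constructed (RFC 5737 documentation address)
HIGH = range(1024, 65536)    # the 1024:65535 port range used by both rules

@dataclass(frozen=True)
class Packet:
    chain: str   # "input" or "output"
    proto: str   # "udp", "tcp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int

def rule1(p):  # -A input -s ! INTERNAL 1024:65535 -d MASTER 53 -p ! icmp
    return (p.chain == "input" and p.proto != "icmp" and p.src != INTERNAL
            and p.sport in HIGH and p.dst == MASTER and p.dport == 53)

def rule2(p):  # -A output -s MASTER 53 -d ! INTERNAL 1024:65535 -p ! icmp
    return (p.chain == "output" and p.proto != "icmp" and p.src == MASTER
            and p.sport == 53 and p.dst != INTERNAL and p.dport in HIGH)

def verdict(p):
    """ACCEPT if either quoted rule matches; otherwise the packet falls
    through to later rules or the chain policy (not shown in the thread)."""
    if rule1(p):
        return "ACCEPT (rule 1)"
    if rule2(p):
        return "ACCEPT (rule 2)"
    return "falls through"

# Constructed sample packets as seen on the master's eth0.
SAMPLES = {
    "SOA query, UDP, high source port": Packet("input", "udp", SLAVE, 32768, MASTER, 53),
    "SOA reply to that query": Packet("output", "udp", MASTER, 53, SLAVE, 32768),
    "zone transfer, TCP, high source port": Packet("input", "tcp", SLAVE, 40000, MASTER, 53),
    "SOA query sent from source port 53": Packet("input", "udp", SLAVE, 53, MASTER, 53),
    "reply to the port-53 query": Packet("output", "udp", MASTER, 53, SLAVE, 53),
    "NOTIFY from master to slave": Packet("output", "udp", MASTER, 32769, SLAVE, 53),
}

def report():
    return {name: verdict(p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name:40} {result}")
```

Packets reported as falling through are the ones to check against the rest of the script and the chain policy when the slave logs a refresh timeout.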
