How to Force Immediate BIND DNS Zone Transfer and Synchronization Between Master-Slave Servers



When working with BIND DNS servers in a master-slave configuration, you might encounter situations where zone updates aren't propagating immediately. In your case, despite incrementing the serial number and making changes to the master zone file, the slave server wasn't synchronizing quickly enough.

Let's examine the current configuration files from both servers:

Master (192.168.0.122) /etc/named.conf

zone "domain.com." {
    type master;
    file "caching-example/domain.com.db";
    notify yes;
    also-notify    { 192.168.0.66; };
    allow-transfer { 192.168.0.66; };
};

Slave (192.168.0.66) /etc/named.conf

zone "domain.com" {
    type slave;
    file "caching-example/domain.com.db";
    allow-notify { 192.168.0.122; };
    masters      { 192.168.0.122; };
};

1. Using rndc Commands

You tried rndc refresh domain.com, which only queues a refresh. The following commands force an immediate transfer:

# On master server (freeze/thaw apply to zones that accept dynamic updates;
# for a hand-edited zone file, rndc reload on its own is enough):
rndc freeze domain.com
rndc reload domain.com
rndc thaw domain.com

# On slave server:
rndc retransfer domain.com

2. Forcing Zone Transfer from Slave

To immediately pull updates from master to slave:

# On slave server:
rndc refresh domain.com
rndc reconfig

3. Checking Zone Status

Verify the current zone status on both servers:

rndc status

Add these parameters to your zone configuration on both servers:

zone "domain.com" {
    ...
    notify explicit;              // send NOTIFY only to the also-notify list
    notify-delay 0;               // master: send the NOTIFY without the default delay
    serial-update-method date;    // master: only affects dynamically updated zones
    max-transfer-time-in 60;      // slave: abort an inbound transfer after 60 minutes
};

Enable detailed logging to monitor transfer events:

logging {
    channel transfer_log {
        file "/var/log/named-transfer.log" versions 5 size 50m;
        severity debug 3;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    category xfer-in { transfer_log; };
    category xfer-out { transfer_log; };
    category notify { transfer_log; };
};

If transfers still fail after this, check the basics:

  • Verify network connectivity between servers
  • Check firewall rules for port 53 (TCP and UDP)
  • Ensure time synchronization (NTP) between servers
  • Verify file permissions on zone files
  • Check SELinux/AppArmor restrictions if enabled

Create a script to automate serial updates and notifications:

#!/bin/bash
# update_zone.sh - set the SOA serial to YYYYMMDDHH, then reload and notify
set -e
ZONE="domain.com"
ZONEFILE="/var/named/caching-example/$ZONE.db"
SERIAL=$(date +%Y%m%d%H)    # 10 digits, e.g. 2012033102
# Replace the existing 10-digit serial, but only on the line commented "; Serial"
sed -i "/; Serial/s/20[0-9]\{8\}/$SERIAL/" "$ZONEFILE"
rndc reload "$ZONE"
rndc notify "$ZONE"

When working with BIND DNS servers, administrators often encounter delays in zone transfers between master and slave servers. The scenario described shows a common pain point:

dig @192.168.0.122 domain.com
domain.com.     3600    IN  A   8.8.8.8

dig @192.168.0.66 domain.com
domain.com.     3600    IN  A   162.144.18.114

The slave server isn't immediately reflecting changes made on the master, despite proper configuration with notify and also-notify directives.

Here are several methods to force immediate zone updates:

Method 1: Using rndc on the Slave

While rndc refresh might not always work as expected, try these alternatives:

# Force a zone transfer from the slave
rndc retransfer domain.com

# Alternatively, reload the zone
rndc reload domain.com

Method 2: Master Server Push

From the master server, force a notification:

rndc notify domain.com

Modify your zone file parameters for better performance:

$TTL    3600
$ORIGIN domain.com.
@       IN      SOA     darkstar.example.net.    root.example.net. (
                 2012033102         ; Serial
                       900          ; Reduced Refresh (15 min)
                       300          ; Reduced Retry (5 min)
                     86400          ; Expire (1 day)
                       300 )        ; Reduced Negative Cache TTL (5 min)

Check these log entries to verify transfer status:

Feb 16 01:00:21 darkstar named[1460]: zone domain.com/IN: transferred serial 2012033102
Feb 16 01:00:21 darkstar named[1460]: transfer of 'domain.com/IN' from 192.168.0.122#53: Transfer completed
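As an added example that is not part of the original article, the shell functions below summarise named transfer log lines of the kind shown above: the newest serial pulled for a zone, which master served it, and how many attempts failed. The SAMPLE_LOG lines are constructed in named's own message format (including one refused transfer); the function names and the log path fallback are assumptions.

```shell
#!/bin/bash
# Added example (not from the original article): summarise BIND transfer log
# lines like the ones shown above. SAMPLE_LOG is constructed in named's own
# message format; the function names are assumptions.

SAMPLE_LOG=$(cat <<'EOF'
Feb 16 01:00:21 darkstar named[1460]: zone domain.com/IN: transferred serial 2012033101
Feb 16 01:00:21 darkstar named[1460]: transfer of 'domain.com/IN' from 192.168.0.122#53: Transfer completed
Feb 16 02:00:07 darkstar named[1460]: transfer of 'domain.com/IN' from 192.168.0.122#53: failed while receiving responses: REFUSED
Feb 16 03:00:09 darkstar named[1460]: zone domain.com/IN: transferred serial 2012033102
Feb 16 03:00:09 darkstar named[1460]: transfer of 'domain.com/IN' from 192.168.0.122#53: Transfer completed
EOF
)

# Newest serial the slave pulled for zone $1, read from log text on stdin
# (empty output if the zone never transferred).
last_transferred_serial() {
    awk -v tag="zone $1/IN: transferred serial" \
        'index($0, tag) { s = $NF } END { print s }'
}

# Address of the master that served the most recent completed transfer of $1.
# Anything other than the configured master means transfers are coming from
# an unexpected source and deserves a look.
last_transfer_source() {
    awk -v tag="transfer of '$1/IN' from" \
        'index($0, tag) && /: Transfer completed$/ {
            src = $(NF-2); sub(/#.*/, "", src)
         }
         END { print src }'
}

# Count of failed transfer attempts for zone $1 (REFUSED usually means the
# slave is not listed in the master's allow-transfer).
failed_transfers() {
    awk -v tag="transfer of '$1/IN' from" \
        'index($0, tag) && /: failed/ { n++ } END { print n + 0 }'
}

# One-line report for a zone, from log text on stdin.
report_zone() {
    local zone="$1" log
    log=$(cat)
    printf 'zone %s: last serial %s from %s, %s failed attempt(s)\n' "$zone" \
        "$(printf '%s\n' "$log" | last_transferred_serial "$zone")" \
        "$(printf '%s\n' "$log" | last_transfer_source "$zone")" \
        "$(printf '%s\n' "$log" | failed_transfers "$zone")"
}

# Use the real log from the logging stanza when it exists, else the sample.
LOGFILE="/var/log/named-transfer.log"
if [ -r "$LOGFILE" ]; then
    report_zone domain.com < "$LOGFILE"
else
    printf '%s\n' "$SAMPLE_LOG" | report_zone domain.com
fi
```

Run on the slave against the transfer log configured in the logging stanza; a rising failure count with REFUSED points at the master's allow-transfer list, while a source address other than the configured master is worth investigating before anything else.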

Create a script to monitor and force transfers when changes are detected:

#!/bin/bash
# check_sync.sh - run on the slave: compare SOA serials, retransfer if behind
ZONE="domain.com"
MASTER_SERIAL=$(dig @192.168.0.122 "$ZONE" SOA +short | awk '{print $3}')
SLAVE_SERIAL=$(dig @192.168.0.66 "$ZONE" SOA +short | awk '{print $3}')

# An empty value means a query failed; -gt would error out on it
if [ -z "$MASTER_SERIAL" ] || [ -z "$SLAVE_SERIAL" ]; then
    echo "Could not read the SOA from one of the servers" >&2
    exit 2
fi

if [ "$MASTER_SERIAL" -gt "$SLAVE_SERIAL" ]; then
    echo "Zone out of sync, forcing transfer..."
    rndc retransfer "$ZONE"
fi

When implementing forced transfers, ensure your configuration includes proper access controls:

zone "domain.com" {
    type slave;
    file "caching-example/domain.com.db";
    allow-notify { 192.168.0.122; };
    masters      { 192.168.0.122; };
    allow-transfer { none; };  # Restrict who may request zone transfers from the slave
};
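The monitor script above compares serials with a plain numeric test, and the configuration above restricts AXFR; the added example below (not the article's own code) checks both more carefully. Serials are compared with the RFC 1982 wrap-around arithmetic that BIND itself uses, and a dig AXFR transcript is classified as served or refused so you can confirm that allow-transfer is actually enforced. The sample SOA answers and dig transcripts are constructed; the function names and the RUN_LIVE switch are assumptions.

```shell
#!/bin/bash
# Added example (not from the original article): offline-testable helpers for
# (a) comparing SOA serials the way RFC 1982 defines it, including the wrap
#     at 2^32, and
# (b) classifying a 'dig ... AXFR' transcript as served or refused, which is
#     how you confirm that allow-transfer is actually enforced.
# The sample outputs are constructed; function names and RUN_LIVE are assumptions.

ZONE="domain.com"
MASTER="192.168.0.122"
SLAVE="192.168.0.66"

# 'dig ... SOA +short' answers: the third field is the serial.
MASTER_SOA_SAMPLE='ns1.domain.com. root.domain.com. 2012033102 900 300 86400 300'
SLAVE_SOA_SAMPLE='ns1.domain.com. root.domain.com. 2012033101 900 300 86400 300'

# What dig prints when the server refuses the transfer (what outsiders should see).
AXFR_REFUSED_SAMPLE='; <<>> DiG 9.16.1 <<>> @192.168.0.66 domain.com AXFR
; (1 server found)
;; global options: +cmd
; Transfer failed.'

# What dig prints when the whole zone is handed out.
AXFR_SERVED_SAMPLE='domain.com.  3600 IN SOA ns1.domain.com. root.domain.com. 2012033102 900 300 86400 300
domain.com.  3600 IN NS  ns1.domain.com.
domain.com.  3600 IN A   8.8.8.8
domain.com.  3600 IN SOA ns1.domain.com. root.domain.com. 2012033102 900 300 86400 300
;; Query time: 1 msec
;; XFR size: 4 records (messages 1, bytes 180)'

# Serial from a +short SOA answer on stdin (empty if the query returned nothing).
soa_serial() {
    awk 'NF >= 3 { print $3; exit }'
}

# RFC 1982: $1 is newer than $2 when (a - b) mod 2^32 lies in (0, 2^31).
# A plain -gt test wrongly treats 1 as older than 4294967295 after a wrap.
serial_newer() {
    local a="$1" b="$2" diff
    diff=$(( (a - b + 4294967296) % 4294967296 ))
    [ "$diff" -gt 0 ] && [ "$diff" -lt 2147483648 ]
}

# Returns 0 if the transcript on stdin is a completed transfer, 1 if refused.
axfr_served() {
    local out
    out=$(cat)
    if printf '%s\n' "$out" | grep -q '^; Transfer failed'; then
        return 1
    fi
    printf '%s\n' "$out" | grep -q '^;; XFR size:'
}

# Live check, meant to run from an admin host that is NOT in any allow-transfer
# list, so a served AXFR is a misconfiguration rather than expected behaviour.
check_zone_live() {
    local m s
    m=$(dig @"$MASTER" "$ZONE" SOA +short | soa_serial)
    s=$(dig @"$SLAVE" "$ZONE" SOA +short | soa_serial)
    if [ -z "$m" ] || [ -z "$s" ]; then
        echo "could not read the SOA from one of the servers" >&2
        return 2
    fi
    if serial_newer "$m" "$s"; then
        echo "slave is behind (master $m, slave $s): run 'rndc retransfer $ZONE' on the slave"
    else
        echo "serials agree: master $m, slave $s"
    fi
    if dig @"$SLAVE" "$ZONE" AXFR | axfr_served; then
        echo "WARNING: $SLAVE hands out $ZONE to this host; check allow-transfer" >&2
        return 1
    fi
    echo "$SLAVE refuses AXFR to this host, as configured"
}

if [ "${RUN_LIVE:-0}" = 1 ]; then
    check_zone_live
fi
```

Run it as RUN_LIVE=1 ./check_zone.sh from a host outside both allow-transfer lists; the serial comparison tells you whether a retransfer is needed, and the AXFR classification confirms the slave's allow-transfer { none; } is doing its job.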