Feb 17 / Greg

Bind 9 – “refused notify from non-master”

I was adding a new slave DNS server the other day on BIND 9.3 and I was getting this error: “refused notify from non-master”. It seems that if you are using BIND 9.3, it tries to send a NOTIFY to itself even if it is a slave. In the options section of named.conf you need to add an allow-notify entry for its own IP. Replace 192.168.0.1 with your server’s IP.

options {
    // other options
    allow-notify { 192.168.0.1; };
};
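Before widening allow-notify, it helps to confirm that the refused NOTIFYs really come from the server's own address and not from some other host. The following is an added example, not code from the original post: it assumes named's usual message layout "zone NAME/IN: refused notify from non-master: ADDR#PORT" after the syslog prefix, and the log lines, zone names and the 203.0.113.45 address are constructed sample data.

```python
import ipaddress
import re
from collections import Counter

# Matches the message from the post; the trailing "#port" is the source port.
# The optional "/view" part covers servers that log a view name (assumption).
REFUSED = re.compile(
    r"zone (?P<zone>\S+?)/IN(?:/\S+)?: refused notify from non-master: "
    r"(?P<src>[0-9A-Fa-f:.]+)#(?P<port>\d+)"
)

def triage(log_lines, own_addresses):
    """Count refused NOTIFYs per (zone, source), split into self vs. other."""
    own = {ipaddress.ip_address(a) for a in own_addresses}
    result = {"self": Counter(), "other": Counter()}
    for line in log_lines:
        m = REFUSED.search(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue  # malformed address field, ignore the line
        bucket = "self" if src in own else "other"
        result[bucket][(m.group("zone"), str(src))] += 1
    return result

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = """\
Feb 17 10:01:02 ns2 named[2211]: zone example.com/IN: refused notify from non-master: 192.168.0.1#32771
Feb 17 10:01:02 ns2 named[2211]: zone example.com/IN: Transfer started.
Feb 17 10:05:40 ns2 named[2211]: zone example.com/IN: refused notify from non-master: 192.168.0.1#32775
Feb 17 10:09:13 ns2 named[2211]: zone example.org/IN: refused notify from non-master: 203.0.113.45#40112
""".splitlines()

if __name__ == "__main__":
    # 192.168.0.1 is the slave's own IP, as in the post.
    report = triage(SAMPLE_LOG, own_addresses=["192.168.0.1"])
    for bucket, counts in report.items():
        for (zone, src), n in counts.items():
            print(f"{bucket:5} zone={zone} src={src} count={n}")
```

Entries under "self" are the case this post describes. Entries under "other" come from hosts that are not configured masters for the zone and should be checked before any address is added to allow-notify.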

14 Comments

  1. mikeabout / Jan 25 2010

    thank you… couldn’t figure out why it kept complaining, but was working. One less thing to worry about now.

  2. Greg / Jan 26 2010

    NP Mike, thanks for the comment…heh

  3. jedi / Feb 3 2010

    thanks for solution, man 🙂

  4. Greg / Feb 3 2010

    NP 🙂

  5. Roger Wilhelm / Feb 18 2010

    Thank you, been annoyed by this for too long.

  6. Greg / Feb 18 2010

    Glad to help sir.

  7. Dave / Feb 23 2010

    Instead of allowing the slave to notify itself using allow-notify, you can simply disable notifications on the slave using ‘notify no’. Then the slave won’t even send out any notifications even to itself; however, according to my own testing the slave will still accept notifications from its master with notify no in its named.conf.

  8. Greg / Feb 23 2010

    Thanks for the tip Dave!

  9. Andy / Jul 13 2010

    Nice one thanks! Saved me some hassle!

  10. Greg / Jul 13 2010

    NP =)

  11. Gerard / Jul 16 2010

    “When a slave receives a NOTIFY request for a zone from one of its configured master name servers, it responds with a NOTIFY response. The response tells the master that the slave received the NOTIFY request, so that it can stop sending it NOTIFY messages for the zone. Then the slave proceeds just as if the refresh timer had expired: it queries the master server for the SOA record for the zone that the master claimed has changed. If the serial number is higher, the slave transfers the zone.”

    taken from: http://bioinfo2.ugr.es/OReillyReferenceLibrary/networking/dnsbind/ch10_02.htm

    So then, if you disable notify: ‘notify no’, your master is not notified. According to this, the notify statement means if send notify responses (i.e. if slave reply or ack the master notification). If you read the reference this is useful to prevent DOS attacks.

    In my opinion the original post solution seems better 🙂

    Salut!

  12. Greg / Jul 16 2010

    Thanks for the heads up Gerard. I prevent spoofing, so in my case this is a non issue 🙂 Definitely good to know, though. As GI Joe says, knowing is half the battle…the other half is shooting guns and blowing stuff up.

  13. wawan bahtiar / Sep 23 2010

    You rock, man,

    this is very useful for my slave bind.

  14. wawan bahtiar / Sep 23 2010

    Just info,

    I think it is not only BIND 9.3; I use BIND 9.7 and got the same message above.
    Your solution is great.

    Thanks, Greg.
