So, my original issue was ns1 not updating ns2 and ns3. Over the past few months, and specifically today, I have narrowed it down and seen the specific issue. I have 32 external IPs; each server has a 10.0.0.0/24 IP and, using pfSense, these are mapped external IP > internal IP. ns1 gets an error when I request from ns2:

Code:
    2025-10-23T16:32:45.734550+01:00 ns1 named[633]: client @0x7f6362dea168 10.0.0.1#61916 (tlsystems.co.uk): zone transfer 'tlsystems.co.uk/AXFR/IN' denied

and it looks like all communication between the servers is using 10.0.0.1 when received. A ChatGPT query states to add

Code:
    options {
        allow-transfer { 10.0.0.0/24; };
    };

to /etc/bind/named.conf.options, or this code snippet:

Code:
    acl "secondary-servers" {
        192.0.2.1;
        192.0.2.2;
        10.0.0.10;
    };

    options {
        directory "/var/cache/bind";
        // ... other options ...
    };

Will this fix the issue with communication between the 3 servers? I have ruled out permissions for /etc/bind/slave. Thanks
You can try that. If your servers communicate on the internal network, then you must allow access either by globally allowing it in the named config or by using 10.0.0.0/24 in the allow-xfer-to field of the primary zones.
Thanks Till. So do I have to change the DNS zones' allow-transfer from using the external IP to the internal IP?
You must allow the IP addresses used by the secondary BIND systems to connect to the primary server, as seen by the primary. If that's the internal IP in your case, you must use it.
You have a whole other problem than BIND config! If all 3 servers are in the same network they should communicate with each other directly and therefore connect using their respective 10.0.0.x addresses. When you see only connections from 10.0.0.1 (I assume your pfSense), it means connections are made via WAN and not over LAN directly. Don't implement ChatGPT's suggestions! Or if you already have, undo them! With proper configuration of DNS zones in ISPConfig those suggestions are not necessary and may even lead to more problems which will be hard to find because they are outside ISPConfig's default config scope. So figure out why your nameservers want to connect to each other over WAN instead of LAN directly. Fix that and all should work just fine, assuming you've configured all zones correctly in ISPConfig.
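As an added example (not from the thread or from ISPConfig), a small Python script that reads named's "zone transfer ... denied" log lines and separates the two causes discussed above: a request arriving from the LAN gateway address means the secondary reached the primary over the WAN/NAT path, while a request from a known secondary's own LAN address means the primary's allow-transfer list is what is missing. The secondary addresses, the gateway address and every log line except the first are constructed assumptions.

```python
import re

# Constructed sample log: first line mirrors the one quoted in the thread,
# the others are made up to show the other outcomes.
SAMPLE_LOG = """\
2025-10-23T16:32:45.734550+01:00 ns1 named[633]: client @0x7f6362dea168 10.0.0.1#61916 (tlsystems.co.uk): zone transfer 'tlsystems.co.uk/AXFR/IN' denied
2025-10-23T16:33:01.000000+01:00 ns1 named[633]: client @0x7f6362dea168 10.0.0.12#53012 (example.test): zone transfer 'example.test/AXFR/IN' denied
2025-10-23T16:33:05.000000+01:00 ns1 named[633]: client @0x7f6362dea168 198.51.100.7#44100 (example.test): zone transfer 'example.test/IXFR/IN' denied
2025-10-23T16:33:09.000000+01:00 ns1 named[633]: client @0x7f6362dea168 10.0.0.12#53099 (example.test): transfer of 'example.test/IN': AXFR started
"""

# Matches BIND's "zone transfer '<zone>/<AXFR|IXFR>/IN' denied" client log line.
DENIED_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]+)\): zone transfer '(?P<zone>[^'/]+)/(?P<xfr>[AI]XFR)/IN' denied"
)

def classify(src_ip, secondaries, gateway):
    """Decide why the primary saw this source address on a denied transfer."""
    if src_ip == gateway:
        # Request was NATed by the firewall: the secondary went out via WAN
        # and came back in, so the primary never sees its real LAN address.
        return "via-gateway"
    if src_ip in secondaries:
        # Secondary used its own LAN address; the ACL on the primary is the gap.
        return "acl"
    # Anyone else asking for AXFR/IXFR should stay denied.
    return "unexpected"

def denied_transfers(log_text, secondaries, gateway):
    """Return one record per denied transfer line with a verdict attached."""
    secondaries = set(secondaries)
    records = []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if not m:
            continue  # started/completed transfers and unrelated lines are skipped
        ip = m.group("ip")
        records.append({
            "ip": ip,
            "zone": m.group("zone"),
            "xfr": m.group("xfr"),
            "verdict": classify(ip, secondaries, gateway),
        })
    return records

if __name__ == "__main__":
    for rec in denied_transfers(SAMPLE_LOG, {"10.0.0.12", "10.0.0.13"}, "10.0.0.1"):
        print(f"{rec['zone']:<20} {rec['xfr']} from {rec['ip']:<15} -> {rec['verdict']}")
```

A "via-gateway" verdict on every line is the symptom described in this thread; "acl" verdicts are the only case where editing allow-transfer (via the zone's transfer field in ISPConfig) is the right fix.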