Cannot replicate DNS zone data from master on LAN to slave behind firewall in a DMZ

Here is some information about my setup. I have a master DNS server in my LAN subnet running on a Ubuntu 16.04 box. In addition, I have some slave DNS servers on my various other subnets (DMZ subnet, service subnet, etc.). All DNS slave servers run different kinds of Linux. Since my master DNS server must know several different subnets, it is set up as split DNS / split horizon. My firewall defines three zones: LAN, WAN, and DMZ. For safety reasons, no connection from DMZ to LAN can be initiated. The connection must be initiated from the LAN subnet. Such is by policy and I do not want to change it. # Technical information about relevant servers: # Master DNS on my LAN subnet: OS: Ubuntu 16.04 Hostname: master.lan.mydomain.dk IP: 192.168.1.4 255.255.255.0 Slave DNS on DMZ subnet: OS: Debian 9 Hostname: tools.dmz.mydomain.dk IP: 172.16.1.4 255.255.255.0 Immediately, my split horizon setup works fine on my master server. But I can not replicate between master and slave server. There is no transfer of zone files. ## Here are the relevant setup files: ## ### named.conf from master DNS server: ### key "rndc-key" { algorithm hmac-md5; secret "w26wwSa7rJB04IsuW99kGQ=="; }; controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; }; }; include "/etc/bind/named.conf.logging"; include "/etc/bind/named.conf.keys"; include "/etc/bind/named.conf.options"; include "/etc/bind/named.conf.local"; ### named.conf.keys from master DNS server: ### Key definitions are placed in a separate file, so they can be easily updated via rsync. key lan-key { algorithm HMAC-MD5; secret AaEjmxhg3WT2; }; key dmz-key { algorithm HMAC-MD5; secret BEhp4DeLnX4u; }; key service-key { algorithm HMAC-MD5; secret 7rP4CN3Km2QT; }; key management-key { algorithm HMAC-MD5; secret gNsRz2H7AxLH; }; key update-key { algorithm HMAC-MD5; secret B88bqW33Fuap; }; ### named.conf.local from master DNS server: ### // // Do any local configuration here // // Keys are defined in /etc/bind/named.conf.keys // acl lan-subnet { !key dmz-key; !key service-key; !key management-key; key lan-key; 127.0.0.0/8; 192.168.1.0/24; }; acl dmz-subnet { !key lan-key; !key service-key; !key management-key; key dmz-key; 172.16.1.0/24; }; acl service-subnet { !key lan-key; !key dmz-key; !key management-key; key service-key; 192.168.128.0/24; }; acl management-subnet { !key lan-key; !key dmz-key; !key service-key; key management-key; 10.21.12.0/24; }; view "internal" { match-clients { lan-subnet; }; allow-recursion { any; }; allow-transfer { key lan-key; }; allow-update { key update-key; }; // prime the server with knowledge of the root servers zone "." { type hint; file "/etc/bind/db.root"; }; // be authoritative for the localhost forward and reverse zones, and for // broadcast zones as per RFC 1912 zone "localhost" { type master; file "/etc/bind/db.local"; }; zone "127.in-addr.arpa" { type master; file "/etc/bind/db.127"; }; zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; }; zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; }; zone "lan.mydomain.dk" { type master; file "/etc/bind/internals/db.lan.mydomain.dk"; # zone file path also-notify { 192.168.1.5 key lan-key; }; notify yes; }; zone "1.168.192.in-addr.arpa" { type master; file "/etc/bind/internals/db.192.168.1-rev"; also-notify { 192.168.1.5 key lan-key; }; notify yes; }; zone "dmz.mydomain.dk" { type master; file "/etc/bind/internals/db.dmz.mydomain.dk"; # zone file path also-notify { 192.168.1.5 key lan-key; 172.16.1.4 key dmz-key; 172.16.1.5 key dmz-key; 127.0.0.1 key dmz-key; }; notify yes; }; zone "1.16.172.in-addr.arpa" { type master; file "/etc/bind/internals/db.172.16.1-rev"; also-notify { 192.168.1.5 key lan-key; 172.16.1.4 key dmz-key; 172.16.1.5 key dmz-key; 127.0.0.1 key dmz-key; }; notify yes; }; zone "service.mydomain.dk" { type master; file "/etc/bind/internals/db.service.mydomain.dk"; # zone file path also-notify { 192.168.1.5 key lan-key; 192.168.1.10 key service-key; 192.168.1.11 key service-key; 127.0.0.1 key service-key; }; notify yes; }; zone "128.168.192.in-addr.arpa" { type master; file "/etc/bind/internals/db.192.168.128-rev"; also-notify { 192.168.1.5 key lan-key; 192.168.1.10 key service-key; 192.168.1.11 key service-key; 127.0.0.1 key service-key; }; notify yes; }; zone "management.mydomain.dk" { type master; file "/etc/bind/internals/db.management.mydomain.dk"; # zone file path also-notify { 192.168.1.5 key lan-key; 10.21.12.4 key management-key; 127.0.0.1 key management-key; }; notify yes; }; zone "12.21.10.in-addr.arpa" { type master; file "/etc/bind/internals/db.10.21.12-rev"; also-notify { 192.168.1.5 key lan-key; 10.21.12.4 key management-key; 127.0.0.1 key management-key; }; notify yes; }; }; view "externals" { match-clients { any; }; allow-recursion { none; }; allow-transfer { key dmz-key; }; zone "dmz.mydomain.dk" { type slave; masters { 127.0.0.1 key lan-key; }; file "/etc/bind/externals/db.dmz.mydomain.dk"; # zone file path also-notify { 192.168.1.5 key dmz-key; }; }; zone "1.16.172.in-addr.arpa" { type slave; masters { 127.0.0.1 key lan-key; }; file "/etc/bind/externals/db.172.16.1-rev"; also-notify { 192.168.1.5 key dmz-key; }; }; }; view "services" { match-clients { service-subnet; }; allow-recursion { none; }; allow-transfer { key service-key; }; zone "service.mydomain.dk" { type slave; masters { 127.0.0.1 key lan-key; }; file "/etc/bind/services/db.service.mydomain.dk"; # zone file path also-notify { 192.168.1.5 key service-key; }; }; zone "128.168.192.in-addr.arpa" { type slave; masters { 127.0.0.1 key lan-key; }; file "/etc/bind/services/db.192.168.128-rev"; also-notify { 192.168.1.5 key service-key; }; }; }; view "management" { match-clients { management-subnet; }; allow-recursion { none; }; allow-transfer { key management-key; }; zone "management.mydomain.dk" { type slave; masters { 127.0.0.1 key lan-key; }; file "/etc/bind/management/db.management.mydomain.dk"; # zone file path also-notify { 192.168.1.5 key management-key; }; }; zone "12.21.10.in-addr.arpa" { type slave; masters { 127.0.0.1 key lan-key; }; file "/etc/bind/management/db.10.21.12-rev"; also-notify { 192.168.1.5 key management-key; }; }; }; ### db.dmz.mydomain.dk from master DNS server: ### $TTL 604800 @ IN SOA ns1.dmz.mydomain.dk. root.lan.mydomain.dk. ( 2018102001 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ) ; Negative Cache TTL ; name and mail servers - NS records @ IN NS ns1.dmz.mydomain.dk. IN NS ns2.dmz.mydomain.dk. IN MX 10 proxymail.dmz.mydomain.dk. IN A 172.16.1.4 ; name servers - A records ns1.dmz.mydomain.dk. IN A 172.16.1.4 ns2.dmz.mydomain.dk. IN A 172.16.1.5 ; 172.16.1.0/24 - A records fwdmz.dmz.mydomain.dk. IN A 172.16.1.2 tools.dmz.mydomain.dk. IN A 172.16.1.4 x3690.vmhost.dmz.mydomain.dk. IN A 172.16.1.20 x3650.vmhost.dmz.mydomain.dk. IN A 172.16.1.21 wwwgate.dmz.mydomain.dk. IN A 172.16.1.30 proxymail.dmz.mydomain.dk. IN A 172.16.1.40 ### named.conf.local from slave DNS server: zone "dmz.mydomain.dk" { type slave; file "/etc/bind/slaves/db.dmz.mydomain.dk"; masters { 172.16.1.1 key dmz-key; }; }; zone "1.16.172.in-addr.arpa" { type slave; file "/etc/bind/slaves/db.172.16.1-rev"; masters { 172.16.1.1 key dmz-key; }; }; As can be seen from the above, I have set the master IP address to be 172.16.1.1 which is the gateway address of the DMZ subnet. The firewall converts any LAN address to the DMZ gateway address followed by a random port number. So it does not make sense to put it into the master server's LAN IP address, which is never allowed to pass through the firewall. On the slave server there is the following error message: "zone dmz.mydomain.dk/IN: refused notify from non-master: 172.16.1.1#47161". So, I can understand why the error message comes because I only specified that the master server is called 172.16.1.1 and not 172.16.1.1#47161. So how do I get Bind9 on the slave server to accept that it's not just an IP address but an IP address and a random port number? Thanks in advance.