ZONE Transfer to BIND 8/9

Thread starter: Jerome Schnitzler

Hello NG,

I've got a big problem ... I'm running my own Primary DNS without AD. My ISP
plays the Secondary DNS. When I changed from Linux to Windows 2003, Zone
Transfers were suddenly impossible. I activated all options and allowed zone
transfers from any source, but it was still impossible. I made several tests
with "dig". Normal DNS queries were possible, but when I tried a Transfer
the server was unreachable. Where is the problem?

Thanx

Jerome
 
Assuming that you have set to "all allowed", I would try to specifically put
in the ISP's server's IP address, if you haven't tried that yet.

Also, maybe this might help. It's based on W2k, but it may be applicable:

194129 - Microsoft DNS Fails to Acquire Zone Transfer from BIND Primary:
http://support.microsoft.com/default.aspx?scid=kb;en-us;194129

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
----- Original Message -----
From: "Ace Fekay [MVP]"
<PleaseSubstituteMyActualFirstName&[email protected]>
Newsgroups: microsoft.public.win2000.dns
Sent: Monday, November 24, 2003 5:12 PM
Subject: Re: ZONE Transfer to BIND 8/9

Assuming that you have set to "all allowed", I would try to specifically put
in the ISP's server's IP address, if you haven't tried that yet.

This was the first thing I tried.

Also, maybe this might help. It's based on W2k, but it may be applicable:

194129 - Microsoft DNS Fails to Acquire Zone Transfer from BIND Primary:
http://support.microsoft.com/default.aspx?scid=kb;en-us;194129

I'm sorry, but this article doesn't help. My w2k3 is the Primary DNS and not
the BIND ... so this is not the "right" problem.

Thank you!
 
Sorry, I was hinting that it could happen in reverse, as I've seen
previously.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Jerome Schnitzler said:
This was the first thing I tried.

I'm sorry, but this article doesn't help. My w2k3 is the Primary DNS
and not the BIND ... so this is not the "right" problem.

Thank you!

Check the event log to see if your ISP's DNS is connecting to DNS for a
transfer and if it is getting denied.
Try this tool to query your name server.
http://msv.dk/ms174.asp
 
Checked: All is working fine ... great site by the way ... I also tried dig
under Linux ... it also works fine for queries. The only thing that doesn't
work is the zone transfer. Error message: server not found. Is it hopeless?
 
Jerome Schnitzler said:
Checked: All is working fine ... great site by the way ... I also
tried dig under Linux ... it also works fine for queries. The only thing
that doesn't work is the zone transfer. Error message: server not
found. Is it hopeless?
I don't think it is hopeless. Are you sure it is not a networking issue?
Your event log should show the error when a zone transfer is attempted but
denied by the machine.
Is the connection even making it to the DNS server?
 
Kevin D. Goodknecht said:
I don't think it is hopeless. Are you sure it is not a networking issue?
Your event log should show the error when a zone transfer is attempted but
denied by the machine.
Is the connection even making it to the DNS server?

As I already said, the server connection times out every time I try to
connect. In my tests the error shown by dig is: server not found. I'm
going mad over this error. Why can I do queries, but when I try an AXFR the
server suddenly can't be found?
 
Jerome Schnitzler said:
As I already said, the server connection times out every time I try
to connect. In my tests the error shown by dig is: server not found.
I'm going mad over this error. Why can I do queries, but when I try an
AXFR the server suddenly can't be found?
Something blocking TCP 53?
Does nslookup show the same error?
 
Jerome Schnitzler said:
As I already said, the server connection times out every time I try to
connect. In my tests the error shown by dig is: server not found. I'm
going mad over this error. Why can I do queries, but when I try an AXFR the
server suddenly can't be found?


Well, if you can do queries, then it means the necessary ports are open,
but if you can't do a transfer, then it seems that either it's not being
allowed or the serial number is out of whack. I have seen issues where when
you set it to allow to a specific IP it won't work, but once you set it to
allow all, then it works. Not sure why. Never investigated it further.
Usually I set it to allow to what is in the Name Servers tab. I haven't had
problems with that.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Kevin D. Goodknecht said:
Something blocking TCP 53?
Does nslookup show the same error?

Standard IPSec rules but queries work ... so that can't be the reason

I don't know the specific nslookup command ... do you have a clue?
 
"Ace Fekay [MVP]"
Well, if you can do queries, then it means the necessary ports are open,
but if you can't do a transfer, then it seems that either it's not being
allowed or the serial number is out of whack. I have seen issues where when
you set it to allow to a specific IP it won't work, but once you set it to
allow all, then it works. Not sure why. Never investigated it further.
Usually I set it to allow to what is in the Name Servers tab. I haven't had
problems with that.

Has all been tested ... when the records are not the way they should be on
the secondary DNS ... I get an error protocol with the wrong specifications.
This time all is right and DENIC says it's my provider ... he has no
records ... but I'm sure it is my server, because I receive no records in
transfer mode with any client/server. So what now? Why does everything work
... error messages are generated (and this can only be when a transfer is
possible) and when my provider tries the same he receives an error???
 
Jerome Schnitzler said:
Standard IPSec rules but queries work ... so that can't be the reason

I don't know the specific nslookup command ... do you have a clue?


You're using IPSec? How do you have it set? Server Require security or
Request Security? If set to Require, I can see that can cause this issue. Or
are you just using IPSec's filtering features?

nslookup
set type=all
ls -d domain.com
and it should list all the records in the zone if transfers are set wide
open.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
How do you have it set to allow zone transfers? I'm also curious about that
IPSec issue.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Jerome Schnitzler said:
Standard IPSec rules but queries work ... so that can't be the reason

I don't know the specific nslookup command ... do you have a clue?
nslookup
ls -d domainname
is the zone transfer command.
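What `ls -d domainname` in nslookup (or `dig @server zone AXFR`) actually does on the wire is what this thread is circling around: an ordinary lookup goes out over UDP, but a zone transfer opens a TCP connection to port 53 and reads back length-prefixed DNS messages until the zone's SOA record appears a second time. The script below is an added example, written for this page rather than taken from any of the posters or from Microsoft, and it probes that path directly so the three failure modes discussed above can be told apart: a TCP/53 filter (the connection or the answer times out, exactly the "server not found" symptom while UDP queries keep working), the server itself denying the transfer (RCODE REFUSED or NOTAUTH, which is what the zone's "allow transfers to" setting produces), and a server that answers but hands back no zone. It also includes the serial comparison Ace mentions, using RFC 1982 serial arithmetic, since a secondary with an equal or newer serial never pulls at all. The zone `example.test`, the `192.0.2.x` addresses, the serial `2003112401` and the sample response bytes are all constructed here so the demo runs offline; `axfr_probe()` is the live check you would point at the primary from the secondary's side.

```python
"""Probe a DNS primary's zone transfer over TCP 53 and classify the outcome.
Assumed, not from the thread: zone example.test, 192.0.2.x addresses, serial
2003112401, and the constructed sample responses at the bottom."""
import socket
import struct

QTYPE_A, QTYPE_SOA, QTYPE_AXFR = 1, 6, 252
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}

def encode_name(name):
    """Dotted name -> DNS wire labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, off):
    """Read a possibly compressed name at msg[off]; return (name, next offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if end is not None else off

def build_query(zone, qtype, txid=0x1234):
    """12-byte header (RD=0, as dig sends AXFR) plus one question."""
    return (struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(zone)
            + struct.pack("!HH", qtype, 1))

def tcp_frame(msg):
    """Over TCP every DNS message carries a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg

def parse_response(msg):
    """Return (rcode, [(owner, type, value), ...]) for the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                 # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata_at, off = off + 10, off + 10 + rdlen
        if rtype == QTYPE_SOA:                           # MNAME, RNAME, SERIAL ...
            _, o = decode_name(msg, rdata_at)
            _, o = decode_name(msg, o)
            records.append((owner, "SOA", struct.unpack("!I", msg[o:o + 4])[0]))
        elif rtype == QTYPE_A:
            records.append((owner, "A", ".".join(map(str, msg[rdata_at:off]))))
        else:
            records.append((owner, str(rtype), msg[rdata_at:off].hex()))
    return flags & 0xF, records

def classify(rcode, records):
    """What the answer means for the secondary trying to pull the zone."""
    if rcode != 0:
        return "denied by server (%s)" % RCODES.get(rcode, str(rcode))
    if len(records) >= 2 and records[0][1] == "SOA" and records[-1][1] == "SOA":
        return "transfer ok"                            # AXFR is bracketed by the SOA
    return "no zone data returned"

def serial_newer(primary, secondary):
    """RFC 1982 serial arithmetic: True if a secondary at `secondary` will pull."""
    diff = (primary - secondary) % (1 << 32)
    return 0 < diff < (1 << 31)

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf

def axfr_probe(server, zone, timeout=5.0):
    """Live check (needs network): separates a TCP/53 filter from a refusal."""
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(tcp_frame(build_query(zone, QTYPE_AXFR)))
            rcode, records = 0, []
            while True:                                 # a transfer may span messages
                (length,) = struct.unpack("!H", recv_exact(s, 2))
                rcode, recs = parse_response(recv_exact(s, length))
                records += recs
                if rcode != 0 or sum(r[1] == "SOA" for r in records) >= 2:
                    break
    except socket.timeout:
        return "tcp/53 filtered: no connection or no answer (UDP lookups still work)"
    except ConnectionRefusedError:
        return "tcp/53 closed: nothing listening for TCP on that address"
    return classify(rcode, records)

# Constructed sample traffic (not captured from the thread's servers).
def rr(owner, rtype, rdata, ttl=3600):
    return encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def soa_rdata(mname, rname, serial):
    return (encode_name(mname) + encode_name(rname)
            + struct.pack("!IIIII", serial, 3600, 900, 604800, 86400))

def build_response(zone, rcode, answers, txid=0x1234):
    header = struct.pack("!HHHHHH", txid, 0x8400 | rcode, 1, len(answers), 0, 0)  # QR, AA
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, 1) + b"".join(answers)

if __name__ == "__main__":
    soa = rr("example.test.", QTYPE_SOA,
             soa_rdata("ns1.example.test.", "hostmaster.example.test.", 2003112401))
    good = build_response("example.test.", 0,
                          [soa, rr("www.example.test.", QTYPE_A, bytes([192, 0, 2, 10])), soa])
    print(classify(*parse_response(good)))
    print(classify(*parse_response(build_response("example.test.", 5, []))))
    print(serial_newer(2003112402, 2003112401))
```

Run `axfr_probe("<primary ip>", "yourzone.example")` from a host outside the IPsec-protected segment: a timeout points at the filter (the "filtered" state the portscan later reports), while a REFUSED answer means TCP 53 is reachable and the zone's transfer list is what needs fixing. Either way, compare the serial the secondary already holds against the primary's SOA with `serial_newer()` before blaming the transfer at all.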
 
"Ace Fekay [MVP]"
You're using IPSec? How do you have it set? Server Require security or
Request Security? If set to Require, I can see that can cause this issue. Or
are you just using IPSec's filtering features?

Well, port 53 is open for all TCP connections; no authentication.

As you ask, I remember my last portscan ... it said that port 53 is in
state filtered ... maybe that's the problem. But I don't know which option
would be worse.
 
Jerome Schnitzler said:
Well, port 53 is open for all TCP connections; no authentication.

As you ask, I remember my last portscan ... it said that port 53 is in
state filtered ... maybe that's the problem. But I don't know which option
would be worse.


If a scan reports it as filtered, then it's blocked. Try disabling the IPSec
policy and try it again.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
"Ace Fekay [MVP]"
If a scan reports it as filtered, then it's blocked. Try disabling the IPSec
policy and try it again.

Oh wow ... disabling IPSec is like suicide ... the server is directly
connected to the internet with 100bit ... if I disable IPSec, W32.Blaster and
all these other nice guys are immediately on the machine ... Is there no other
option?
 
An entry point firewall?
Or readjust the IPSec filters to allow traffic.

Why don't you just disable it for a test to see if it works and then we'll
work from there? We have to establish that first, don't you agree?

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
Jerome Schnitzler said:
Oh wow ... disabling IPSec is like suicide ... the server is directly
connected to the internet with 100bit ... if I disable IPSec,
W32.Blaster and all these other nice guys are immediately on the
machine ... Is there no other option?

If IPSec is set to "require" security for all IP traffic, it will always
require security using Kerberos trust and will NOT allow unsecured
communication with untrusted clients.
Try changing it to request security if you must have IPSec to the internet.
As far as worrying about worms goes, since this server is connected directly
to the internet, use a good firewall and do not allow it to be used as a
workstation. If anyone using this server as a workstation executes a virus
or worm, that nasty little bug has the same rights as the user. Never
browse the internet from this machine. If you have an internal network using
this as a gateway, I would highly recommend using a proxy server that scans
the data stream. There are good ones that are very reasonably priced, such as
Wingate and Winroute, that do a very good job of protecting your internal
network. Most will give you a thirty day trial.
Is TCP/IP filtering turned on?
Do you have any ports open above 1024?
TCP/IP filtering on the interface closes both incoming and outgoing ports; it
does not allow for port redirection for outgoing connections. Instead of
filtering on the interface, get a firewall or use packet filtering in RRAS.
 