Solved

BIND DNS not allowing transfers through cisco router?

Posted on 2002-04-08
15
519 Views
Last Modified: 2012-05-04
I've got a setup that consists of a cisco 1602 router & linux box, amongst other things.  I'd like the linux router to host a domain name and have set up the bind zone appropriately.  I have checked the daemon.log file & nslookup/dig internally to make sure that zone is set up correctly.

However, if I try to do an nslookup ls motorsport.co.ug to test transfer the domain, I get an error:

Can't list domain motorsport.co.ug : Unspecified error.  

This means of course that the domain info cannot be transferred elsewhere.

I have checked the router.  I have these couple of lines in the config script:

ip nat inside source static 192.168.1.246 213.177.164.134

ip nat inside source static tcp 192.168.1.245 53 213.177.164.134 53 extendable
ip nat inside source static udp 192.168.1.246 53 213.177.164.134 53 extendable

I have tried to debug ip nat traffic, from an external ip.  I see, as expected:

03:38:30: NAT: o: udp (53.103.129.70, 3030) -> (213.177.164.134, 53) [49431]

and

03:38:30: NAT: i: udp (192.168.1.246, 53) -> (53.103.129.70, 3030) [12231]

The question is, why are zone transfers not working.  DNS queries appear to work fine.


Attached zone file:

;
; Zone file for motorsport.co.ug
;
; The full zone file
;
$TTL 38400
@       IN      SOA     impalasoft.com. domainnames.impalamedia.com. (
                        200204085       ; serial, todays date + todays serial #
                        8H              ; refresh, seconds
                        2H              ; retry, seconds
                        4W              ; expire, seconds
                        1D )            ; minimum, seconds
;
                IN  A   213.177.164.130                 ; default address
                NS      ns1.secondary.com.              ; Inet Address of name server
                NS      ns1.impalasoft.com.;
                NS      ns2.secondary.com.;
                NS      apphost01.impalasoft.com.;

                MX      10 mail.impalasoft.com.     ; Primary Mail Exchanger
;

www.motorsport.co.ug.    IN  CNAME  motorsport.co.ug.
ftp.motorsport.co.ug.  IN  CNAME  motorsport.co.ug.


Thanks

0
Question by:ossentoo
15 Comments
 
LVL 4

Expert Comment

by:svindler
ID: 6927528
If you have used copy paste then you have made an error:
ip nat inside source static tcp 192.168.1.245 53 213.177.164.134 53 extendable
ip nat inside source static udp 192.168.1.246 53 213.177.164.134 53 extendable
The udp statement points to 192.168.1.24_6_ and the tcp points to .24_5_
0
 
LVL 4

Expert Comment

by:svindler
ID: 6928063
Do you have any access-lists applied?
Can you do a zone-transfer from another host on the inside?
0
 
LVL 11

Expert Comment

by:geoffryn
ID: 6928655
I will go with svindler, your NAT may be messed up.  DNS queries use port 53 UDP, but most DNS zone transfers use port 53 TCP.  
0
 

Author Comment

by:ossentoo
ID: 6930991
ok,

No problem with the second 246 address (I think).  The server in question has two ip addresses 245, 246. It also forwards traffic from one to the other.

Some strange behaviour, I've got two DNS related lines in the config:

ip nat inside source static tcp 192.168.1.245 53 213.177.164.134 53 extendable
ip nat inside source static udp 192.168.1.246 53 213.177.164.134 53 extendable

The reason I have changed the IP address to 246 from 245 is that the router (cisco 1602) will not allow me to put in two lines with the same IP address. If I try to add both UDP & TCP on 245 for example, the one I add second doesn't appear in the config (seems like it is simply not added to the config).

Any reason why this is?  nslookup ls from any machine inside the private network works.
0
 
LVL 4

Expert Comment

by:svindler
ID: 6931177
Does it work without the two specific lines:
ip nat inside source static tcp 192.168.1.245 53 213.177.164.134 53 extendable
ip nat inside source static udp 192.168.1.246 53 213.177.164.134 53 extendable

I would think that the line:
ip nat inside source static 192.168.1.246 213.177.164.134
ought to be enough.

Is there any other reason why you are doing it this way?
0
 

Author Comment

by:ossentoo
ID: 6931334
ok, let me try removing 246 entry and see what happens.

Thanks
0
 

Author Comment

by:ossentoo
ID: 6931361
Nope, still getting the error.  Maybe you could try making a DNS transfer for motorsport.co.ug @ 213.177.164.134

Thanks
0
 
LVL 4

Expert Comment

by:svindler
ID: 6932453
From a tcpdump, I can see that there is a filter in either your router or maybe your ISP:
icmp: host 213.177.164.134 unreachable - admin prohibited filter

Do you have an acl applied in your router?
If not then maybe your provider has a DNS server filter in front of you.
0
 
LVL 4

Expert Comment

by:svindler
ID: 6932467
Actually the whole line is:
23:37:41.002387 213.177.165.2 > 192.168.1.64: icmp: host 213.177.164.134 unreachable - admin prohibited filter [tos 0x20]
A traceroute shows that 213.177.165.2 is three steps in front of you, so I guess it must be the provider.

15  213.177.165.2 (213.177.165.2)  983.370 ms  576.999 ms  577.849 ms
16  213.177.165.14 (213.177.165.14)  574.854 ms  1020.958 ms  579.926 ms
17  213.177.165.241 (213.177.165.241)  924.384 ms  1171.001 ms  574.645 ms
18  213.177.164.130 (213.177.164.130)  1021.711 ms  1176.955 ms  1159.944 ms

Maybe you are not allowed to host your own dns server?
0
 

Author Comment

by:ossentoo
ID: 6933555
You could be right there.  Let me also try tcpdump and see what's going on.

Thanks
0
 

Author Comment

by:ossentoo
ID: 6933588
That's strange, because DNS queries work, right?  This is the only access-list we have on the router.

access-list 1 permit 192.168.1.0
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255

Do you mean to say just DNS transferring may be restricted?
0
 
LVL 4

Accepted Solution

by:
svindler earned 150 total points
ID: 6933603
Yes, to me it looks like access to tcp port 53 is being denied by the router/firewall at 213.177.165.2.

They can't deny access to udp port 53, because some implementations actually use udp port 53 as both source and destination port.

Does your government apply rules centrally for the use of internet in Uganda? .ug is related to Uganda, so I guess your setup is actually located there?

0
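The diagnosis in this thread rests on three artefacts: the router's static NAT lines (where svindler spotted that tcp/53 and udp/53 forward to different inside hosts), the "debug ip nat" output (udp/53 translated in both directions) and the tcpdump line showing an ICMP "admin prohibited" from 213.177.165.2, three hops upstream. The script below is an added example, not the poster's or svindler's tooling: it re-reads those three artefacts as sample input constructed from the posts above and reports each finding, so the same checks can be rerun on a fresh config, debug output and capture. Parsing is limited to the line formats visible in this thread; anything else is an assumption.

```python
"""Diagnose why DNS zone transfers (tcp/53) fail while queries (udp/53) work.

Added example for this thread; the sample input is constructed from the
posts above, not taken from a live capture."""
import re
from collections import defaultdict

# Constructed sample input: the router's NAT lines as posted in the thread.
NAT_CONFIG = """\
ip nat inside source static 192.168.1.246 213.177.164.134
ip nat inside source static tcp 192.168.1.245 53 213.177.164.134 53 extendable
ip nat inside source static udp 192.168.1.246 53 213.177.164.134 53 extendable
"""

# Constructed sample input: the 'debug ip nat' lines as posted in the thread.
# Cisco marks outside->inside packets 'o:' and inside->outside packets 'i:'.
NAT_DEBUG = """\
03:38:30: NAT: o: udp (53.103.129.70, 3030) -> (213.177.164.134, 53) [49431]
03:38:30: NAT: i: udp (192.168.1.246, 53) -> (53.103.129.70, 3030) [12231]
"""

# Constructed sample input: svindler's tcpdump line as posted in the thread.
TCPDUMP = """\
23:37:41.002387 213.177.165.2 > 192.168.1.64: icmp: host 213.177.164.134 unreachable - admin prohibited filter [tos 0x20]
"""

NAT_RULE = re.compile(
    r"^ip nat inside source static\s+(?:(?P<proto>tcp|udp)\s+)?"
    r"(?P<inside>\d+\.\d+\.\d+\.\d+)(?:\s+(?P<iport>\d+))?\s+"
    r"(?P<outside>\d+\.\d+\.\d+\.\d+)(?:\s+(?P<oport>\d+))?"
)
NAT_DEBUG_LINE = re.compile(
    r"NAT: (?P<dir>[io]): (?P<proto>\w+) \((?P<src>[\d.]+), (?P<sport>\d+)\) -> "
    r"\((?P<dst>[\d.]+), (?P<dport>\d+)\)"
)
ADMIN_PROHIBITED = re.compile(
    r"^(?P<ts>\S+) (?P<sender>[\d.]+) > (?P<receiver>[\d.]+): icmp: host "
    r"(?P<host>[\d.]+) unreachable - admin prohibited filter"
)


def parse_nat_rules(config_text):
    """Parse 'ip nat inside source static' lines into dicts (None for absent fields)."""
    rules = []
    for line in config_text.splitlines():
        m = NAT_RULE.match(line.strip())
        if m:
            rules.append(m.groupdict())
    return rules


def port_nat_mismatches(rules):
    """Return {(outside_ip, port): {proto: inside_ip}} for every outside
    ip:port whose tcp and udp static entries forward to different inside hosts."""
    by_target = defaultdict(dict)
    for r in rules:
        if r["proto"]:
            by_target[(r["outside"], r["oport"])][r["proto"]] = r["inside"]
    return {k: v for k, v in by_target.items() if len(set(v.values())) > 1}


def nat_flows_seen(debug_text):
    """Return {(proto, service_port): set of directions} seen in the NAT debug.
    For 'o:' lines the service port is the destination port, for 'i:' the source."""
    seen = defaultdict(set)
    for line in debug_text.splitlines():
        m = NAT_DEBUG_LINE.search(line)
        if m:
            port = m["dport"] if m["dir"] == "o" else m["sport"]
            seen[(m["proto"], port)].add(m["dir"])
    return dict(seen)


def admin_prohibited_hops(capture_text):
    """Map each host named in an ICMP 'admin prohibited filter' message to the
    set of hops that sent it; a hop other than your own router means the
    filter sits upstream."""
    hops = defaultdict(set)
    for line in capture_text.splitlines():
        m = ADMIN_PROHIBITED.match(line)
        if m:
            hops[m["host"]].add(m["sender"])
    return dict(hops)


def diagnose(nat_config, nat_debug, capture):
    """Combine the three checks into a list of one-line findings."""
    findings = []
    for (outside, port), protos in port_nat_mismatches(parse_nat_rules(nat_config)).items():
        detail = ", ".join(f"{p}->{h}" for p, h in sorted(protos.items()))
        findings.append(f"nat-mismatch {outside}:{port} {detail}")
    flows = nat_flows_seen(nat_debug)
    for proto in ("udp", "tcp"):
        dirs = flows.get((proto, "53"), set())
        if {"i", "o"} <= dirs:
            findings.append(f"{proto}/53 translated in both directions")
        elif not dirs:
            findings.append(f"{proto}/53 absent from NAT debug")
    for host, hops in admin_prohibited_hops(capture).items():
        findings.append(f"upstream-filter {host} rejected by {','.join(sorted(hops))}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(NAT_CONFIG, NAT_DEBUG, TCPDUMP):
        print(finding)
```

Run as-is it reports the NAT mismatch on 213.177.164.134:53, udp/53 seen in both directions, no tcp/53 in the debug, and 213.177.165.2 as the hop rejecting traffic to 213.177.164.134. To rerun it on your own router, replace the three constructed strings with the current config, a fresh "debug ip nat" capture taken while attempting the transfer, and a tcpdump from the outside host. Whatever the upstream filter turns out to be, geoffryn's point stands: restrict transfers on the server itself with BIND's allow-transfer option, listing only your secondaries, rather than relying on a filter you do not control.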
 
LVL 11

Expert Comment

by:geoffryn
ID: 6934209
Svindler is right on.  The DNS lookup on UDP 53 is allowed but zone transfers on 53 TCP are denied.  The DNS server appears to allow unauthenticated transfer of the domain, but the filter is blocking it.  This is an interesting setup.  Usually the security is on the DNS server itself.
0
 

Author Comment

by:ossentoo
ID: 6936336
Thanks for all your help.  I'll check it out.
0
 
LVL 4

Expert Comment

by:svindler
ID: 6936385
You're welcome.
Remember to close the question you made in Linux Administration, http://www.experts-exchange.com/linuxadmin/Q.20286392.html
0
