Solved

BIND DNS not allowing transfers thru cisco router?

Posted on 2002-04-08
15
509 Views
Last Modified: 2012-05-04
I've got a setup that consists of a cisco 1602 router & linux box, amongst other things.  I'd like the linux router to host a domain name and have set up the bind zone appropriately.  I have checked the daemon.log file & nslookup/dig internally to make sure that zone is set up correctly.

However, if I try and do a nslookup ls motorsport.co.ug to test transfer the domain, I get an error:

Can't list domain motorsport.co.ug : Unspecified error.  

This means of course that the domain info cannot be transferred elsewhere.

I have checked the router.  I have these couple of lines in the config script:

ip nat inside source static 192.168.1.246 213.177.164.134

ip nat inside source static tcp 192.168.1.245 53 213.177.164.134 53 extendable
ip nat inside source static udp 192.168.1.246 53 213.177.164.134 53 extendable

I have tried to debug ip nat traffic, from an external ip.  I see, as expected:

03:38:30: NAT: o: udp (53.103.129.70, 3030) -> (213.177.164.134, 53) [49431]

and

03:38:30: NAT: i: udp (192.168.1.246, 53) -> (53.103.129.70, 3030) [12231]

The question is, why are zone transfers not working.  DNS queries appear to work fine.


Attached zone file:

;
; Zone file for motorsport.co.ug
;
; The full zone file
;
$TTL 38400
@       IN      SOA     impalasoft.com. domainnames.impalamedia.com. (
                        200204085       ; serial, todays date + todays serial #
                        8H              ; refresh, seconds
                        2H              ; retry, seconds
                        4W              ; expire, seconds
                        1D )            ; minimum, seconds
;
                IN  A   213.177.164.130                 ; default address
                NS      ns1.secondary.com.              ; Inet Address of name server
                NS      ns1.impalasoft.com.;
                NS      ns2.secondary.com.;
                NS      apphost01.impalasoft.com.;
                                                     
                MX      10 mail.impalasoft.com.     ; Primary Mail Exchanger
;

www.motorsport.co.ug.    IN  CNAME  motorsport.co.ug.
ftp.motorsport.co.ug.  IN  CNAME  motorsport.co.ug.


Thanks

Question by:ossentoo

15 Comments
 
LVL 4

Expert Comment

by:svindler
ID: 6927528
If you have used copy paste then you have made an error:
ip nat inside source static tcp 192.168.1.245 53 213.177.164.134 53 extendable
ip nat inside source static udp 192.168.1.246 53 213.177.164.134 53 extendable
The udp statement points to 192.168.1.24_6_ and the tcp points to .24_5_
0
 
LVL 4

Expert Comment

by:svindler
ID: 6928063
Do you have any access-lists applied?
Can you do a zone-transfer from another host on the inside?
0
 
LVL 11

Expert Comment

by:geoffryn
ID: 6928655
I will go with svindler, your NAT may be messed up.  DNS queries use port 53 UDP, but most DNS zone transfers use port 53 TCP.  
0
 

Author Comment

by:ossentoo
ID: 6930991
ok,

No problem with the second 246 address (I think).  The server in question has two IP addresses, 245 and 246. It also forwards traffic from one to the other.

Some strange behaviour: I've got two DNS related lines in the config:

ip nat inside source static tcp 192.168.1.245 53 213.177.164.134 53 extendable
ip nat inside source static udp 192.168.1.246 53 213.177.164.134 53 extendable

The reason I have changed the IP address to 246 from 245 is that the router (cisco 1602) will not allow me to put in two lines with the same IP address. If I try to add both UDP & TCP on 245, for example, the one I add second doesn't appear in the config (seems like it is simply not added to the config).

Any reason why this is?  nslookup ls from any machine inside the private network works.
0
 
LVL 4

Expert Comment

by:svindler
ID: 6931177
Does it work without the two specific lines:
ip nat inside source static tcp 192.168.1.245 53 213.177.164.134 53 extendable
ip nat inside source static udp 192.168.1.246 53 213.177.164.134 53 extendable

I would think that the line:
ip nat inside source static 192.168.1.246 213.177.164.134
ought to be enough.

Is there any other reason why you are doing it this way?
0
 

Author Comment

by:ossentoo
ID: 6931334
OK, let me try removing the 246 entry and see what happens.

Thanks
0
 

Author Comment

by:ossentoo
ID: 6931361
Nope, still getting the error.  Maybe you could try making a DNS transfer for motorsport.co.ug @ 213.177.164.134

Thanks
0
 
LVL 4

Expert Comment

by:svindler
ID: 6932453
From a tcpdump, I can see that there is a filter in either your router or maybe your isp:
icmp: host 213.177.164.134 unreachable - admin prohibited filter

Do you have an acl applied in your router?
If not, then maybe your provider has a DNS server filter in front of you.
0
 
LVL 4

Expert Comment

by:svindler
ID: 6932467
Actually the whole line is:
23:37:41.002387 213.177.165.2 > 192.168.1.64: icmp: host 213.177.164.134 unreachable - admin prohibited filter [tos 0x20]
A traceroute shows that 213.177.165.2 is three steps in front of you, so I guess it must be the provider.

15  213.177.165.2 (213.177.165.2)  983.370 ms  576.999 ms  577.849 ms
16  213.177.165.14 (213.177.165.14)  574.854 ms  1020.958 ms  579.926 ms
17  213.177.165.241 (213.177.165.241)  924.384 ms  1171.001 ms  574.645 ms
18  213.177.164.130 (213.177.164.130)  1021.711 ms  1176.955 ms  1159.944 ms

Maybe you are not allowed to host your own dns server?
0
 

Author Comment

by:ossentoo
ID: 6933555
You could be right there.  Let me also try tcpdump and see what's going on.

Thanks
0
 

Author Comment

by:ossentoo
ID: 6933588
that's strange, because DNS queries work right?  This is the only access-list we have on the router.

access-list 1 permit 192.168.1.0
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255

Do you mean to say just DNS transferring may be restricted?
0
 
LVL 4

Accepted Solution

by:
svindler earned 150 total points
ID: 6933603
Yes, to me it looks like access to tcp port 53 is being denied by the router/firewall at 213.177.165.2.

They can't deny access to udp port 53, because some implementations actually use udp port 53 as both source and destination port.

Does your government apply rules centrally for the use of internet in Uganda? .ug is related to Uganda, so I guess your setup is actually located there?

0
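Two checks this thread performs by hand, written up as an added example for this page (not code from anyone in the thread): parsing the router's static NAT lines to confirm that tcp/53 and udp/53 forward to the same inside host (svindler's first comment), and pulling the "admin prohibited filter" ICMP message out of tcpdump output to identify the hop that filters TCP/53 (his tcpdump comment). The sample lines are the ones quoted in the thread; the regexes are assumptions about the line formats shown there.

```python
import re

# Constructed samples: the router lines and the tcpdump line quoted in this thread.
NAT_CONFIG = """\
ip nat inside source static 192.168.1.246 213.177.164.134
ip nat inside source static tcp 192.168.1.245 53 213.177.164.134 53 extendable
ip nat inside source static udp 192.168.1.246 53 213.177.164.134 53 extendable
"""
TCPDUMP_OUTPUT = (
    "23:37:41.002387 213.177.165.2 > 192.168.1.64: icmp: host 213.177.164.134 "
    "unreachable - admin prohibited filter [tos 0x20]\n"
)

# Static port forwards as written on the 1602 (format assumed from the lines above).
STATIC_PORT_RE = re.compile(
    r"^ip nat inside source static (?P<proto>tcp|udp) (?P<inside>[\d.]+) (?P<iport>\d+) "
    r"(?P<outside>[\d.]+) (?P<oport>\d+)"
)
# tcpdump's ICMP "admin prohibited" line, as printed in the thread.
ADMIN_PROHIBITED_RE = re.compile(
    r"^\S+ (?P<src>[\d.]+) > (?P<dst>[\d.]+): icmp: host (?P<host>[\d.]+) "
    r"unreachable - admin prohibited"
)

def port53_mappings(config):
    """Return {proto: inside_ip} for static NAT entries exposing outside port 53."""
    mappings = {}
    for line in config.splitlines():
        m = STATIC_PORT_RE.match(line.strip())
        if m and m.group("oport") == "53":
            mappings[m.group("proto")] = m.group("inside")
    return mappings

def nat_findings(config):
    """Flag missing or inconsistent port-53 forwards: queries need udp/53, AXFR needs tcp/53."""
    m = port53_mappings(config)
    findings = []
    for proto, use in (("udp", "ordinary queries"), ("tcp", "zone transfers (AXFR)")):
        if proto not in m:
            findings.append(f"no static NAT for {proto}/53: {use} cannot reach the server")
    if "tcp" in m and "udp" in m and m["tcp"] != m["udp"]:
        findings.append(f"tcp/53 -> {m['tcp']} but udp/53 -> {m['udp']}: "
                        "confirm both addresses belong to the DNS host")
    return findings

def upstream_filters(tcpdump_output):
    """Return (filtering_hop, blocked_host) for each ICMP admin-prohibited message seen."""
    return [(m.group("src"), m.group("host"))
            for m in map(ADMIN_PROHIBITED_RE.match, tcpdump_output.splitlines()) if m]
```

Run against the thread's own lines, it reports the tcp/udp address split and names 213.177.165.2 as the hop returning the admin-prohibited message, which is the conclusion the accepted answer reaches.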
 
LVL 11

Expert Comment

by:geoffryn
ID: 6934209
Svindler is right on.  The DNS lookup on UDP 53 is allowed but zone transfers on 53 TCP are denied.  The DNS server appears to allow unauthenticated transfer of the domain, but the filter is blocking it.  This is an interesting setup.  Usually the security is on the DNS server itself.
0
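The point geoffryn raises, that restricting who may pull the zone is normally done on the DNS server rather than by an upstream filter, is expressed in BIND with allow-transfer. The fragment below is an added illustration, not configuration from the thread; the secondary addresses are placeholders, since the zone file names ns1.secondary.com and ns2.secondary.com but not their IPs.

```conf
options {
    // Constructed example: refuse zone transfers to everyone by default.
    allow-transfer { none; };
};

zone "motorsport.co.ug" {
    type master;
    file "motorsport.co.ug.zone";
    // Only the listed secondaries may run AXFR (placeholder addresses, not the real ones).
    allow-transfer { 192.0.2.10; 192.0.2.11; };
};
```

With this in place, an "ls" from nslookup on an unlisted host is refused by named itself, whether or not tcp/53 is open on the path.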
 

Author Comment

by:ossentoo
ID: 6936336
Thanks for all your help.  I'll check it out.
0
 
LVL 4

Expert Comment

by:svindler
ID: 6936385
You're welcome.
Remember to close the question you made in Linux Administration, http://www.experts-exchange.com/linuxadmin/Q.20286392.html
0
