ossentoo
asked on
BIND DNS not allowing transfers thru cisco router?
I've got a setup that consists of a cisco 1602 router & linux box, amongst other things. I'd like the linux router to host a domain name and have set up the bind zone appropriately. I have checked the daemon.log file & nslookup/dig internally to make sure that zone is set up correctly.
However, if I try and do an nslookup ls motorsport.co.ug to test transfer the domain, I get an error:
Can't list domain motorsport.co.ug : Unspecified error.
This means of course that the domain info cannot be transferred elsewhere.
I have checked the router. I have these couple of lines in the config script:
ip nat inside source static 192.168.1.246 213.177.164.134
ip nat inside source static tcp 192.168.1.245 53 213.177.164.134 53 extendable
ip nat inside source static udp 192.168.1.246 53 213.177.164.134 53 extendable
I have tried to debug ip nat traffic, from an external ip. I see, as expected:
03:38:30: NAT: o: udp (53.103.129.70, 3030) -> (213.177.164.134, 53) [49431]
and
03:38:30: NAT: i: udp (192.168.1.246, 53) -> (53.103.129.70, 3030) [12231]
The question is, why are zone transfers not working? DNS queries appear to work fine.
Attached zone file:
;
; Zone file for motorsport.co.ug
;
; The full zone file
;
$TTL 38400
@ IN SOA impalasoft.com. domainnames.impalamedia.com. (
200204085 ; serial, todays date + todays serial #
8H ; refresh, seconds
2H ; retry, seconds
4W ; expire, seconds
1D ) ; minimum, seconds
;
IN A 213.177.164.130 ; default address
NS ns1.secondary.com. ; Inet Address of name server
NS ns1.impalasoft.com.;
NS ns2.secondary.com.;
NS apphost01.impalasoft.com.;
MX 10 mail.impalasoft.com. ; Primary Mail Exchanger
;
www.motorsport.co.ug. IN CNAME motorsport.co.ug.
ftp.motorsport.co.ug. IN CNAME motorsport.co.ug.
Thanks
Do you have any access-lists applied?
Can you do a zone-transfer from another host on the inside?
I will go with svindler, your NAT may be messed up. DNS queries use port 53 UDP, but most DNS zone transfers use port 53 TCP.
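The point above (lookups use UDP/53, transfers need TCP/53) is easy to verify from the outside. The following Python probe is an added example, not code from this thread: it sends the same SOA question for a zone once over UDP and once over TCP to the address under test and classifies the pair of results. The function names (build_query, probe_udp, probe_tcp, diagnose) are my own; the default server and zone are the ones from the question.

```python
"""Probe a DNS server on UDP/53 and TCP/53 with the same SOA question.

Ordinary lookups travel over UDP; AXFR zone transfers (and any answer too
large for UDP) need TCP. A server that answers the UDP probe but not the
TCP probe is reachable, yet TCP/53 is being dropped by a NAT rule or a
filter on the path, which is exactly "queries work, nslookup ls fails".
"""
import socket
import struct
import sys

QTYPE_SOA = 6
QTYPE_AXFR = 252
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Encode a single-question DNS message (RFC 1035 wire format)."""
    # flags 0x0100 = RD set; QDCOUNT=1, all other counts 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS = IN


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header: enough to tell NOERROR from REFUSED."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": an,
        "authority": ns,
    }


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes from a TCP socket or raise."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed connection")
        buf += chunk
    return buf


def probe_udp(server: str, name: str, port: int = 53, timeout: float = 3.0) -> str:
    """Return the rcode of a UDP SOA query, or 'timeout' if nothing came back."""
    q = build_query(name, QTYPE_SOA)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return parse_header(data)["rcode"]


def probe_tcp(server: str, name: str, port: int = 53, timeout: float = 3.0) -> str:
    """Return the rcode of a TCP SOA query, or a short reason it failed."""
    q = build_query(name, QTYPE_SOA)
    try:
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(tcp_frame(q))
            length = struct.unpack("!H", recv_exact(s, 2))[0]
            data = recv_exact(s, length)
    except ConnectionRefusedError:
        return "refused"        # RST: port closed, or a filter that rejects
    except socket.timeout:
        return "timeout"        # silent drop: typical of a filter or bad NAT
    except OSError as exc:
        return f"error: {exc}"  # e.g. ICMP admin-prohibited -> EHOSTUNREACH
    return parse_header(data)["rcode"]


def diagnose(udp: str, tcp: str) -> str:
    """Classify a (udp, tcp) result pair. Any rcode, even REFUSED, means the
    transport reached the server; only non-rcode results count as blocked."""
    udp_ok, tcp_ok = udp in RCODES.values(), tcp in RCODES.values()
    if udp_ok and tcp_ok:
        return "both-ok"
    if udp_ok:
        return "tcp-blocked"    # lookups work but AXFR cannot: this thread's symptom
    if tcp_ok:
        return "udp-blocked"
    return "both-blocked"


if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else "213.177.164.134"
    zone = sys.argv[2] if len(sys.argv) > 2 else "motorsport.co.ug"
    udp_res, tcp_res = probe_udp(server, zone), probe_tcp(server, zone)
    print(f"UDP/53: {udp_res}  TCP/53: {tcp_res}  -> {diagnose(udp_res, tcp_res)}")
```

Run it from a host outside the NAT as `python3 probe.py 213.177.164.134 motorsport.co.ug`. A result of `tcp-blocked` with UDP answering NOERROR points at the TCP path (the static NAT entry or an upstream filter), not at BIND; a TCP result of `REFUSED` means TCP/53 is open and the server itself is declining, which is what a correctly locked-down `allow-transfer` looks like to an unauthorized client.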
ASKER
ok,
No problem with the second 246 address (I think). The server in question has two IP addresses, 245 and 246. It also forwards traffic from one to the other.
Some strange behaviour: I've got two DNS-related lines in the config:
ip nat inside source static tcp 192.168.1.245 53 213.177.164.134 53 extendable
ip nat inside source static udp 192.168.1.246 53 213.177.164.134 53 extendable
The reason I have changed the IP address to 246 from 245 is that the router (cisco 1602) will not allow me to put in two lines with the same IP address. If I try to add both UDP & TCP on 245, for example, the one I add second doesn't appear in the config (seems like it is simply not added to the config).
Any reason why this is? nslookup ls from any machine inside the private network works.
Does it work without the two specific lines:
ip nat inside source static tcp 192.168.1.245 53 213.177.164.134 53 extendable
ip nat inside source static udp 192.168.1.246 53 213.177.164.134 53 extendable
I would think that the line:
ip nat inside source static 192.168.1.246 213.177.164.134
ought to be enough.
Is there any other reason why you are doing it this way?
ASKER
ok, let me try removing 246 entry and see what happens.
Thanks
ASKER
Nope, still getting the error. Maybe you could try making a DNS transfer for motorsport.co.ug @ 213.177.164.134
Thx
From a tcpdump, I can see that there is a filter in either your router or maybe your isp:
icmp: host 213.177.164.134 unreachable - admin prohibited filter
Do you have an acl applied in your router?
If not, then maybe your provider has a DNS server filter in front of you.
Actually the whole line is:
23:37:41.002387 213.177.165.2 > 192.168.1.64: icmp: host 213.177.164.134 unreachable - admin prohibited filter [tos 0x20]
A traceroute shows that 213.177.165.2 is three steps in front of you, so I guess it must be the provider.
15 213.177.165.2 (213.177.165.2) 983.370 ms 576.999 ms 577.849 ms
16 213.177.165.14 (213.177.165.14) 574.854 ms 1020.958 ms 579.926 ms
17 213.177.165.241 (213.177.165.241) 924.384 ms 1171.001 ms 574.645 ms
18 213.177.164.130 (213.177.164.130) 1021.711 ms 1176.955 ms 1159.944 ms
Maybe you are not allowed to host your own dns server?
ASKER
You could be right there. Let me also try tcpdump and see what's going on.
Thanks
ASKER
that's strange, because DNS queries work right? This is the only access-list we have on the router.
access-list 1 permit 192.168.1.0
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
Do you mean to say just DNS transferring may be restricted?
ASKER CERTIFIED SOLUTION
Svindler is right on. The DNS lookup on UDP 53 is allowed but zone transfers on 53 TCP are denied. The DNS server appears to allow unauthenticated transfer of the domain, but the filter is blocking it. This is an interesting setup. Usually the security is on the DNS server itself.
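The last remark is the one a defender should act on: an upstream filter is not a substitute for the server refusing transfers to anyone but its secondaries. The fragment below is an added example of how that is done in a modern BIND 9 named.conf; it is not the asker's configuration. The key name, the secret placeholder, the secondary address 203.0.113.10 (a documentation-range address) and the zone file path are assumptions; only the zone name comes from the thread.

```conf
// Added example for BIND 9 (not the thread's named.conf).
// A TSIG key shared with the secondary. Generate the secret with
// `tsig-keygen xfer-key` and paste its output here; never commit a real one.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "<base64-secret-from-tsig-keygen>";   // placeholder
};

zone "motorsport.co.ug" {
    type master;
    file "/etc/bind/db.motorsport.co.ug";        // assumed path
    // Only the listed secondary, and only when it signs with the key,
    // may AXFR the zone. Everyone else gets REFUSED on TCP/53.
    allow-transfer { key "xfer-key"; 203.0.113.10; };
    also-notify { 203.0.113.10; };
};
```

After reloading (`rndc reload`), check it from any host that is not the secondary: `dig @213.177.164.134 motorsport.co.ug axfr` should end in `Transfer failed.`, while a plain `dig @213.177.164.134 motorsport.co.ug soa` still answers. That pair of results, unlike the one in this thread, is what a correctly locked-down primary looks like, and it holds even if the provider's filter is removed later.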
ASKER
Thanks for all your help. I'll check it out.
You're welcome.
Remember to close the question you made in Linux Administration, https://www.experts-exchange.com/linuxadmin/Q.20286392.html
ip nat inside source static tcp 192.168.1.245 53 213.177.164.134 53 extendable
ip nat inside source static udp 192.168.1.246 53 213.177.164.134 53 extendable
The udp statement points to 192.168.1.24_6_ and the tcp points to .24_5_