Solved

BIND DNS not allowing transfers thru cisco router?

Posted on 2002-04-08
Last Modified: 2013-12-16
I've got a setup that consists of a cisco 1602 router & linux box, amongst other things.  I'd like the linux router to host a domain name and have set up the bind zone appropriately.  I have checked the daemon.log file & nslookup/dig internally to make sure that zone is set up correctly.

However, if I try to do an nslookup ls motorsport.co.ug to test transferring the domain, I get an error:

Can't list domain motorsport.co.ug : Unspecified error.

This means of course that the domain info cannot be transferred elsewhere.

I have checked the router.  I have these couple of lines in the config script:

ip nat inside source static 192.168.1.246 213.177.164.134

ip nat inside source static tcp 192.168.1.245 53 213.177.164.134 53 extendable
ip nat inside source static udp 192.168.1.246 53 213.177.164.134 53 extendable

I have tried to debug ip nat traffic, from an external ip.  I see, as expected:

03:38:30: NAT: o: udp (53.103.129.70, 3030) -> (213.177.164.134, 53) [49431]

and

03:38:30: NAT: i: udp (192.168.1.246, 53) -> (53.103.129.70, 3030) [12231]

The question is, why are zone transfers not working.  DNS queries appear to work fine.


Attached zone file:

;
; Zone file for motorsport.co.ug
;
; The full zone file
;
$TTL 38400
@       IN      SOA     impalasoft.com. domainnames.impalamedia.com. (
                        200204085       ; serial, todays date + todays serial #
                        8H              ; refresh, seconds
                        2H              ; retry, seconds
                        4W              ; expire, seconds
                        1D )            ; minimum, seconds
;
                IN  A   213.177.164.130                 ; default address
                NS      ns1.secondary.com.              ; Inet Address of name server
                NS      ns1.impalasoft.com.;
                NS      ns2.secondary.com.;
                NS      apphost01.impalasoft.com.;

                MX      10 mail.impalasoft.com.     ; Primary Mail Exchanger
;

www.motorsport.co.ug.    IN  CNAME  motorsport.co.ug.
ftp.motorsport.co.ug.  IN  CNAME  motorsport.co.ug.


Thanks

Question by:ossentoo
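One detail in the router configuration quoted above is worth checking before looking at BIND at all: the two `extendable` rules send TCP/53 to 192.168.1.245 but UDP/53 to 192.168.1.246, and the `debug ip nat` output only shows UDP. Ordinary queries travel over UDP, while a zone transfer (and any response over 512 bytes) is carried over TCP, so the two protocols must reach the same name server. The following Python is an added check, not code from the thread; it parses Cisco static PAT lines and flags port-53 mappings whose TCP and UDP targets differ. The function names and the `SAMPLE_CONFIG` constant are my own, the sample itself is the three lines from the question.

```python
import re
from collections import defaultdict

# Matches Cisco static PAT lines such as
#   ip nat inside source static tcp 192.168.1.245 53 213.177.164.134 53 extendable
# The plain 1:1 "ip nat inside source static A B" rule has no protocol/port and
# is deliberately not matched; only the per-port rules decide where port 53 goes.
STATIC_PAT = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)"
)


def parse_static_pat(config_text):
    """Return {(outside_ip, outside_port): {proto: (inside_ip, inside_port)}}."""
    mappings = defaultdict(dict)
    for line in config_text.splitlines():
        m = STATIC_PAT.match(line.strip())
        if not m:
            continue
        proto, inside_ip, inside_port, outside_ip, outside_port = m.groups()
        mappings[(outside_ip, int(outside_port))][proto] = (inside_ip, int(inside_port))
    return dict(mappings)


def check_dns_pat(config_text):
    """Return a list of findings (strings) for port-53 mappings.

    AXFR and truncated-response retries use TCP, so TCP/53 and UDP/53 must
    terminate on the same inside host or transfers silently go elsewhere.
    """
    findings = []
    for (out_ip, out_port), by_proto in parse_static_pat(config_text).items():
        if out_port != 53:
            continue
        tcp = by_proto.get("tcp")
        udp = by_proto.get("udp")
        if tcp is None:
            findings.append(f"{out_ip}:53 has no TCP mapping; AXFR and large responses will fail")
        elif udp is None:
            findings.append(f"{out_ip}:53 has no UDP mapping; ordinary queries will fail")
        elif tcp != udp:
            findings.append(
                f"{out_ip}:53 forwards TCP to {tcp[0]} but UDP to {udp[0]}; "
                "queries work but a zone transfer reaches a different host"
            )
    return findings


# Constructed sample: the three NAT lines quoted in the question.
SAMPLE_CONFIG = """\
ip nat inside source static 192.168.1.246 213.177.164.134
ip nat inside source static tcp 192.168.1.245 53 213.177.164.134 53 extendable
ip nat inside source static udp 192.168.1.246 53 213.177.164.134 53 extendable
"""

if __name__ == "__main__":
    for finding in check_dns_pat(SAMPLE_CONFIG):
        print("WARN:", finding)
```

Run against the question's lines this reports the .245/.246 split; with both rules pointing at the same inside host it reports nothing, which is the state to confirm with `debug ip nat` for a TCP session before touching named.conf.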
6 Comments
 
LVL 4

Expert Comment

by:svindler
ID: 6927530
I don't think you are allowed to create the same question in several topic areas. You have created the same question in:
http://www.experts-exchange.com/routerswitch/Q.20286391.html
0
 
LVL 4

Expert Comment

by:MFCRich
ID: 6928039
Do you have an "allow-transfer" directive in your bind configuration file?
0
 
LVL 40

Expert Comment

by:jlevie
ID: 6928050
Okay, this isn't a router problem. If it were you wouldn't be able to execute queries across the router. It sounds more like a configuration issue. Could I see the contents of your named.conf?
0
 

Author Comment

by:ossentoo
ID: 6928388
Here you go.

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind/README.Debian for information on the
// structure of BIND configuration files in Debian for BIND versions 8.2.1
// and later, *BEFORE* you customize this configuration file.
//

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you might need to uncomment the query-source
        // directive below.  Previous versions of BIND always asked
        // questions using port 53, but BIND 8.1 and later use an unprivileged
        // port by default.

        // query-source address * port 53;

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        forwarders {
                192.168.1.1;
                213.177.165.49;
                213.177.165.57;
                199.79.199.2;
        };
};

// reduce log verbosity on issues outside our control
logging {
        category lame-servers { null; };
        category cname { null; };
};

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

// add entries for other zones below here

zone "motorsport.co.ug" {
        type master;
        notify no;

        file "zones/motorsport.co.ug";
};
0
 
LVL 40

Accepted Solution

by: jlevie earned 150 total points
ID: 6928648
I see two things that need attention. First anytime a DNS server is behind a firewall or NAT box one usually needs 'query-source address * port 53; ' enabled. The second is that you haven't specified the IP of the hosts that are allowed to do a zone transfer from the server, which will cause an nslookup 'ls' or 'host -l' to be refused. From what I see in your zone file the relevant portions of your named.conf file should be:

zone "motorsport.co.ug" {
       type master;
       file "zones/motorsport.co.ug";
       allow-transfer { 198.133.199.3; 198.133.199.4;
                        63.103.129.70; };
};
0
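The accepted answer's point is that a master zone with no `allow-transfer` statement leaves the transfer policy to the `options` block or the server default, and that the fix is an explicit list of the secondaries. As an added example (mine, not jlevie's or ISC's code), the Python below audits a named.conf for exactly that: it strips comments, brace-matches each `zone` statement, and reports every `type master` zone whose effective `allow-transfer` ACL is unset or contains `any`. The `BEFORE` sample is an abridged, constructed version of the named.conf posted above with its zone statement closed; `AFTER` applies the answer's rewrite. Function names are my own.

```python
import re


def strip_comments(text):
    """Remove /* */, // and # comments so braces inside them are ignored."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return "\n".join(re.split(r"//|#", line, maxsplit=1)[0]
                     for line in text.splitlines())


def block_body(text, start):
    """Return the text between the brace opened just before `start` and its match."""
    depth, i = 1, start
    while i < len(text) and depth:
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
        i += 1
    return text[start:i - 1]


def transfer_acl(body):
    """Return the allow-transfer entries in a block body, or None if absent."""
    m = re.search(r"allow-transfer\s*\{([^}]*)\}", body)
    if m is None:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def audit_transfers(named_conf):
    """Map each master zone to its effective allow-transfer ACL (None = unset).

    A zone-level ACL wins; otherwise an ACL in options {} applies to all zones.
    """
    clean = strip_comments(named_conf)
    global_acl = None
    om = re.search(r"\boptions\s*\{", clean)
    if om:
        global_acl = transfer_acl(block_body(clean, om.end()))
    result = {}
    for zm in re.finditer(r'\bzone\s+"([^"]+)"[^{]*\{', clean):
        body = block_body(clean, zm.end())
        if not re.search(r"\btype\s+master\s*;", body):
            continue  # hint and slave zones are not transfer sources here
        acl = transfer_acl(body)
        result[zm.group(1)] = global_acl if acl is None else acl
    return result


def unrestricted_zones(named_conf):
    """Master zones whose transfer ACL is unset or open to any host."""
    return sorted(name for name, acl in audit_transfers(named_conf).items()
                  if acl is None or "any" in acl)


# Constructed sample, abridged from the named.conf posted above (the zone
# statement is closed here; the post is cut off before its closing brace).
BEFORE = """
options { directory "/var/cache/bind"; forwarders { 192.168.1.1; }; };
zone "." { type hint; file "/etc/bind/db.root"; };
zone "localhost" { type master; file "/etc/bind/db.local"; };
zone "motorsport.co.ug" { type master; notify no; file "zones/motorsport.co.ug"; };
"""

# The same file with the zone statement as the accepted answer rewrites it.
AFTER = BEFORE.replace(
    'zone "motorsport.co.ug" { type master; notify no; file "zones/motorsport.co.ug"; };',
    'zone "motorsport.co.ug" { type master; file "zones/motorsport.co.ug";\n'
    '    allow-transfer { 198.133.199.3; 198.133.199.4; 63.103.129.70; }; };',
)

if __name__ == "__main__":
    print("before:", unrestricted_zones(BEFORE))
    print("after: ", unrestricted_zones(AFTER))
```

The audit still lists `localhost` after the fix, which is the intended behaviour: the check is per master zone, and a loopback zone with no ACL is a reminder that a global `allow-transfer { none; };` in `options` plus explicit per-zone lists is the tidier policy than fixing zones one at a time.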
 
LVL 4

Expert Comment

by:svindler
ID: 6952098
As I mentioned in http://www.experts-exchange.com/routerswitch/Q.20286391.html please remember to close this question.
0
