ossentoo
asked on
BIND DNS not allowing transfers thru cisco router?
I've got a setup that consists of a Cisco 1602 router and a Linux box, amongst other things. I'd like the Linux router to host a domain name and have set up the BIND zone appropriately. I have checked the daemon.log file and run nslookup/dig internally to make sure that the zone is set up correctly.
However, if I try to do an nslookup ls motorsport.co.ug to test transferring the domain, I get an error:
Can't list domain motorsport.co.ug : Unspecified error.
This means, of course, that the domain info cannot be transferred elsewhere.
I have checked the router. I have these few lines in the config script:
ip nat inside source static 192.168.1.246 213.177.164.134
ip nat inside source static tcp 192.168.1.245 53 213.177.164.134 53 extendable
ip nat inside source static udp 192.168.1.246 53 213.177.164.134 53 extendable
I have tried debug ip nat on traffic from an external IP. I see, as expected:
03:38:30: NAT: o: udp (53.103.129.70, 3030) -> (213.177.164.134, 53) [49431]
and
03:38:30: NAT: i: udp (192.168.1.246, 53) -> (53.103.129.70, 3030) [12231]
The question is, why are zone transfers not working? DNS queries appear to work fine.
Attached zone file:
;
; Zone file for motorsport.co.ug
;
; The full zone file
;
$TTL 38400
@ IN SOA impalasoft.com. domainnames.impalamedia.com. (
200204085 ; serial, todays date + todays serial #
8H ; refresh, seconds
2H ; retry, seconds
4W ; expire, seconds
1D ) ; minimum, seconds
;
IN A 213.177.164.130 ; default address
NS ns1.secondary.com. ; Inet Address of name server
NS ns1.impalasoft.com.;
NS ns2.secondary.com.;
NS apphost01.impalasoft.com.;
MX 10 mail.impalasoft.com. ; Primary Mail Exchanger
;
www.motorsport.co.ug. IN CNAME motorsport.co.ug.
ftp.motorsport.co.ug. IN CNAME motorsport.co.ug.
Thanks
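Zone transfers (AXFR) run over TCP port 53, while the ordinary queries that are working here travel over UDP, so a NAT that forwards TCP/53 and UDP/53 to different inside hosts would let lookups succeed while transfers never reach the name server. The script below is an added example, not code from the question or any answer; it parses the static NAT lines quoted above (embedded as constructed sample input) and flags port-53 mappings whose TCP and UDP inside targets disagree.

```python
import re
from collections import defaultdict

# Constructed sample: the three "ip nat inside source static" lines quoted in the question.
NAT_CONFIG = """\
ip nat inside source static 192.168.1.246 213.177.164.134
ip nat inside source static tcp 192.168.1.245 53 213.177.164.134 53 extendable
ip nat inside source static udp 192.168.1.246 53 213.177.164.134 53 extendable
"""

# Matches both the plain one-to-one form and the per-protocol/per-port form.
STATIC_RE = re.compile(
    r"^ip nat inside source static"
    r"(?:\s+(?P<proto>tcp|udp)\s+(?P<in>\S+)\s+(?P<inport>\d+)\s+(?P<out>\S+)\s+(?P<outport>\d+)"
    r"|\s+(?P<in1>\S+)\s+(?P<out1>\S+))"
)

def parse_static_nat(text):
    """Return (proto, inside_ip, inside_port, outside_ip, outside_port) tuples;
    proto and ports are None for the one-to-one form."""
    entries = []
    for line in text.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        if m.group("proto"):
            entries.append((m.group("proto"), m.group("in"), int(m.group("inport")),
                            m.group("out"), int(m.group("outport"))))
        else:
            entries.append((None, m.group("in1"), None, m.group("out1"), None))
    return entries

def dns_nat_findings(entries):
    """Flag outside addresses whose TCP/53 and UDP/53 mappings point at different
    inside hosts, or that lack one of the two protocols (AXFR needs TCP/53)."""
    by_out = defaultdict(dict)
    for proto, in_ip, in_port, out_ip, out_port in entries:
        if out_port == 53 and proto:
            by_out[out_ip][proto] = in_ip
    findings = []
    for out_ip, protos in by_out.items():
        tcp, udp = protos.get("tcp"), protos.get("udp")
        if tcp is None or udp is None:
            findings.append((out_ip, "missing %s/53 mapping" % ("tcp" if tcp is None else "udp")))
        elif tcp != udp:
            findings.append((out_ip, "tcp/53 -> %s but udp/53 -> %s" % (tcp, udp)))
    return findings
```

Run against the quoted lines, dns_nat_findings(parse_static_nat(NAT_CONFIG)) reports that TCP/53 for 213.177.164.134 lands on 192.168.1.245 while UDP/53 lands on 192.168.1.246.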
Do you have an "allow-transfer" directive in your bind configuration file?
Okay, this isn't a router problem. If it were you wouldn't be able to execute queries across the router. It sounds more like a configuration issue. Could I see the contents of your named.conf?
ASKER
Here you go.
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind/README.Debian for information on the
// structure of BIND configuration files in Debian for BIND versions 8.2.1
// and later, *BEFORE* you customize this configuration file.
//
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you might need to uncomment the query-source
// directive below. Previous versions of BIND always asked
// questions using port 53, but BIND 8.1 and later use an unprivileged
// port by default.
// query-source address * port 53;
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forwarders {
192.168.1.1;
213.177.165.49;
213.177.165.57;
199.79.199.2;
};
};
// reduce log verbosity on issues outside our control
logging {
category lame-servers { null; };
category cname { null; };
};
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
// add entries for other zones below here
zone "motorsport.co.ug" {
type master;
notify no;
file "zones/motorsport.co.ug";
};
As I mentioned in https://www.experts-exchange.com/routerswitch/Q.20286391.html please remember to close this question.