Solved

BIND DNS not allowing transfers thru cisco router?

Posted on 2002-04-08
6
459 Views
Last Modified: 2013-12-16
I've got a setup that consists of a cisco 1602 router & linux box, amongst other things.  I'd like the linux router to host a domain name and have set up the bind zone appropriately.  I have checked the daemon.log file & nslookup/dig internally to make sure that zone is set up correctly.

However, if I try and do a nslookup ls motorsport.co.ug to test transfer the domain, I get an error:

Can't list domain motorsport.co.ug : Unspecified error.  

This means of course that the domain info cannot be transfered elsewhere.

I have checked the router.  I have these couple of lines in the config script:

ip nat inside source static 192.168.1.246 213.177.164.134

ip nat inside source static tcp 192.168.1.245 53 213.177.164.134 53 extendable
ip nat inside source static udp 192.168.1.246 53 213.177.164.134 53 extendable

I have tried to debug ip nat traffic, from an external ip.  I see, as expected:

03:38:30: NAT: o: udp (53.103.129.70, 3030) -> (213.177.164.134, 53) [49431]

and

03:38:30: NAT: i: udp (192.168.1.246, 53) -> (53.103.129.70, 3030) [12231]

The question is, why are zone transfers not working.  DNS queries appear to work fine.


Attached zone file:

;
; Zone file for motorsport.co.ug
;
; The full zone file
;
$TTL 38400
@       IN      SOA     impalasoft.com. domainnames.impalamedia.com. (
                        200204085       ; serial, todays date + todays serial #
                        8H              ; refresh, seconds
                        2H              ; retry, seconds
                        4W              ; expire, seconds
                        1D )            ; minimum, seconds
;
                IN  A   213.177.164.130                 ; default address
                NS      ns1.secondary.com.              ; Inet Address of name s
erver
                NS      ns1.impalasoft.com.;
                NS      ns2.secondary.com.;
                NS      apphost01.impalasoft.com.;
                                                     
                MX      10 mail.impalasoft.com.     ; Primary Mail Exchanger
;

www.motorsport.co.ug.    IN  CNAME  motorsport.co.ug.
ftp.motorsport.co.ug.  IN  CNAME  motorsport.co.ug.


Thanks

0
Comment
Question by:ossentoo
6 Comments
 
LVL 4

Expert Comment

by:svindler
ID: 6927530
I don't think you are allowed to create the same question in several topic areas. You have created the same question in:
http://www.experts-exchange.com/routerswitch/Q.20286391.html
0
 
LVL 4

Expert Comment

by:MFCRich
ID: 6928039
Do you have an "allow-transfer" directive in your bind configuration file?
0
 
LVL 40

Expert Comment

by:jlevie
ID: 6928050
Okay, this isn't a router problem. If it were you wouldn't be able to execute queries across the router. It sounds more like a configuration issue. Could I see the contents of your named.conf?
0
Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

 

Author Comment

by:ossentoo
ID: 6928388
Here you go.

// This is the primary configuration file for the BIND DNS server named.        
//                                                                              
// Please read /usr/share/doc/bind/README.Debian for information on the        
// structure of BIND configuration files in Debian for BIND versions 8.2.1      
// and later, *BEFORE* you customize this configuration file.                  
//                                                                              
                                                                               
options {                                                                      
        directory "/var/cache/bind";                                            
                                                                               
        // If there is a firewall between you and nameservers you want          
        // to talk to, you might need to uncomment the query-source            
        // directive below.  Previous versions of BIND always asked            
        // questions using port 53, but BIND 8.1 and later use an unprivileged  
        // port by default.                                                    
                                                                               
        // query-source address * port 53;                                      
                                                                               
        // If your ISP provided one or more IP addresses for stable            
        // nameservers, you probably want to use them as forwarders.            
        // Uncomment the following block, and insert the addresses replacing    
        // the all-0's placeholder.                                            
                                                                               
        forwarders {                                                            
                192.168.1.1;                                                    
                213.177.165.49;                                                
                213.177.165.57;                                                
                199.79.199.2;                                                  
        };                                                                      
};                                                                              
                                                                               
// reduce log verbosity on issues outside our control                          
logging {                                                                      
        category lame-servers { null; };                                        
        category cname { null; };                                              
};                                                                              
                                                                               
// prime the server with knowledge of the root servers                          
zone "." {                                                                      
        type hint;                                                              
        file "/etc/bind/db.root";                                              
};                                                                              
                                                                               
// be authoritative for the localhost forward and reverse zones, and for        
// broadcast zones as per RFC 1912                                              
                                                                               
zone "localhost" {                                                              
        type master;                                                            
        file "/etc/bind/db.local";                                              
};                                                                              
                                                                               
zone "127.in-addr.arpa" {                                                      
        type master;                                                            
        file "/etc/bind/db.127";                                                
};                                                                              
                                                                               
zone "0.in-addr.arpa" {                                                        
        type master;                                                            
        file "/etc/bind/db.0";                                                  
};                                                                              
                                                                               
zone "255.in-addr.arpa" {                                                      
        type master;                                                            
        file "/etc/bind/db.255";                                                
};                                                                              
                                                                               
// add entries for other zones below here                                      
                                                                               
zone "motorsport.co.ug" {                                                      
        type master;                                                            
        notify no;                                                              
                                                                               
        file "zones/motorsport.co.ug";                                          
0
 
LVL 40

Accepted Solution

by:
jlevie earned 150 total points
ID: 6928648
I see two things that need attention. First anytime a DNS server is behind a firewall or NAT box one usually needs 'query-source address * port 53; ' enabled. The second is that you haven't specified the IP of the hosts that are allowed to do a zone transfer from the server, which will cause an nslookup 'ls' or 'host -l' to be refused. From what I see in your zone file the relevant portions of your named.conf file should be:

zone "motorsport.co.ug" {                                                      
       type master;                                                            
       file "zones/motorsport.co.ug";                                          
       allow-transfer { 198.133.199.3; 198.133.199.4;
                        63.103.129.70; };
}
0
 
LVL 4

Expert Comment

by:svindler
ID: 6952098
As I mentioned in http://www.experts-exchange.com/routerswitch/Q.20286391.html please remember to close this question.
0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I am a long time windows user and for me it is normal to have spaces in directory and file names. Changing to Linux I found myself frustrated when I moved my windows data over to my new Linux computer. The problem occurs when at the command line.…
Little introduction about CP: CP is a command on linux that use to copy files and folder from one location to another location. Example usage of CP as follow: cp /myfoder /pathto/destination/folder/ cp abc.tar.gz /pathto/destination/folder/ab…
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question