Solved

BIND DNS not allowing transfers thru cisco router?

Posted on 2002-04-08
6
456 Views
Last Modified: 2013-12-16
I've got a setup that consists of a cisco 1602 router & linux box, amongst other things.  I'd like the linux router to host a domain name and have set up the bind zone appropriately.  I have checked the daemon.log file & nslookup/dig internally to make sure that zone is set up correctly.

However, if I try and do an nslookup ls motorsport.co.ug to test transferring the domain, I get an error:

Can't list domain motorsport.co.ug : Unspecified error.  

This means of course that the domain info cannot be transferred elsewhere.

I have checked the router.  I have these couple of lines in the config script:

ip nat inside source static 192.168.1.246 213.177.164.134

ip nat inside source static tcp 192.168.1.245 53 213.177.164.134 53 extendable
ip nat inside source static udp 192.168.1.246 53 213.177.164.134 53 extendable

I have tried to debug ip nat traffic, from an external ip.  I see, as expected:

03:38:30: NAT: o: udp (53.103.129.70, 3030) -> (213.177.164.134, 53) [49431]

and

03:38:30: NAT: i: udp (192.168.1.246, 53) -> (53.103.129.70, 3030) [12231]

The question is, why are zone transfers not working? DNS queries appear to work fine.


Attached zone file:

;
; Zone file for motorsport.co.ug
;
; The full zone file
;
$TTL 38400
@       IN      SOA     impalasoft.com. domainnames.impalamedia.com. (
                        200204085       ; serial, todays date + todays serial #
                        8H              ; refresh, seconds
                        2H              ; retry, seconds
                        4W              ; expire, seconds
                        1D )            ; minimum, seconds
;
                IN  A   213.177.164.130                 ; default address
                NS      ns1.secondary.com.              ; Inet Address of name server
                NS      ns1.impalasoft.com.;
                NS      ns2.secondary.com.;
                NS      apphost01.impalasoft.com.;

                MX      10 mail.impalasoft.com.     ; Primary Mail Exchanger
;

www.motorsport.co.ug.    IN  CNAME  motorsport.co.ug.
ftp.motorsport.co.ug.  IN  CNAME  motorsport.co.ug.


Thanks

0
Comment
Question by:ossentoo
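As an added diagnostic example (not code from the original question or from BIND), the following Python builds the DNS message a zone-transfer client such as nslookup's ls sends, frames it the way TCP transport requires, and decodes the response code of the server's reply. It makes two points concrete that the question's symptoms turn on: a zone transfer (AXFR) is carried over TCP, so of the two static NAT entries above it is the tcp one that a transfer depends on (note that the tcp and udp entries map port 53 to different inside hosts, .245 and .246, which is worth checking against the host actually running BIND); and a server that declines a transfer answers with RCODE 5, REFUSED, which the "Unspecified error" message hides. The refused reply below is a constructed sample, and the transaction id 0x1234 is an arbitrary choice.

```python
import struct

# Added example: DNS AXFR request construction and response decoding.
# Not code from the original post; the refused reply is constructed here.

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}
QTYPE_AXFR = 252   # RFC 1035 QTYPE for a full zone transfer
QCLASS_IN = 1

def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels, e.g. "co.ug." -> b"\\x02co\\x02ug\\x00"."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_axfr_query(zone: str, txid: int = 0x1234) -> bytes:
    """Return an AXFR query message for `zone` (without TCP framing)."""
    # header: id, flags (no RD bit needed for AXFR), qdcount=1, an/ns/ar=0
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    return header + question

def tcp_frame(msg: bytes) -> bytes:
    """Prefix a DNS message with its 2-byte length, as DNS over TCP requires.
    AXFR always runs over TCP, so a NAT rule that only forwards UDP/53
    can never pass a zone transfer."""
    return struct.pack("!H", len(msg)) + msg

def parse_response(frame: bytes, expected_txid: int) -> dict:
    """Strip TCP framing and decode the header fields of a reply."""
    (length,) = struct.unpack("!H", frame[:2])
    msg = frame[2:2 + length]
    if len(msg) != length:
        raise ValueError("truncated TCP frame")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    return {
        "is_response": bool(flags & 0x8000),   # QR bit
        "authoritative": bool(flags & 0x0400), # AA bit
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": an,
    }

def refused_response_for(query: bytes) -> bytes:
    """Constructed sample of what a server sends to a client that is not in
    allow-transfer: same id, QR=1, AA=1, RCODE=5, question echoed, no answers."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | 0x0400 | 5
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return tcp_frame(header + query[12:])

if __name__ == "__main__":
    query = build_axfr_query("motorsport.co.ug")
    print(len(tcp_frame(query)), "bytes on the wire for the AXFR request")
    print(parse_response(refused_response_for(query), 0x1234))
```

Run stand-alone it prints the decoded header of the constructed refused reply; pointed at a live server the same parse_response call (reading from a TCP socket) tells you whether the transfer was refused by the server's ACL or never answered at all, which is the distinction between a BIND configuration problem and a NAT problem.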
6 Comments
 
LVL 4

Expert Comment

by:svindler
ID: 6927530
I don't think you are allowed to create the same question in several topic areas. You have created the same question in:
http://www.experts-exchange.com/routerswitch/Q.20286391.html
0
 
LVL 4

Expert Comment

by:MFCRich
ID: 6928039
Do you have an "allow-transfer" directive in your bind configuration file?
0
 
LVL 40

Expert Comment

by:jlevie
ID: 6928050
Okay, this isn't a router problem. If it were you wouldn't be able to execute queries across the router. It sounds more like a configuration issue. Could I see the contents of your named.conf?
0
 

Author Comment

by:ossentoo
ID: 6928388
Here you go.

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind/README.Debian for information on the
// structure of BIND configuration files in Debian for BIND versions 8.2.1
// and later, *BEFORE* you customize this configuration file.
//

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you might need to uncomment the query-source
        // directive below.  Previous versions of BIND always asked
        // questions using port 53, but BIND 8.1 and later use an unprivileged
        // port by default.

        // query-source address * port 53;

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        forwarders {
                192.168.1.1;
                213.177.165.49;
                213.177.165.57;
                199.79.199.2;
        };
};

// reduce log verbosity on issues outside our control
logging {
        category lame-servers { null; };
        category cname { null; };
};

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

// add entries for other zones below here

zone "motorsport.co.ug" {
        type master;
        notify no;

        file "zones/motorsport.co.ug";
};
0
 
LVL 40

Accepted Solution

by:
jlevie earned 150 total points
ID: 6928648
I see two things that need attention. First, any time a DNS server is behind a firewall or NAT box one usually needs 'query-source address * port 53;' enabled. The second is that you haven't specified the IP of the hosts that are allowed to do a zone transfer from the server, which will cause an nslookup 'ls' or 'host -l' to be refused. From what I see in your zone file the relevant portions of your named.conf file should be:

zone "motorsport.co.ug" {
        type master;
        file "zones/motorsport.co.ug";
        allow-transfer { 198.133.199.3; 198.133.199.4;
                         63.103.129.70; };
};
0
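The accepted answer's fix is an explicit allow-transfer ACL on the zone. As an added example (not the expert's code and not part of BIND), here is a small Python audit that walks a named.conf text, finds every "type master" zone and reports the allow-transfer setting in effect for it: the zone's own ACL, else the global one from the options block, else none at all, in which case the server's built-in default applies (in BIND 8 and the BIND 9 releases of that period the default allowed transfers to any host, which is why this is the setting worth pinning). The two configuration samples are constructed from the fragments on this page; the "before" one is the poster's zone block, the "after" one is the block from the accepted answer. The parser handles only the subset of named.conf syntax used here (block comments, // and # comments, nested braces) and is not a full grammar.

```python
import re

# Added example: audit allow-transfer coverage in a named.conf text.
# Constructed for this page; not BIND's parser and not the expert's code.

BLOCK_START = re.compile(r'\b(options|zone\s+"([^"]+)")\s*\{')

def strip_comments(text: str) -> str:
    """Remove the three comment styles named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"//[^\n]*", "", text)
    text = re.sub(r"#[^\n]*", "", text)
    return text

def block_body(text: str, open_brace: int) -> str:
    """Return the text between the brace at `open_brace` and its match."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in named.conf")

def allow_transfer_acl(body: str):
    """Return the allow-transfer list in a block body, or None if absent."""
    m = re.search(r"\ballow-transfer\s*\{([^}]*)\}\s*;", body)
    if m is None:
        return None
    return [item.strip() for item in m.group(1).split(";") if item.strip()]

def audit_transfers(conf: str) -> dict:
    """Map each master zone to a one-line finding about who may AXFR it."""
    conf = strip_comments(conf)
    global_acl = None
    zone_acls = {}
    for m in BLOCK_START.finditer(conf):
        body = block_body(conf, m.end() - 1)      # m.end()-1 is the "{"
        if m.group(1) == "options":
            global_acl = allow_transfer_acl(body)
        elif re.search(r"\btype\s+master\s*;", body):
            zone_acls[m.group(2)] = allow_transfer_acl(body)
    findings = {}
    for zone, acl in zone_acls.items():
        effective = acl if acl is not None else global_acl
        if effective is None:
            findings[zone] = "no allow-transfer set: server default applies"
        elif "any" in effective:
            findings[zone] = "allow-transfer { any; }: every host may copy the zone"
        else:
            findings[zone] = "restricted to " + ", ".join(effective)
    return findings

# Constructed samples built from the fragments posted on this page.
SAMPLE_BEFORE = """
options { directory "/var/cache/bind"; };
zone "localhost" { type master; file "/etc/bind/db.local"; };
zone "." { type hint; file "/etc/bind/db.root"; };
zone "motorsport.co.ug" {
        type master;
        notify no;               // as posted in the question
        file "zones/motorsport.co.ug";
};
"""

SAMPLE_AFTER = """
options { directory "/var/cache/bind"; };
zone "localhost" { type master; file "/etc/bind/db.local"; };
zone "motorsport.co.ug" {
        type master;
        file "zones/motorsport.co.ug";
        allow-transfer { 198.133.199.3; 198.133.199.4;
                         63.103.129.70; };
};
"""

if __name__ == "__main__":
    for label, conf in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label)
        for zone, finding in audit_transfers(conf).items():
            print(f"  {zone}: {finding}")
```

Run against a real named.conf (read the file and pass its text to audit_transfers) it lists every master zone that would hand out a full copy of its data to an arbitrary client, which is the exposure an explicit allow-transfer list closes; a hint zone such as "." is skipped because there is nothing to transfer.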
 
LVL 4

Expert Comment

by:svindler
ID: 6952098
As I mentioned in http://www.experts-exchange.com/routerswitch/Q.20286391.html please remember to close this question.
0
