"Access denied" from AD to a BIND Server.

I've set up the BIND server and the AD. I have MSDNS configured in the AD settings, and now I added the BIND Server v 9.2.2, but I get an "Access Denied: You don't have permission to access this DNS Server" from the AD DNS Settings Panel when I add it or when I click on the icon for details.

The Server Icon displays a "not available" sign (just like MSN Messenger does). :(

I think it is a BIND configuration problem, but I have it set as my DNS and works fine (for my computer, not for AD).

I used Nslookup and got these lines:

--- START  ---
C:\>Nslookup
Default Server:  redhat_server
Address:  192.168.100.3

www.experts-exchange.com
Server:  redhat_server
Address:  192.168.100.3

Non-authoritative answer:
Name:    experts-exchange.com
Address:  64.156.132.140
Aliases:  www.experts-exchange.com

--- END ---

So, I only see that Non-authoritative answer... and I don't know how to set it to an Authoritative one.

I feel like I'm grasping the surface here... but right now, I'm stuck. :S heeeeeelp!

Any idea?
0
mmartha
Asked:
1 Solution
 
KaiserSoseCommented:
Have you set permissions on who can query the server? It's in named.conf... something like allow-query{ all };

dave
0
 
KaiserSoseCommented:
or even better, add

allow-transfer { IP ADDRESS };

to your zone

dave
0
 
mmarthaAuthor Commented:
this is my named.conf

-- START --
logging {
      category lame-servers { null; };
      category cname { null; };
};

options {
      directory "/var/named";
      /*
       * If there is a firewall between you and nameservers you want
       * to talk to, you might need to uncomment the query-source
       * directive below.  Previous versions of BIND always asked
       * questions using port 53, but BIND 8.1 uses an unprivileged
       * port by default.
       */

      query-source address * port 53;

      // forward only;

      allow-query { any; };
};

controls {
      inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "localhost" IN {
      type master;
      file "localhost.zone";
      allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
      type master;
      file "named.local";
      allow-update { none; };
};

include "/etc/rndc.key";

zone "100.168.192.in-addr.arpa" IN {
      type master;
      file "db.100.168.192.in-addr.arpa";
      allow-update { 192.168.100.2; };
};

zone "domain1" {
      type master;
      file "/var/named/domain1.hosts";
      allow-query { any; };
      allow-transfer { 192.168.100.2; };
};

-- END --

I added the allow-transfer tag, restarted the named service (/etc/init.d/named restart) but I still get the Access Denied msg.

192.168.100.2 is the AD server.

Should I post the zone and reverse files? (domain1.hosts, db.100.168.192.in-addr.arpa, localhost.zone, named.local)
0
 
KaiserSoseCommented:
Everything looks ok there,  maybe it's something to do with the rndc key,  I have never bothered with that part so I don't know much about it.
0
 
mmarthaAuthor Commented:
Well... I thought about the rndc too, but whenever there's an rndc key problem you get a "Connection refused" message from the rndc controls while trying to [start | restart] the named service. I generated a new key (dnskeygen -H 128 -h -n newkey.) and copied the key from the 'Knew.key.+157+00000.key' into the /etc/rndc.key file and didn't change the configs in rndc.conf or named.conf, so I had those ERR msgs. Now, maybe I don't know something about rndc, but since I can [start | restart] the named service I think there's no problem with rndc anymore.
0
 
pablouruguayCommented:
You need to have port 995 open to use keys, like this:

iptables -A INPUT -p tcp -m tcp  --dport 995 -j ACCEPT
0
 
pablouruguayCommented:
I'm sorry, I'm confused, is the port 953 tcp/udp?

0
 
mmarthaAuthor Commented:
I did an nmap on the BIND and the AD servers and port 953 is open on both.
0
 
KaiserSoseCommented:
I don't think it's the rndc key.   Do you have any other BIND servers you can test on?
0
 
mmarthaAuthor Commented:
I'll setup one with the following configuration:
(From http://www.experts-exchange.com/Networking/Linux_Networking/Q_21143866.html)

options {
     directory "/var/named";
     /*
      * If there is a firewall between you and nameservers you want
      * to talk to, you might need to uncomment the query-source
      * directive below.  Previous versions of BIND always asked
      * questions using port 53, but BIND 8.1 uses an unprivileged
      * port by default.
      */

     // query-source address * port 53;

     // forward only;

     allow-query { any; };
     allow-transfer { any; };
};

controls {
     inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

//Zone entry for my Active Directory domain ad.mydom.com.

zone "." IN {
        type hint;
        file "named.ca";
};

zone "localhost" IN {
     type master;
     file "localhost.zone";
     allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
     type master;
     file "named.local";
     allow-update { none; };
};

include "/etc/rndc.key";

zone "100.168.192.in-addr.arpa" IN {
     type master;
     file "db.100.168.192.in-addr.arpa";
     allow-update { any; };
     allow-transfer { any; };
     allow-query { any; };
};

zone "linuxlab.grupochamberlain.com" {
     type master;
     file "/var/named/linuxlab.grupochamberlain.com.hosts";
     allow-query { any; };
     allow-transfer { any; };
     allow-update { any; };
};
0
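The configuration above sets allow-update and allow-transfer to any on both zones, which lets any host that can reach the server rewrite the zone's records or pull a full copy of it. The following example is added here and is not code from the thread: it parses the options and zone blocks of a named.conf and reports every zone whose transfer or dynamic-update ACL admits any, honouring zone-level overrides of the options block. The sample file is constructed and only modelled on the fragments posted above; the zone name linuxlab.example is a placeholder.

```python
import re

# Constructed sample modelled on the named.conf fragments in this thread, not the poster's file.
SAMPLE_NAMED_CONF = """
options {
    allow-query { any; };
};
zone "100.168.192.in-addr.arpa" IN {
    allow-update { any; };      // anyone on the network can rewrite PTR records
    allow-transfer { any; };    // anyone can pull the whole zone
};
zone "linuxlab.example" {
    allow-update { 192.168.100.2; };    // only the AD server may update
    allow-transfer { 192.168.100.2; };
};
"""

BLOCK_RE = re.compile(r'^(options|zone\s+"([^"]+)")')
ACL_RE = re.compile(r"^(allow-(?:query|transfer|update))\s*\{([^}]*)\}\s*;")

def parse_acls(conf):
    """Return {block: {directive: [members]}} for the options block and every zone block."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)   # drop /* ... */ comments
    blocks, current = {}, None
    for raw in conf.splitlines():
        line = raw.split("//")[0].strip()                # drop // comments
        m = BLOCK_RE.match(line)
        if m and line.endswith("{"):
            current = m.group(2) or "options"
            blocks[current] = {}
        elif line.startswith("};"):
            current = None
        elif current and (a := ACL_RE.match(line)):
            blocks[current][a.group(1)] = [x.strip() for x in a.group(2).split(";") if x.strip()]
    return blocks

def audit(conf):
    """(zone, directive) pairs whose transfer or dynamic-update ACL admits 'any'.
    Zone ACLs override options; a missing allow-transfer falls back to BIND 9's
    historic default of any, a missing allow-update to none."""
    blocks = parse_acls(conf)
    opts = blocks.get("options", {})
    findings = []
    for zone, acls in blocks.items():
        if zone == "options":
            continue
        for directive, default in (("allow-transfer", ["any"]), ("allow-update", [])):
            if "any" in acls.get(directive, opts.get(directive, default)):
                findings.append((zone, directive))
    return findings
```

Run audit() over the real named.conf to list the zones that need a tighter ACL, for example restricting allow-update and allow-transfer to the AD server's address as the second zone in the sample does.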
 
mmarthaAuthor Commented:
I'll close the question. Thanks for the advice.
0
