"Access denied" from AD to a BIND Server.

I've set up the BIND server and the AD. I have MSDNS configured in the AD settings, and now I added the BIND server v9.2.2, but I get an "Access Denied: You don't have permission to access this DNS Server" from the AD DNS settings panel when I add it or when I click on the icon for details.

The Server Icon displays a "not available" sign (just like MSN Messenger does). :(

I think it is a BIND configuration problem, but I have it set as my DNS and it works fine (for my computer, not for AD).

I used Nslookup and got these lines:

--- START  ---
C:\>Nslookup
Default Server:  redhat_server
Address:  192.168.100.3

www.experts-exchange.com
Server:  redhat_server
Address:  192.168.100.3

Non-authoritative answer:
Name:    experts-exchange.com
Address:  64.156.132.140
Aliases:  www.experts-exchange.com

--- END ---

So, I only see that Non-authoritative answer... and I don't know how to set it to an authoritative one.

I feel like I'm grasping the surface here... but right now, I'm stuck. :S heeeeeelp!

Any idea?
LVL 2
mmartha Asked:
KaiserSose Commented:
Have you set permissions on who can query the server? It's in named.conf... something like allow-query { any; };

dave
0
 
KaiserSose Commented:
or even better, add

allow-transfer { IP ADDRESS; };

to your zone

dave
0
 
KaiserSose Commented:
0
mmartha (Author) Commented:
this is my named.conf

-- START --
logging {
      category lame-servers { null; };
      category cname { null; };
};

options {
      directory "/var/named";
      /*
       * If there is a firewall between you and nameservers you want
       * to talk to, you might need to uncomment the query-source
       * directive below.  Previous versions of BIND always asked
       * questions using port 53, but BIND 8.1 uses an unprivileged
       * port by default.
       */

      query-source address * port 53;

      // forward only;

      allow-query { any; };
};

controls {
      inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "localhost" IN {
      type master;
      file "localhost.zone";
      allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
      type master;
      file "named.local";
      allow-update { none; };
};

include "/etc/rndc.key";

zone "100.168.192.in-addr.arpa" IN {
      type master;
      file "db.100.168.192.in-addr.arpa";
      allow-update { 192.168.100.2; };
};

zone "domain1" {
      type master;
      file "/var/named/domain1.hosts";
      allow-query { any; };
      allow-transfer { 192.168.100.2; };
};

-- END --

I added the allow-transfer tag and restarted the named service (/etc/init.d/named restart), but I still get the Access Denied msg.

192.168.100.2 is the AD server.

should I post the zone and reverse files? (domain1.hosts, db.100.168.192.in-addr.arpa, localhost.zone, named.local)
0
 
KaiserSose Commented:
Everything looks OK there; maybe it's something to do with the rndc key. I have never bothered with that part, so I don't know much about it.
0
 
mmartha (Author) Commented:
Well... I thought about rndc too, but whenever there's an rndc key problem you get a "Connection refused" message from the rndc controls while trying to [start | restart] the named service. I generated a new key (dnskeygen -H 128 -h -n newkey.), copied the key from the 'Knew.key.+157+00000.key' file into /etc/rndc.key, and didn't change the configs in rndc.conf or named.conf, so I had those ERR msgs. Now, maybe I don't know something about rndc, but since I can [start | restart] the named service I think there's no problem with rndc anymore.
0
 
pablouruguay Commented:
You need to have port 995 open to use keys, like this:

iptables -A INPUT -p tcp -m tcp  --dport 995 -j ACCEPT
0
 
pablouruguay Commented:
I'm sorry, I'm confused: is the port 953 tcp/udp?

0
 
mmartha (Author) Commented:
I did an nmap on the BIND and AD servers, and port 953 is open on both.
0
 
KaiserSose Commented:
I don't think it's the rndc key.   Do you have any other BIND servers you can test on?
0
 
mmartha (Author) Commented:
I'll setup one with the following configuration:
(From http://www.experts-exchange.com/Networking/Linux_Networking/Q_21143866.html)

options {
     directory "/var/named";
     /*
      * If there is a firewall between you and nameservers you want
      * to talk to, you might need to uncomment the query-source
      * directive below.  Previous versions of BIND always asked
      * questions using port 53, but BIND 8.1 uses an unprivileged
      * port by default.
      */

     // query-source address * port 53;

     // forward only;

     allow-query { any; };
     allow-transfer { any; };
};

controls {
     inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

//Zone entry for my Active Directory domain ad.mydom.com.

zone "." IN {
        type hint;
        file "named.ca";
};

zone "localhost" IN {
     type master;
     file "localhost.zone";
     allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
     type master;
     file "named.local";
     allow-update { none; };
};

include "/etc/rndc.key";

zone "100.168.192.in-addr.arpa" IN {
     type master;
     file "db.100.168.192.in-addr.arpa";
     allow-update { any; };
     allow-transfer { any; };
     allow-query { any; };
};

zone "linuxlab.grupochamberlain.com" {
     type master;
     file "/var/named/linuxlab.grupochamberlain.com.hosts";
     allow-query { any; };
     allow-transfer { any; };
     allow-update { any; };
};
0
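The configuration proposed above opens allow-transfer and allow-update to "any" on master zones, which lets every host on the network dump the zone or rewrite its records, not just the AD server at 192.168.100.2. As an added check (editor's example, not code from the thread), this script walks the options and zone statements of a named.conf and flags those two directives wherever they are set to any; the embedded sample is constructed from the stanzas in the thread, with one zone already restricted to the AD server.

```python
import re

# Constructed sample: the options and zone stanzas from the proposed
# named.conf, trimmed to the ACL directives under discussion.
SAMPLE_NAMED_CONF = """
options {
     directory "/var/named";
     allow-query { any; };
     allow-transfer { any; };
};

zone "100.168.192.in-addr.arpa" IN {
     type master;
     file "db.100.168.192.in-addr.arpa";
     allow-update { any; };
     allow-transfer { any; };
};

zone "linuxlab.grupochamberlain.com" {
     type master;
     file "/var/named/linuxlab.grupochamberlain.com.hosts";
     allow-transfer { 192.168.100.2; };   // AD server only
     allow-update { 192.168.100.2; };
};
"""

# Directives that should not be left wide open on a master zone.
RISKY = ("allow-transfer", "allow-update")

def _strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)      # /* ... */
    return re.sub(r"(//|#).*", "", text)                    # // and # to end of line

def config_blocks(conf):
    """Yield (name, body) for each options{} or zone "x" {} statement, matching braces by depth."""
    conf = _strip_comments(conf)
    for m in re.finditer(r'(?:zone\s+"([^"]+)"|\boptions\b)[^{]*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1) or "options", conf[m.end():i - 1]

def acl_values(body, directive):
    """Return the address-match-list entries of a directive, or None if absent."""
    m = re.search(directive + r"\s*\{([^}]*)\}", body)
    return None if not m else [v.strip() for v in m.group(1).split(";") if v.strip()]

def find_open_acls(conf):
    """Return (block, directive) pairs where a risky directive is set to 'any'."""
    return [(name, d) for name, body in config_blocks(conf)
            for d in RISKY if "any" in (acl_values(body, d) or [])]

if __name__ == "__main__":
    for block, directive in find_open_acls(SAMPLE_NAMED_CONF):
        print(f"{block}: {directive} {{ any; }} -- restrict to the AD server, e.g. {{ 192.168.100.2; }}")
```

Note that an allow-transfer in options is the default every zone inherits unless the zone overrides it, so the global hit matters as much as the per-zone ones.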
 
mmartha (Author) Commented:
I'll close the question. Thanks for the advice.
0
Question has a verified solution.
