Solved

Primary Linux DNS doesnt propagate zones to secondary DNS Linux

Posted on 2006-06-05
Medium Priority
1,004 Views
Last Modified: 2010-03-19
Hi,
I have a primary DNS (NS1, with IP, i.e. 1.1.1.1) and a secondary DNS (samba, with IP, i.e. 2.2.2.2).

Here is how I have set the zones:

NS1:

options {
directory "/var/named";
allow-recursion { ......... };
listen-on { ......... };
};

zone "zone.com" in {

type master;
file "zone.txt";
allow-transfer { ........ };
};


The slave config is as follows:

zone "zone.com" in {
type slave;
file "zone.com";
masters { 1.1.1.1; };     // the master's IP
allow-transfer


The issues I have are:

1. I cannot see zone.txt on the slave (the master doesn't transfer the zone)
2. No firewalls or iptables are configured
3. I cannot do resolution for machines within the Microsoft domain
4. Both NS1 and Samba haven't joined the Microsoft domain
5. The master DNS has the command 'allow recursion'


Any ideas ?

Question by:c_hockland
30 Comments
 
LVL 26

Assisted Solution

by:jar3817
jar3817 earned 1000 total points
ID: 16833284
Make sure you have allow-transfer {2.2.2.2;}; in the zone declaration on the master.  I see you have an allow-transfer{} in there, but not sure what "........" is.

In my config file i use "recursion yes;" or "recursion no;" rather than allow recursion like you have. Might be something to try. If your clients are set to use both nameservers, both of them need to allow recursion, not just the master.

Have you tried restarting the dns daemon to initiate the zone transfer? Is there anything in the log files?
0
 

Author Comment

by:c_hockland
ID: 16833963
Yes, I have allow-transfer in the named.conf (master DNS) on every zone. We have almost 15 zones.
I have restarted the primary DNS service.

For now, I have the clients using the primary DNS server. I need to test and verify that the secondary works (do nslookups, or dig) before I utilize it.

I have just restarted the primary DNS; how long does it take to replicate?

0
 

Author Comment

by:c_hockland
ID: 16834050
Also, do I need to copy the reverse.127.0.0 and cache.root files to the slave server?

0

 
LVL 26

Expert Comment

by:jar3817
ID: 16834138
You need to restart the secondary to initiate the zone transfer. You should see it happen within a few seconds of the restart.

Both servers need accurate root hints, so yes you should copy the cache.root. As for the localhost zone, meh, it's up to you.
0
 

Author Comment

by:c_hockland
ID: 16834473
Where can I find the root hints file (cache.root), under which folder?
0
 
LVL 26

Expert Comment

by:jar3817
ID: 16834725
It depends on your setup. Look in named.conf for the "directory" keyword, it'll tell you where bind looks for files. Then look at the "." zone for the actual file name. The secondary probably is already set for the root hints...but it's a good thing to check.

I've seen /var/named/named.root as a default before...might still be.
0
 

Author Comment

by:c_hockland
ID: 16835066
OK, here is what I see on the primary DNS:
options {

directory "/var/named";
allow-recursion ...etc
listen-on ..etc

zone "." in {
type hint;
file "root.txt";

but under /var/named I see named.local, named.ca
don't see root.txt or named.root
I also restarted both DNS servers and no replication as of yet....

0
 

Author Comment

by:c_hockland
ID: 16835104
I see root.txt... sorry, but it has the root hints in it.
0
 

Author Comment

by:c_hockland
ID: 16835804
Also, we have 10-15 zones on the primary DNS. On each of these zones I added the NS record with the name and then an A record with the IP of the slave server. I restarted BOTH servers (master and slave) and still no replication. The master can ping the slave and vice versa.
When I added the NS record on the master I did "   NS   Samba.ourdomain.com "
However, samba hasn't joined the domain (but this is how I saw it on the master server - it has an "   NS   NS1.ourdomain.com "   and NS1 hasn't joined the Microsoft domain..

Any ideas?
0
 
LVL 26

Expert Comment

by:jar3817
ID: 16835859
Your AD domain has nothing to do with your dns replication. Do you see anything about the zone transfer in your log files? Like the secondary trying, but failing? Remember that normal dns traffic is on UDP/53 but zone transfers happen on TCP/53.  Make sure TCP/53 is open on the firewall of your master.
0
 

Author Comment

by:c_hockland
ID: 16835926
OK, two questions:

1. How can I check if TCP/53 is open on the master?
2. Where (which file) is the log, so I can vi it and see what's happening?

Thanks so much for your help!
0
 

Author Comment

by:c_hockland
ID: 16835960
When I do netstat -a I see udp/52 established, but I don't see port 53 (listening/established). If that means it is blocked, how can I enable it?

Also, how can I check the log files?
0
 

Author Comment

by:c_hockland
ID: 16835998
When I go to /etc/syslog and open both log files (master/slave) I don't see anything referring to DNS replication...
0
 
LVL 26

Expert Comment

by:jar3817
ID: 16836016
You probably won't see :53 but rather :domain. Try /sbin/iptables-save, that command should spit out all your iptables firewall rules. You should see something about TCP and 53. The output on my nameserver looks like this:

-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT

If not, you'll need to add a similar rule to allow the traffic. Try looking in /var/log/messages to see if there are any errors related to the zone transfer. Look both on the master and the slave.
0
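The advice above is to read /var/log/messages on both servers for zone-transfer errors. As an added example (not code from this thread or from BIND), here is a small triage script for the lines named writes on each side: on the master, whether an AXFR was served or denied and to whom; on the slave, whether its pull completed or failed. The log lines are constructed in BIND 9's syslog format, with the thread's placeholder addresses, and the set of hosts allowed to pull zones is an assumption you supply.

```python
"""Triage BIND zone-transfer log lines from both sides of a master/slave pair.
Added example, not code from the thread. The log lines below are constructed
in the format BIND 9 writes to syslog; 1.1.1.1, 2.2.2.2 and zone.com are the
thread's placeholders and 198.51.100.7 is a made-up unexpected client."""
import re

# Master side: a client asked for a transfer and was served (AXFR ended) or denied.
_SERVED_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: transfer of '(?P<zone>[^/]+)/IN': (?:AXFR|IXFR) ended")
_DENIED_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: zone transfer '(?P<zone>[^/]+)/IN/(?:AXFR|IXFR)' denied")
# Slave side: outcome of the transfer it requested from its master.
_INBOUND_RE = re.compile(
    r"transfer of '(?P<zone>[^/]+)/IN' from (?P<ip>[\d.]+)#\d+: (?P<result>.+)$")

SAMPLE_LOG = """\
Jun  6 15:30:02 ns1 named[1234]: client 2.2.2.2#40200: zone transfer 'zone.com/IN/AXFR' denied
Jun  6 15:36:09 ns1 named[1234]: client 2.2.2.2#40112: transfer of 'zone.com/IN': AXFR started
Jun  6 15:36:09 ns1 named[1234]: client 2.2.2.2#40112: transfer of 'zone.com/IN': AXFR ended
Jun  6 15:40:01 ns1 named[1234]: client 198.51.100.7#53211: zone transfer 'zone.com/IN/AXFR' denied
Jun  6 15:30:02 samba named[987]: transfer of 'zone.com/IN' from 1.1.1.1#53: failed while receiving responses: REFUSED
Jun  6 15:36:09 samba named[987]: transfer of 'zone.com/IN' from 1.1.1.1#53: Transfer completed: 1 messages, 12 records, 300 bytes, 0.010 secs (30000 bytes/sec)
Jun  6 15:36:09 samba named[987]: zone zone.com/IN: transferred serial 2006060501
""".splitlines()


def parse_transfer_events(lines):
    """Return one dict per zone-transfer event found in the log lines."""
    events = []
    for line in lines:
        if m := _SERVED_RE.search(line):
            events.append({"side": "master", "zone": m["zone"], "peer": m["ip"], "event": "served"})
        elif m := _DENIED_RE.search(line):
            events.append({"side": "master", "zone": m["zone"], "peer": m["ip"], "event": "denied"})
        elif m := _INBOUND_RE.search(line):
            ok = m["result"].startswith("Transfer completed")
            events.append({"side": "slave", "zone": m["zone"], "peer": m["ip"],
                           "event": "completed" if ok else "failed", "detail": m["result"]})
    return events


def triage(lines, secondaries):
    """Explain the state of replication and flag transfer requests from unexpected hosts.

    secondaries: set of IPs that are supposed to pull zones from this master.
    Returns (findings, events); findings is a list of human-readable strings."""
    events = parse_transfer_events(lines)
    findings = []
    for e in events:
        if e["side"] == "master" and e["peer"] not in secondaries:
            # Served or denied, an AXFR request from an unknown host deserves an alert:
            # a full zone dump is a complete map of the namespace.
            findings.append(f"AXFR for {e['zone']} from unexpected host {e['peer']} ({e['event']})")
        elif e["event"] == "denied":
            findings.append(f"secondary {e['peer']} was denied {e['zone']}: check allow-transfer on the master")
        elif e["event"] == "failed":
            findings.append(f"pull of {e['zone']} from {e['peer']} failed: {e['detail']}")
    return findings, events


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, {"2.2.2.2"})[0]:
        print(finding)
```

Run against the constructed lines it reports the thread's symptom (the secondary refused, so the slave's pull fails with REFUSED), then the successful transfer, and separately the AXFR attempt from a host that is not a secondary at all.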
 

Author Comment

by:c_hockland
ID: 16836130
OK, in the iptables I don't see anything regarding dport 53 -j ACCEPT. I will go ahead and add it (on the master server, right? or on the slave?)


0
 
LVL 26

Expert Comment

by:jar3817
ID: 16836163
Add them on both the master and slave. You'll need one rule for udp (dns resolution) and one rule for tcp (zone transfers and big queries).
 
0
 
LVL 20

Expert Comment

by:brwwiggins
ID: 16836303
I would also look into adding a notify statement so that your master servers will notify the slave that a change has been made and the slaves will update in a more timely fashion. Just a recommendation...
0
 

Author Comment

by:c_hockland
ID: 16836658
Where is the iptables conf file, so I can go and add the -A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT statement?
0
 

Author Comment

by:c_hockland
ID: 16837173
I have added the command

 iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT on both servers; I will restart both master and slave and let you know.
0
 

Author Comment

by:c_hockland
ID: 16837253
OK, the latest update...

I have added the above command and restarted first the DNS on the master and then on the slave.

In /var/named/ I don't see the zone files from the master server....

Any ideas?
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 16839699
On 2.2.2.2 run:

dig @1.1.1.1 zone.com axfr

This should tell you if the transfers will work (should 2.2.2.2 ever decide to request a transfer)

Cheers,
-Jon
0
 

Author Comment

by:c_hockland
ID: 16843109
Captain,

I did the dig command and it said "transfer failed".

I am getting desperate... please help!!!
0
 
LVL 16

Accepted Solution

by:
The--Captain earned 1000 total points
ID: 16846488
>i did the dig command and it said " transfer failed "

OK, this points to a config problem on 1.1.1.1.  It generally means that the DNS server at 1.1.1.1 heard your request, and denied it (as opposed to a network issue preventing your request from reaching 1.1.1.1, or 1.1.1.1 simply ignoring your requests).

Here is an actual sample that I set up to test this (obviously, I changed my local IP to "my.local.test.ip" before posting it here):

zone "0.0.127.in-addr.arpa" {
        type master;
        file "named.local";
        allow-transfer {my.local.test.ip;};
};

This works, as you can see:


dig @my.master.dns.server 0.0.127.in-addr.arpa axfr

; <<>> DiG 9.2.1 <<>> @my.master.dns.server 0.0.127.in-addr.arpa axfr
;; global options:  printcmd
0.0.127.in-addr.arpa.   86400   IN      SOA     localhost. root.localhost. 1997022700 28800 14400 3600000 86400
0.0.127.in-addr.arpa.   86400   IN      NS      localhost.
1.0.0.127.in-addr.arpa. 86400   IN      PTR     localhost.
0.0.127.in-addr.arpa.   86400   IN      SOA     localhost. root.localhost. 1997022700 28800 14400 3600000 86400
;; Query time: 45 msec
;; SERVER: master.dns.server.ip#53(my.master.dns.server)
;; WHEN: Tue Jun  6 15:36:09 2006
;; XFR size: 5 records



Adjusting my.local.test.ip to the wrong IP yields:

dig @my.master.dns.server 0.0.127.in-addr.arpa axfr

; <<>> DiG 9.2.1 <<>> @my.master.dns.server 0.0.127.in-addr.arpa axfr
;; global options:  printcmd
; Transfer failed.

So, you likely either do not have a

       allow-transfer {my.local.test.ip;};

statement in the zone definition you are trying to transfer, or you have the wrong IP in there.


On 1.1.1.1 run:

tcpdump -l -n -i any 'tcp port 53'

and then run the dig command on 2.2.2.2 (leave tcpdump running on 1.1.1.1 while you do).  What does tcpdump on 1.1.1.1 say the IP trying to attempt the transfer actually is?

Cheers,
-Jon

0
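Both jar3817's first post and the accepted answer above come down to the same thing: the zone on the master either has no allow-transfer statement or lists the wrong address, so the secondary's AXFR is refused. tcpdump settles the network side; the configuration side can be checked before restarting anything. The following is an added example, not code from this thread or from BIND: a deliberately simple named.conf reader (no views, includes or ACL names) that reports, for every master zone, whether the secondary's address is in allow-transfer, whether the statement is missing altogether, and whether it is open to any host, and for every slave zone whether masters is set. The configs are constructed, using the thread's placeholder addresses.

```python
"""Lint named.conf zone declarations for the allow-transfer mistakes behind a
"Transfer failed" AXFR. Added example, not code from the thread or from BIND.
The configs below are constructed; 1.1.1.1/2.2.2.2 are the thread's placeholders."""
import re

_COMMENT_RE = re.compile(r"//[^\n]*|#[^\n]*|/\*.*?\*/", re.S)
# One statement inside a block:  key value;   or   key { item; item; };
_STMT_RE = re.compile(r"(?P<key>[\w-]+)\s*(?:\{(?P<list>[^}]*)\}|(?P<val>[^;{]+))\s*;", re.S)

MASTER_CONF = """\
options {
    directory "/var/named";          // no global allow-transfer here
};
zone "." in { type hint; file "root.txt"; };
zone "zone.com" in {
    type master;
    file "zone.txt";
    allow-transfer { 2.2.2.2; };     // the secondary from the thread
};
zone "typo.example" in {
    type master;
    file "typo.txt";
    allow-transfer { 2.2.2.3; };     // wrong IP: dig axfr from 2.2.2.2 is refused
};
zone "open.example" in {
    type master;
    file "open.txt";
    allow-transfer { any; };         // anyone on the network can dump the zone
};
zone "bare.example" in { type master; file "bare.txt"; };
"""
SLAVE_CONF = """\
zone "zone.com" in {
    type slave;
    file "zone.com";
    masters { 1.1.1.1; };
    allow-transfer { none; };        // a secondary has no reason to hand the zone on
};
"""


def _blocks(text, keyword):
    """Yield (name, body) for each `keyword ["name"] ... { body };`, honouring nested braces."""
    head = re.compile(r'\b%s\b(?:\s+"([^"]+)")?[^{]*\{' % keyword, re.I)
    pos = 0
    while m := head.search(text, pos):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield (m.group(1) or "").strip(), text[m.end():i - 1]
        pos = i


def _items(m):
    """Split an address-list body like ' 2.2.2.2; any; ' into ['2.2.2.2', 'any']."""
    return [s.strip().strip('"') for s in (m.group("list") or "").split(";") if s.strip()]


def parse_conf(conf):
    """Return (options-level allow-transfer or None, {zone: {type, allow-transfer, masters}})."""
    text = _COMMENT_RE.sub("", conf)
    default_acl = None
    for _name, body in _blocks(text, "options"):
        for m in _STMT_RE.finditer(body):
            if m.group("key").lower() == "allow-transfer":
                default_acl = _items(m)
    zones = {}
    for name, body in _blocks(text, "zone"):
        z = {"type": "", "allow-transfer": None, "masters": []}
        for m in _STMT_RE.finditer(body):
            key = m.group("key").lower()
            if key == "type" and m.group("val"):
                z["type"] = m.group("val").strip().lower()
            elif key in ("allow-transfer", "masters"):
                z[key] = _items(m)
        zones[name] = z
    return default_acl, zones


def check_transfers(conf, secondary_ip):
    """Map each zone name to its findings; an empty list means the transfer ACL looks right."""
    default_acl, zones = parse_conf(conf)
    report = {}
    for name, z in zones.items():
        problems = []
        acl = z["allow-transfer"] if z["allow-transfer"] is not None else default_acl
        if z["type"] == "master":
            if acl is None:
                problems.append("no allow-transfer at zone or options level: older BIND 9 then serves AXFR to any host")
            elif any(a.lower() == "any" for a in acl):
                problems.append("allow-transfer { any; }: the whole zone is readable by anyone who asks")
            elif secondary_ip not in acl:
                problems.append(f"secondary {secondary_ip} missing from allow-transfer {acl}: its AXFR is refused")
        elif z["type"] == "slave" and not z["masters"]:
            problems.append("slave zone without masters: it never knows where to pull from")
        report[name] = problems
    return report


if __name__ == "__main__":
    for zone, problems in check_transfers(MASTER_CONF, "2.2.2.2").items():
        print(zone, "OK" if not problems else "; ".join(problems))
```

On the constructed master config only zone.com passes; typo.example reproduces the thread's failure, and the other two are the opposite mistake, a zone anyone can pull. The slave config is checked with the same function, which only needs masters to be present there.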
 
LVL 26

Expert Comment

by:jar3817
ID: 16847987
...and that is exactly what I said in the FIRST post of this question. Enjoy your points.
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 16848089
So, what was the eventual issue?

-Jon
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 16848127
jar - as a PE, I don't really need pts (Premium access is given to all PEs) - the only purpose they serve anymore is to increase the pts total for things like "Top 15", Master, Guru, etc status...

If you want, I can re-open this for a pt split, but I think I put quite a bit more work into this after all...

Cheers,
-Jon
0
 
LVL 26

Expert Comment

by:jar3817
ID: 16851504
No no, don't sweat it, I was just irritated over how much time I spent on this one and that my first suggestion was the one that should have solved it. And someone else getting the points for it was just icing on the cake.
0
 
LVL 26

Expert Comment

by:jar3817
ID: 16855729
thanks, but really not necessary.
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 16856614
Hey, part of my (volunteer) job as PE is to make sure everyone is warm and fuzzy.  Besides, splitting some pts with you here might lead to a more detailed explanation in the future.  

I can't count the number of times back in the old days before I was asked to be a PE that I'd post right off the bat with "your problem is almost certainly X", and then later some junior member would pipe up and explain what X was, and how exactly to determine if it is indeed X, and how to get rid of X, and then get awarded pts (this was before the interface allowed for splitting - all splits had to be handled by admins, as PEs did not exist either).  Funny how things work out.

Cheers,
-Jon


0
 

Author Comment

by:c_hockland
ID: 16858395
Hey folks,
With a taste of dismay I see that even the 'experts' can deal with micromanagement. Life is too short to argue over some points... enjoy your life and seize your day....
My God, 2 years in Kosovo with the 32 Marine Brigade (seeing little children starving) taught me that everything else in life is insignificant....
I apologize for creating this disturbance. You all are doing a great job... this site is a fun place, and very educational... please set the paragon for us (the mortal ones).
Peace my brothers...

Nick.
0
