Solved

BIND zone transfers not working

Posted on 2010-11-23
Last Modified: 2012-05-10
I am working with two primary DNS servers that host records for numerous domains. Currently the process is to update the named.conf on both manually and copy the zone files to both manually.

What I would like to happen is to make the change on NS1 (10.0.1.189) and have it replicate to the other DNS servers. It looks like it is set up this way; however, I manually created a zone file on NS1 and it did not get copied to NS2.

Below is part of my named.conf; let me know if you need any other information, please.
acl "xfer" {
        none; PUBLIC IP; 10.0.1.189; PUBLIC IP; 10.0.1.188;
        // Allow no transfers.  Other NS we own go here
};

acl "trusted" {
        //location of our intranet and internal subnets that may need query
        // our outside ip
        localhost; PUBLIC IP; PUBLIC IP; PUBLIC IP; 10.0.1.188; 10.0.1.189; 10.0.1.187;
};

        //DOS attack prevention
        notify no;
        //

        dnssec-enable yes;

        // Generate more efficient transfers
        transfer-format many-answers;
        //

        //Max zone transfer time in minutes
        max-transfer-time-in 60;
        //

        //Limit zone transfers to transfer ACL only
        allow-transfer { xfer; };

        //No dynamic interface so no need for poll state
        interface-interval 0;

        // global option set to only allow queries from acl trusted.
        // explicitly allow hosted zones below
        //
        allow-query { trusted; };

        //global option to prevent recursion except internally
        allow-recursion { trusted; };
};

zone "domain.com" in {
        type master;
        file "db_files_external/db.domain.com";
        allow-query { any; };
        allow-update { none; };
        notify yes;
        allow-transfer { { trusted; };
        };
        };

Question by:ThorinO
14 Comments
 
Accepted Solution by: Chris Dent (earned 416 total points)

Can we see the Secondary server configuration as well?

From the secondary server, can you verify you can run either of these?

nslookup
server primary-server
ls -d domain.com

Or:

dig domain.com axfr @primary-server

Chris
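A shell helper, added here as an editor's example and not part of Chris Dent's reply, that runs the dig AXFR probe from the secondary and classifies the result the way the follow-up questions ask: records received, REFUSED, or timeout. The zone name and 10.0.1.189 are the thread's; the function names and the interpretation rules are this example's own, and the dig output they key on is the standard text dig prints for a completed, refused, or unreachable transfer.

```shell
#!/bin/sh
# Added example (not from the thread): classify an AXFR probe so the failure
# points at the ACL or at the network. Function names are this example's own.

# classify_axfr: read dig(1) output on stdin and print one of
#   OK <n>    n resource records received (the SOA is counted twice: start and end)
#   REFUSED   named answered but refused the transfer: allow-transfer / acl did not match
#   TIMEOUT   nothing answered on TCP 53: firewall, listen-on, or named not running
#   UNKNOWN   output matched none of the above
classify_axfr() {
    out=$(cat)
    case "$out" in
        *"connection timed out"*|*"no servers could be reached"*)
            echo TIMEOUT; return 2 ;;
    esac
    case "$out" in
        *"Transfer failed"*|*REFUSED*)
            echo REFUSED; return 1 ;;
    esac
    # Answer lines are the non-comment lines carrying the IN class column.
    n=$(printf '%s\n' "$out" | grep -v '^;' | grep -c '[[:space:]]IN[[:space:]]' || true)
    if [ "$n" -gt 0 ]; then
        echo "OK $n"; return 0
    fi
    echo UNKNOWN; return 3
}

# probe_axfr ZONE MASTER: run the real query (AXFR is always TCP) and classify it.
# Usage from the secondary:  probe_axfr domain.com 10.0.1.189
probe_axfr() {
    dig +tcp +time=5 +tries=1 "$1" axfr "@$2" 2>&1 | classify_axfr
}
```

REFUSED means named on the primary saw the request but the secondary's source address did not match the address list in allow-transfer, so the fix is in the acl or the zone stanza; TIMEOUT means the TCP connection never got through, which is a firewall or listen-on problem rather than an ACL one, and a plain UDP lookup succeeding does not rule it out.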
Author Comment by: ThorinO
It is pretty much the same; below is the only difference, and the only thing that changes is that it is missing one public/private IP from the list. Everything else seems to be the same.
acl "xfer" {
        none; PUBLIC IP; 10.0.1.189;
        // Allow no transfers.  Other NS we own go here
};

acl "trusted" {
        //location of our intranet and internal subnets that may need query
        // our outside ip
        localhost; PUBLIC IP; PUBLIC IP; 10.0.1.188; 10.0.1.189;
};

Expert Comment by: Chris Dent

Except for the zone definition I hope? :)

The command above should test the zone transfer in principle. If that works, then so should the real transfer. If it doesn't, you'll either need to look at the ACLs or at network access between servers. Remember that zone transfers need TCP port 53, not just UDP.

Chris
Author Comment by: ThorinO
The zones look the same on both servers, like the one below.

When I run the dig command you provided, the transfer fails. Both of the name servers are on the same network, so I ran "dig domain.com axfr @10.0.1.189".
zone "domain.com" in {
        type master;
        file "db_files_external/db.domain.com";
        allow-query { any; };
        allow-update { none; };
        notify yes;
        allow-transfer { { trusted; };
        };
        };

Assisted Solution by: Chris Dent (earned 416 total points)
> The zones look the same on both servers, like the one below.

One needs to be configured as Secondary (slave) if you expect this to be automatic within DNS (using Zone Transfers). Otherwise you'll be looking at a replication technique outside of DNS, whether that's rsync or something else.

Is the extra curly brace pair on your allow-transfer statement a typo here? Or a typo in named.conf? That is, I would expect:
zone "domain.com" in {
  type master;
  file "db_files_external/db.domain.com";
  allow-query { any; };
  allow-update { none; };
  notify yes;
  allow-transfer { trusted; };
};


You will need axfr to work as well, but that may be caused by the potential error in allow-transfer.

Chris
Author Comment by: ThorinO
I assume that the extra bracket is a typo; I have no idea, though, as I did not set them up.

How should zone look on NS2, I assume type needs to be slave instead of master?

What else besides changing that would I need to do to get things working correct?
Assisted Solution by: Chris Dent (earned 416 total points)
Yep, you're right. Let's see, something like this.
zone "domain.com" in {
  type slave;
  file "db_files_external/db.domain.com";
  allow-query { any; };
};


Make the change to the allow-transfer rule on the primary first, then check you can transfer the zone using dig (axfr). If you can't, does dig give you a "REFUSED" response? Or timeout? Or something else?

Chris
Author Comment by: ThorinO
It just said FAILED, so the dig command you gave me is a way to force the transfer?

So should I be able to create the test zone information, then create the actual zone file, and it should copy that physical file to NS2?
Assisted Solution by: Chris Dent (earned 416 total points)

A zone transfer is just another type of query; a special one, but it's just a matter of getting the question right. That's what we do when we tell dig to ask for AXFR (it goes into the record type field in the query).

If you're going for a slave you won't need to copy the file over, it'll sort itself out.

Chris
Author Comment by: ThorinO
What about named.conf, do I need to update that on both sides or will it copy itself over to NS2?
Assisted Solution by: Chris Dent (earned 416 total points)

Both sides, there's no replication mechanism for named.conf within DNS.

The scenario we're playing with here has two entirely separate DNS servers that just happen to share a copy of a zone, where one of the servers is the boss. They don't have more interaction than that.

Chris
Author Comment by: ThorinO
Is there a better way to accomplish what I am trying to do here? I am used to Windows DNS, in that you make a change on one and it replicates to the other.

Basically what I am trying to accomplish is two-fold.

1. Make it so editing only needs to occur on 1 server
2. Those changes made on NS1 get automatically copied to NS2 and NS3
Expert Comment by: Chris Dent
> I am used to Windows DNS in that you make a change on one and it replicates to the other.

Only if you use AD Integrated Zones. Basically the replication mechanism is taken out of the hands of the DNS server, DNS only loads the zone from there, a common source. It's a reasonable mechanism, but not at all suitable for public DNS zones.

What you intend is fine using the primary / secondary model, you just need to be aware that the initial setup needs to be done on each server.

You can find options that have a greater degree of automation, you tend to get what you pay for in that respect. I've often wondered what InfoBlox offers for public DNS services, but they aren't free :)

I'll have a look at your files in more detail and see if I can see anything that might prevent transfer.

Chris
Assisted Solution by: arnold (earned 84 total points)
If you are using Windows DNS, as Chris-Dent pointed out in comment ID 34200438, make sure the zone is AD integrated and it will replicate among the DNS servers in the domain.

If you are still managing it within BIND: in the comment by Chris-Dent #34200021, the slave designation for the zone is correct; the problem is that it is missing the designation of where the master server is:
        masters ip_of_master;

IMHO, there is no need to add a per-zone allow-query {any;}; or allow-transfer {xfer;}; if you define it correctly globally.
Do not disable notify, as this is the way by which the master server notifies the subordinates that an update to a zone has occurred (based on the NS records in the zone file). You would still need to take the master configuration and convert it into the subordinate configuration prior to transferring it, by replacing the type master with type slave and adding the masters line.

The location of the file is not as important; given one server will be the master and the other the slave, there is no possibility that the slave server will have a zone that does not exist on the master. You could of course, as part of the data conversion script, alter the path of the file on NS2.

Should the master server fail for any reason, the data on the slave can be used as the new master by altering the configuration back, i.e. replacing the type slave and masters lines with type master;

The zone file will be in BIND format, which would be organized if there are subdomains defined within.

Within the main configuration you have acls defined, but I do not see the opening options statement where allow-transfer, allow-query, etc. would be defined. I see the parameter settings themselves and presume the absence is merely a typo when copying and pasting the data.
zone "domain.com" in {
        type slave;
        masters { 10.0.1.189; };
        file "db_files_external/db.domain.com";
        allow-query { any; };
};
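The conversion arnold describes, as an added example that is not arnold's or the thread's code: a POSIX shell function that reads NS1's named.conf and emits the matching slave stanzas for NS2, swapping type master for type slave plus a masters line, dropping the per-zone allow-update and notify lines (the slave inherits the global setting), and optionally moving the zone file into another directory and naming a TSIG key on the masters line. The master address 10.0.1.189 is the thread's; the function name, the slaves/ directory, the key name ns1-ns2, and the assumption that each zone directive sits on its own line (as in Chris Dent's corrected stanza, not the broken double-brace one) are this example's.

```shell
#!/bin/sh
# Added example (not from the thread): derive NS2's slave zone stanzas from
# NS1's named.conf. Function name and defaults are this example's own.

# to_slave_conf MASTER_IP [DIR] [KEYNAME]
#   Reads named.conf on stdin, writes slave-side zone stanzas on stdout.
#   Only "type master" zones are converted; options, acl and non-master zones
#   (hint, localhost, ...) are dropped, since NS2 keeps its own copies of those.
#   DIR, if given, replaces the directory part of each zone's "file" path.
#   KEYNAME, if given, makes the transfer request TSIG-signed with that key,
#   which must be defined by a "key" statement in both named.conf files.
to_slave_conf() {
    awk -v master="$1" -v dir="${2:-}" -v key="${3:-}" '
    function emit(    i, l, ind) {
        for (i = 0; i < n; i++) {
            l = line[i]
            match(l, /^[ \t]*/); ind = substr(l, 1, RLENGTH)   # keep indentation
            if (l ~ /^[ \t]*type[ \t]+master[ \t]*;/) {
                print ind "type slave;"
                if (key != "") print ind "masters { " master " key \"" key "\"; };"
                else           print ind "masters { " master "; };"
                continue
            }
            # A slave takes no dynamic updates; notify falls back to the global option.
            if (l ~ /^[ \t]*(allow-update|notify|also-notify)[ \t]/) continue
            if (dir != "" && l ~ /^[ \t]*file[ \t]/) sub(/"[^"]*\//, "\"" dir "/", l)
            print l
        }
    }
    /^[ \t]*zone[ \t]+"/ { inzone = 1; n = 0; ismaster = 0 }
    inzone {
        line[n++] = $0
        if ($0 ~ /^[ \t]*type[ \t]+master[ \t]*;/) ismaster = 1
        if ($0 ~ /^[ \t]*};[ \t]*$/) { if (ismaster) emit(); inzone = 0 }
    }'
}

# Usage on NS1:
#   to_slave_conf 10.0.1.189 slaves < /etc/named.conf > zones-ns2.conf
# then copy zones-ns2.conf to NS2 and include it from NS2's own named.conf.
```

NS2's named.conf still carries its own options and acl blocks, because named.conf itself never replicates. If a key name is given, the primary's zone should match on it rather than on an address list (allow-transfer { key "ns1-ns2"; };), so the transfer is tied to the shared secret instead of to whichever host sits on 10.0.1.188; the key statement itself, with the same name and secret, has to be present on both servers.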
