BIND zone transfers not working

Posted on 2010-11-23
Last Modified: 2012-05-10
I am working with two primary DNS servers that host records for numerous domains. Currently the process is to update the named.conf on both manually and copy the zone files to both manually.

What I would like to happen is to make the change on NS1 (10.0.1.189) and have it replicate to the other DNS servers. It looks like it is setup this way, however I manually created a zone file on NS1 and it did not get copied to NS2.

Below is part of my named.conf, let me know if you need any other information please.
acl "xfer" {
none; PUBLIC IP; 10.0.1.189; PUBLIC IP; 10.0.1.188; 
// Allow no transfers.  Other NS we own go here

};

acl "trusted" {
//location of our intranet and internal subnets that may need query
// our outside ip
localhost; PUBLIC IP; PUBLIC IP; PUBLIC IP; 10.0.1.188; 10.0.1.189; 10.0.1.187;
};

//DOS attack prevention
notify no;
//

dnssec-enable yes;

// Generate more efficient transfers
transfer-format many-answers;
//

//Max zone transfer time in minutes
max-transfer-time-in 60;
//


//Limit zone transfers to transfer ACL only

allow-transfer { xfer; };


//No dynamic interface so no need for poll state
interface-interval 0;

// global option set to only allow queries from acl trusted.
// explicitly allow hosted zones below
//
allow-query { trusted; };

//global option to prevent recursion except internally
allow-recursion { trusted; };

};

zone "domain.com" in {
                type master;
                file "db_files_external/db.domain.com";
                allow-query { any; };
                allow-update { none; };
                notify yes;
                allow-transfer { { trusted; };
                };
                };

Question by:ThorinO
14 Comments
LVL 71

Accepted Solution

by: Chris Dent, earned 416 total points
ID: 34199698

Can we see the Secondary server configuration as well?

From the secondary server, can you verify you can run either of these?

nslookup
server primary-server
ls -d domain.com

Or:

dig domain.com axfr @primary-server

Chris
LVL 10

Author Comment

by:ThorinO
ID: 34199739
It is pretty much the same; below is the only difference, and the only thing that changes is that it is missing 1 public/private IP from the list. Everything else seems to be the same.
acl "xfer" {
none; PUBLIC IP; 10.0.1.189; 
// Allow no transfers.  Other NS we own go here

};

acl "trusted" {
//location of our intranet and internal subnets that may need query
// our outside ip
localhost; PUBLIC IP; PUBLIC IP; 10.0.1.188; 10.0.1.189;
};

LVL 71

Expert Comment

by:Chris Dent
ID: 34199774

Except for the zone definition I hope? :)

The command above should test the zone transfer in principle. If that works then so should the real transfer. If it doesn't, you'll either need to look at the ACLs, or at network access between servers. Remember that zone transfers need TCP Port 53, not just UDP.

Chris
LVL 10

Author Comment

by:ThorinO
ID: 34199819
The zones look the same on both servers, like the one below.

When I run the dig command you provided the transfer fails. Both of the name servers are on the same network so I ran "dig domain.com axfr @10.0.1.189"
zone "domain.com" in {
                type master;
                file "db_files_external/db.domain.com";
                allow-query { any; };
                allow-update { none; };
                notify yes;
                allow-transfer { { trusted; };
                };
                };

LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 416 total points
ID: 34199938
> The zones look the same on both servers, like the one below.

One needs to be configured as Secondary (slave) if you expect this to be automatic within DNS (using Zone Transfers). Otherwise you'll be looking at a replication technique outside of DNS, whether that's rsync or something else.

Is the extra curly brace pair on your allow-transfer statement a typo here? Or a typo in named.conf? That is, I would expect:
zone "domain.com" in {
  type master;
  file "db_files_external/db.domain.com";
  allow-query { any; };
  allow-update { none; };
  notify yes;
  allow-transfer { trusted; };
};

You will need axfr to work as well, but that may be caused by the potential error in allow-transfer.

Chris
LVL 10

Author Comment

by:ThorinO
ID: 34199958
I assume that the extra bracket is a typo; I have no idea, though, as I did not set them up.

How should the zone look on NS2? I assume type needs to be slave instead of master?

What else besides changing that would I need to do to get things working correctly?
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 416 total points
ID: 34200021
Yep, you're right. Let's see, something like this.
zone "domain.com" in {
  type slave;
  file "db_files_external/db.domain.com";
  allow-query { any; };
};

Make the change to the allow-transfer rule on the primary first, then check you can transfer the zone using dig (axfr). If you can't, does dig give you a "REFUSED" response? Or timeout? Or something else?

Chris
LVL 10

Author Comment

by:ThorinO
ID: 34200263
It just said FAILED. So the dig command you gave me is a way to force the transfer?

So should I be able to create the test zone information then create the actual zone file and it should copy that physical file to NS2?
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 416 total points
ID: 34200293

A zone transfer is just another type of query, a special one but it's just a matter of getting the question right. That's what we do when we tell dig to ask for AXFR (it goes into the record type field in the query).

If you're going for a slave you won't need to copy the file over, it'll sort itself out.

Chris
LVL 10

Author Comment

by:ThorinO
ID: 34200318
What about named.conf, do I need to update that on both sides or will it copy itself over to NS2?
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 416 total points
ID: 34200370

Both sides, there's no replication mechanism for named.conf within DNS.

The scenario we're playing with here has two entirely separate DNS servers that just happen to share a copy of a zone, where one of the servers is the boss. They don't have more interaction than that.

Chris
LVL 10

Author Comment

by:ThorinO
ID: 34200394
Is there a better way to accomplish what I am trying to do here? I am used to Windows DNS, in that you make a change on one and it replicates to the other.

Basically what I am trying to accomplish is two-fold.

1. Make it so editing only needs to occur on 1 server
2. Those changes made on NS1 get automatically copied to NS2 and NS3
LVL 71

Expert Comment

by:Chris Dent
ID: 34200438
> I am used to Windows DNS in that you make a change on one and it replicates to the other.

Only if you use AD Integrated Zones. Basically the replication mechanism is taken out of the hands of the DNS server, DNS only loads the zone from there, a common source. It's a reasonable mechanism, but not at all suitable for public DNS zones.

What you intend is fine using the primary / secondary model, you just need to be aware that the initial setup needs to be done on each server.

You can find options that have a greater degree of automation, you tend to get what you pay for in that respect. I've often wondered what InfoBlox offers for public DNS services, but they aren't free :)

I'll have a look at your files in more detail and see if I can see anything that might prevent transfer.

Chris
LVL 78

Assisted Solution

by:arnold
arnold earned 84 total points
ID: 34234418
If you are using Windows DNS, as Chris-Dent pointed out in comment ID 34200438, make sure the zone is AD integrated and it will replicate among the DNS servers in the domain.

If you are still managing it within BIND:

In the comment by Chris-Dent #34200021, the slave designation for the zone is correct; the problem is that it is missing the designation of where the master server is:
masters ip_of_master;

IMHO, there is no need to add a per-zone allow-query {any;}; or allow-transfer {xfer;}; if you define it correctly globally.
Do not disable notify, as this is the way by which the master server notifies the subordinates that an update to a zone has occurred (based on the NS records in the zone file). You would still need to use the master configuration and convert it into the subordinate configuration prior to transferring it, by replacing the type master with type slave and adding the masters line.

The location of the file is not as important: given one server will be the master and the other the slave, there is no possibility that the slave server will have a zone that does not exist on the master. You could of course, as part of the data conversion script, alter the path of the file location on NS2.

Should the master server fail for any reason, the data on the slave can be used as the new master by altering the configuration back, i.e. replacing the type slave and masters line with type master;

The zone file will be in BIND format, which would be organized if there are subdomains defined within.

Within the main configuration you have acl defined, but I do not see the opening options set where the allow-transfer, allow-query, etc. would be defined. I see the parameter settings themselves and presume the absence is merely a typo when copying and pasting the data.
zone "domain.com" in {
  type slave;
  masters {10.0.1.189; };
  file "db_files_external/db.domain.com";
  allow-query { any; };
};
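
As an added example (not code from this thread or from BIND), the following Python lint walks a pasted named.conf fragment and reports the problems raised in this discussion: the brace imbalance left by a missing "options {" opener, the doubled brace inside allow-transfer, a slave zone with no masters statement, and any per-zone allow-transfer that overrides the global xfer ACL (with allow-transfer { any; } called out separately). The sample config is constructed to mirror the posted one; lint_named_conf and the finding texts are this example's own.

```python
import re

# Constructed sample mirroring the thread's config: the 'options' opener is
# missing (so one closing brace too many), the master zone carries the doubled
# brace in allow-transfer, and the slave zone has no masters statement.
SAMPLE = """\
acl "xfer" { 10.0.1.189; 10.0.1.188; };
allow-transfer { xfer; };
};
zone "domain.com" in {
  type master;
  file "db_files_external/db.domain.com";
  allow-transfer { { trusted; }; };
};
zone "example.net" in {
  type slave;
  file "db_files_external/db.example.net";
};
"""

def lint_named_conf(conf):
    """Return (zone, problem) tuples for the issues discussed in the thread."""
    findings = []
    opens, closes = conf.count("{"), conf.count("}")
    if opens != closes:
        findings.append(("<global>", f"unbalanced braces: {opens} '{{' vs {closes} '}}'"))
    for m in re.finditer(r'zone\s+"([^"]+)"[^{]*\{', conf):
        name, depth, i = m.group(1), 1, m.end()
        while i < len(conf) and depth:        # walk to the brace that closes this zone
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        body = conf[m.end():i - 1]
        ztype = re.search(r"\btype\s+(\w+)", body)
        if ztype and ztype.group(1) == "slave" and not re.search(r"\bmasters\s*\{", body):
            findings.append((name, "slave zone has no 'masters' statement"))
        xfer = re.search(r"allow-transfer\s*\{\s*(\{?)([^}]*)\}", body)
        if xfer:
            if xfer.group(1):               # a second '{' directly after the first one
                findings.append((name, "nested '{' inside allow-transfer (syntax error)"))
            acl = xfer.group(2).strip().rstrip(";").strip()
            if acl == "any":
                findings.append((name, "allow-transfer { any; } lets anyone copy the zone"))
            else:
                findings.append((name, f"per-zone allow-transfer '{acl}' overrides the global ACL"))
    return findings

if __name__ == "__main__":
    for zone, problem in lint_named_conf(SAMPLE):
        print(f"{zone}: {problem}")
```

Run it against the real file once the per-zone allow-transfer lines are removed, and the only remaining findings should be zones that genuinely need a narrower or wider transfer list than the global xfer ACL.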
