Solved

BIND zone transfers not working

Posted on 2010-11-23
Last Modified: 2012-05-10
I am working with two primary DNS servers that host records for numerous domains. Currently the process is to update the named.conf on both manually and copy the zone files to both manually.

What I would like to happen is to make the change on NS1 (10.0.1.189) and have it replicate to the other DNS servers. It looks like it is set up this way; however, I manually created a zone file on NS1 and it did not get copied to NS2.

Below is part of my named.conf, let me know if you need any other information please.
acl "xfer" {
none; PUBLIC IP; 10.0.1.189; PUBLIC IP; 10.0.1.188; 
// Allow no transfers.  Other NS we own go here

};

acl "trusted" {
//location of our intranet and internal subnets that may need query
// our outside ip
localhost; PUBLIC IP; PUBLIC IP; PUBLIC IP; 10.0.1.188; 10.0.1.189; 10.0.1.187;
};

//DOS attack prevention
notify no;
//

dnssec-enable yes;

// Generate more efficient transfers
transfer-format many-answers;
//

//Max zone transfer time in minutes
max-transfer-time-in 60;
//


//Limit zone transfers to transfer ACL only

allow-transfer { xfer; };


//No dynamic interface so no need for poll state
interface-interval 0;

// global option set to only allow queries from acl trusted.
// explicitly allow hosted zones below
//
allow-query { trusted; };

//global option to prevent recursion except internally
allow-recursion { trusted; };

};

zone "domain.com" in {
                type master;
                file "db_files_external/db.domain.com";
                allow-query { any; };
                allow-update { none; };
                notify yes;
                allow-transfer { { trusted; };
                };
                };

Question by:ThorinO
14 Comments
 
LVL 71

Accepted Solution

by:
Chris Dent earned 1664 total points
ID: 34199698

Can we see the Secondary server configuration as well?

From the secondary server, can you verify you can run either of these?

nslookup
server primary-server
ls -d domain.com

Or:

dig domain.com axfr @primary-server

Chris
0
 
LVL 10

Author Comment

by:ThorinO
ID: 34199739
It is pretty much the same, below is the only difference and the only thing that changes is that it is missing 1 public/private IP from the list. Everything else seems to be the same.
acl "xfer" {
none; PUBLIC IP; 10.0.1.189; 
// Allow no transfers.  Other NS we own go here

};

acl "trusted" {
//location of our intranet and internal subnets that may need query
// our outside ip
localhost; PUBLIC IP; PUBLIC IP; 10.0.1.188; 10.0.1.189;
};

 
LVL 71

Expert Comment

by:Chris Dent
ID: 34199774

Except for the zone definition I hope? :)

The command above should test the zone transfer in principle. If that works then so should the real transfer. If it doesn't, you'll either need to look at the ACLs, or at network access between servers. Remember that zone transfers need TCP Port 53, not just UDP.

Chris
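Added example, not part of the thread: a small Python helper that builds Chris's `dig ... axfr` check for use in a script and classifies what dig prints, so a secondary can confirm a transfer actually completed rather than eyeballing the output. The sample outputs are constructed, not captured from the servers above; the success condition it applies is the standard one (the zone's SOA record opens and closes a complete AXFR with the same serial).

```python
"""Added example (not from the thread): classify the output of
`dig <zone> axfr @<server>`. A complete AXFR starts and ends with the zone's
SOA record; `; Transfer failed.` means refusal or a failed TCP/53 session."""
import re
import shlex
from dataclasses import dataclass
from typing import Optional

# dig prints records as: name TTL IN SOA mname rname serial ...
SOA_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SOA\s+\S+\s+\S+\s+(\d+)", re.MULTILINE)


@dataclass
class AxfrResult:
    status: str            # "ok", "failed" or "incomplete"
    records: int           # resource records received (closing SOA not counted)
    serial: Optional[int]  # zone serial when the transfer completed


def axfr_command(zone: str, server: str) -> str:
    """The command from the thread, quoted safely for a shell."""
    return shlex.join(["dig", zone, "axfr", f"@{server}"])


def classify_axfr(output: str) -> AxfrResult:
    if "Transfer failed" in output:
        return AxfrResult("failed", 0, None)   # ACL refusal or no TCP/53 path
    records = [l for l in output.splitlines() if l.strip() and not l.startswith(";")]
    soas = SOA_RE.findall(output)
    if len(soas) >= 2 and soas[0] == soas[-1]:
        # the trailing SOA only closes the transfer; do not count it twice
        return AxfrResult("ok", len(records) - 1, int(soas[0][1]))
    return AxfrResult("incomplete", len(records), None)


# constructed samples of dig output; not captured from the thread's servers
SAMPLE_OK = """\
; <<>> DiG 9.7.0 <<>> domain.com axfr @10.0.1.189
domain.com.\t86400\tIN\tSOA\tns1.domain.com. hostmaster.domain.com. 2010112301 3600 900 604800 86400
domain.com.\t86400\tIN\tNS\tns1.domain.com.
domain.com.\t86400\tIN\tNS\tns2.domain.com.
ns1.domain.com.\t86400\tIN\tA\t10.0.1.189
domain.com.\t86400\tIN\tSOA\tns1.domain.com. hostmaster.domain.com. 2010112301 3600 900 604800 86400
;; Query time: 2 msec
"""
SAMPLE_FAILED = """\
; Transfer failed.
"""

if __name__ == "__main__":
    print(axfr_command("domain.com", "10.0.1.189"))
    print(classify_axfr(SAMPLE_OK))
    print(classify_axfr(SAMPLE_FAILED))
```

Run the printed command from NS2 and feed its output to classify_axfr; "failed" with the ACL looking right usually points at the TCP 53 path Chris mentions.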

 
LVL 10

Author Comment

by:ThorinO
ID: 34199819
The zones look the same on both servers, like the one below.

When I run the dig command you provided the transfer fails. Both of the name servers are on the same network so I ran "dig domain.com axfr @10.0.1.189"
zone "domain.com" in {
                type master;
                file "db_files_external/db.domain.com";
                allow-query { any; };
                allow-update { none; };
                notify yes;
                allow-transfer { { trusted; };
                };
                };

 
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 1664 total points
ID: 34199938
> The zones look the same on both servers, like the one below.

One needs to be configured as Secondary (slave) if you expect this to be automatic within DNS (using Zone Transfers). Otherwise you'll be looking at a replication technique outside of DNS, whether that's rsync or something else.

Is the extra curly brace pair on your allow-transfer statement a typo here? Or a typo in named.conf? That is, I would expect:
zone "domain.com" in {
  type master;
  file "db_files_external/db.domain.com";
  allow-query { any; };
  allow-update { none; };
  notify yes;
  allow-transfer { trusted; };
};


You will need axfr to work as well, but that may be caused by the potential error in allow-transfer.

Chris
 
LVL 10

Author Comment

by:ThorinO
ID: 34199958
I assume that the extra bracket is a typo; I have no idea though, as I did not set them up.

How should the zone look on NS2? I assume type needs to be slave instead of master?

What else besides changing that would I need to do to get things working correctly?
 
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 1664 total points
ID: 34200021
Yep, you're right. Let's see, something like this.
zone "domain.com" in {
  type slave;
  file "db_files_external/db.domain.com";
  allow-query { any; };
};


Make the change to the allow-transfer rule on the primary first, then check you can transfer the zone using dig (axfr). If you can't, does dig give you a "REFUSED" response? Or timeout? Or something else?

Chris
 
LVL 10

Author Comment

by:ThorinO
ID: 34200263
It just said FAILED, so the dig command you gave me is a way to force the transfer?

So should I be able to create the test zone information then create the actual zone file and it should copy that physical file to NS2?
 
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 1664 total points
ID: 34200293

A zone transfer is just another type of query, a special one but it's just a matter of getting the question right. That's what we do when we tell dig to ask for AXFR (it goes into the record type field in the query).

If you're going for a slave you won't need to copy the file over, it'll sort itself out.

Chris
 
LVL 10

Author Comment

by:ThorinO
ID: 34200318
What about named.conf, do I need to update that on both sides or will it copy itself over to NS2?
 
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 1664 total points
ID: 34200370

Both sides, there's no replication mechanism for named.conf within DNS.

The scenario we're playing with here has two entirely separate DNS servers that just happen to share a copy of a zone, where one of the servers is the boss. They don't have more interaction than that.

Chris
 
LVL 10

Author Comment

by:ThorinO
ID: 34200394
Is there a better way to accomplish what I am trying to do here? I am used to Windows DNS, in that you make a change on one and it replicates to the other.

Basically what I am trying to accomplish is two-fold.

1. Make it so editing only needs to occur on 1 server
2. Those changes made on NS1 get automatically copied to NS2 and NS3
 
LVL 71

Expert Comment

by:Chris Dent
ID: 34200438
> I am used to Windows DNS in that you make a change on one and it replicates to the other.

Only if you use AD Integrated Zones. Basically the replication mechanism is taken out of the hands of the DNS server, DNS only loads the zone from there, a common source. It's a reasonable mechanism, but not at all suitable for public DNS zones.

What you intend is fine using the primary / secondary model, you just need to be aware that the initial setup needs to be done on each server.

You can find options that have a greater degree of automation, you tend to get what you pay for in that respect. I've often wondered what InfoBlox offers for public DNS services, but they aren't free :)

I'll have a look at your files in more detail and see if I can see anything that might prevent transfer.

Chris
 
LVL 79

Assisted Solution

by:arnold
arnold earned 336 total points
ID: 34234418
If you are using Windows DNS, as Chris-Dent pointed out in comment ID 34200438, make sure the zone is AD integrated and it will replicate among the DNS servers in the domain.

If you are still managing it within BIND:

In the comment by Chris-Dent #34200021

The slave designation for the zone is correct; the problem is that it is missing the designation of where the master server is:
masters ip_of_master;

IMHO, there is no need to add a per-zone allow-query { any; }; or allow-transfer { xfer; }; if you define it correctly globally.
Do not disable notify, as this is the way by which the master server notifies the subordinates that an update to a zone has occurred (based on the NS records in the zone file). You would still need to use the master configuration and convert it into the subordinate configuration prior to transferring it, by replacing the type master with the type slave and adding the masters line.

The location of the file is not as important: given one server will be the master and the other the slave, there will not exist a possibility that the slave server has a zone that does not exist on the master. You could of course, as part of the data conversion script, alter the path of the file location on NS2.

Should the master server fail for any reason, the data on the slave can be used as the new master by altering the configuration back, i.e. replacing the type slave and masters line with type master;

The zone file will be in BIND format, which would be organized if there are subdomains defined within.

Within the main configuration you have acl defined, but I do not see the opening options block where the allow-transfer, allow-query, etc. would be defined. I see the parameter settings themselves and presume the absence is merely a typo when copying and pasting the data.
zone "domain.com" in {
  type slave;
  masters {10.0.1.189; };
  file "db_files_external/db.domain.com";
  allow-query { any; };
};

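Added example, not arnold's own script: a Python sketch of the "data conversion" he describes, turning NS1's primary zone stanzas into the stanzas NS2 needs (type slave plus a masters list, with the primary-only allow-update, notify and allow-transfer statements dropped). The named.conf sample is constructed to mirror the thread's stanza, doubled braces included, and the master address 10.0.1.189 is NS1 from the question; acl and options blocks pass through untouched because, as the thread notes, named.conf itself is not replicated.

```python
"""Added example (not arnold's script): derive NS2's zone stanzas from NS1's
named.conf: type master -> type slave + masters, primary-only statements dropped."""
import re

PRIMARY_ONLY = {"allow-update", "allow-transfer", "notify", "also-notify"}

def split_statements(text: str) -> list:
    """Split BIND config text into statements at top-level ';' (brace-aware)."""
    text = re.sub(r"//[^\n]*|/\*.*?\*/", "", text, flags=re.S)  # drop comments
    stmts, buf, depth = [], [], 0
    for ch in text:
        depth += (ch == "{") - (ch == "}")
        if ch == ";" and depth == 0:
            if "".join(buf).strip():
                stmts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    return stmts

def to_secondary(conf: str, master_ip: str) -> str:
    """Return secondary-side zone stanzas for every 'type master' zone in conf."""
    out = []
    for stmt in split_statements(conf):
        m = re.match(r'zone\s+"([^"]+)"(?:\s+\w+)?\s*\{(.*)\}$', stmt, re.S)
        if not m or not re.search(r"\btype\s+master\b", m.group(2)):
            continue  # acl/options blocks and non-primary zones are left alone
        kept = ["type slave", "masters { %s; }" % master_ip]
        for inner in split_statements(m.group(2)):
            if inner.split()[0] not in PRIMARY_ONLY | {"type"}:
                kept.append(inner)  # file, allow-query, ... carry over unchanged
        out.append('zone "%s" in {\n%s\n};' % (m.group(1), "\n".join("  %s;" % k for k in kept)))
    return "\n\n".join(out)

# constructed to mirror the thread's NS1 stanza (doubled braces included)
PRIMARY_CONF = """
acl "xfer" { 10.0.1.188; 10.0.1.189; };
zone "domain.com" in {
  type master;
  file "db_files_external/db.domain.com";
  allow-query { any; };
  allow-update { none; };
  notify yes;
  allow-transfer { { xfer; }; };   // as pasted in the question
};
"""

if __name__ == "__main__":
    print(to_secondary(PRIMARY_CONF, "10.0.1.189"))
```

Run named-checkconf on the generated file before loading it; the script only rewrites stanzas, it does not validate them.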
