ThorinO asked:
BIND zone transfers not working

I am working with two primary DNS servers that host records for numerous domains. Currently the process is to update the named.conf on both manually and copy the zone files to both manually.

What I would like to happen is to make the change on NS1 (10.0.1.189) and have it replicate to the other DNS servers. It looks like it is setup this way, however I manually created a zone file on NS1 and it did not get copied to NS2.

Below is part of my named.conf, let me know if you need any other information please.
acl "xfer" {
none; PUBLIC IP; 10.0.1.189; PUBLIC IP; 10.0.1.188; 
// Allow no transfers.  Other NS we own go here

};

acl "trusted" {
//location of our intranet and internal subnets that may need query
// our outside ip
localhost; PUBLIC IP; PUBLIC IP; PUBLIC IP; 10.0.1.188; 10.0.1.189; 10.0.1.187;
};

//DOS attack prevention
notify no;
//

dnssec-enable yes;

// Generate more efficient transfers
transfer-format many-answers;
//

//Max zone transfer time in minutes
max-transfer-time-in 60;
//


//Limit zone transfers to transfer ACL only

allow-transfer { xfer; };


//No dynamic interface so no need for poll state
interface-interval 0;

// global option set to only allow queries from acl trusted.
// explicitly allow hosted zones below
//
allow-query { trusted; };

//global option to prevent recursion except internally
allow-recursion { trusted; };

};

zone "domain.com" in {
                type master;
                file "db_files_external/db.domain.com";
                allow-query { any; };
                allow-update { none; };
                notify yes;
                allow-transfer { { trusted; };
                };
                };


ASKER CERTIFIED SOLUTION
Chris Dent
ThorinO (ASKER):

It is pretty much the same; below is the only difference, and the only thing that changes is that it is missing 1 public/private IP from the list. Everything else seems to be the same.
acl "xfer" {
none; PUBLIC IP; 10.0.1.189; 
// Allow no transfers.  Other NS we own go here

};

acl "trusted" {
//location of our intranet and internal subnets that may need query
// our outside ip
localhost; PUBLIC IP; PUBLIC IP; 10.0.1.188; 10.0.1.189;
};



Except for the zone definition I hope? :)

The command above should test the zone transfer in principle. If that works, then so should the real transfer. If it doesn't, you'll either need to look at the ACLs or at network access between servers. Remember that zone transfers need TCP port 53, not just UDP.

Chris
ThorinO (ASKER):

The zones look the same on both servers, like the one below.

When I run the dig command you provided, the transfer fails. Both of the name servers are on the same network, so I ran "dig domain.com axfr @10.0.1.189"
zone "domain.com" in {
                type master;
                file "db_files_external/db.domain.com";
                allow-query { any; };
                allow-update { none; };
                notify yes;
                allow-transfer { { trusted; };
                };
                };


SOLUTION
ThorinO (ASKER):

I assume that the extra bracket is a typo; I have no idea though, as I did not set them up.

How should the zone look on NS2? I assume the type needs to be slave instead of master?

What else besides changing that would I need to do to get things working correctly?

SOLUTION
ThorinO (ASKER):

It just said FAILED, so the dig command you gave me is a way to force the transfer?

So should I be able to create the test zone information then create the actual zone file and it should copy that physical file to NS2?

SOLUTION
ThorinO (ASKER):

What about named.conf, do I need to update that on both sides or will it copy itself over to NS2?

SOLUTION
ThorinO (ASKER):

Is there a better way to accomplish what I am trying to do here? I am used to Windows DNS, in that you make a change on one and it replicates to the other.

Basically what I am trying to accomplish is two-fold.

1. Make it so editing only needs to occur on 1 server
2. Those changes made on NS1 get automatically copied to NS2 and NS3

> I am used to Windows DNS in that you make a change on one and it replicates to the other.

Only if you use AD Integrated Zones. Basically the replication mechanism is taken out of the hands of the DNS server, DNS only loads the zone from there, a common source. It's a reasonable mechanism, but not at all suitable for public DNS zones.

What you intend is fine using the primary / secondary model, you just need to be aware that the initial setup needs to be done on each server.

You can find options that have a greater degree of automation, you tend to get what you pay for in that respect. I've often wondered what InfoBlox offers for public DNS services, but they aren't free :)

I'll have a look at your files in more detail and see if I can see anything that might prevent transfer.

Chris
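As an added example (not from the thread or from the poster's servers) of the primary/secondary setup Chris describes, here is how the zone would be defined on each server: NS1 (10.0.1.189) as primary, NS2 (10.0.1.188) as secondary, with transfers restricted to the secondary and the stray brace from the posted zone stanza removed. The key name "xfer-key", the placeholder secret and the "slaves/" directory on NS2 are assumptions.

```conf
// NS1 (10.0.1.189), the primary. Added example, not the thread's own config.
// Assumption: a TSIG key shared with NS2; generate one with "tsig-keygen xfer-key"
// and paste its output. The secret below is a placeholder, not a real key.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "<base64 secret from tsig-keygen>";
};

// Sign NOTIFY and transfer traffic sent to NS2 with that key.
server 10.0.1.188 {
    keys { "xfer-key"; };
};

options {
    // ... existing options from the thread's named.conf ...
    // Require the key: an IP-only ACL such as "xfer" can be satisfied by a spoofed source.
    allow-transfer { key "xfer-key"; };
};

zone "domain.com" in {
    type master;
    file "db_files_external/db.domain.com";
    allow-query { any; };
    allow-update { none; };
    notify yes;                           // zone-level setting overrides the global "notify no"
    also-notify { 10.0.1.188; };
    allow-transfer { key "xfer-key"; };   // one brace pair, not "{ { trusted; };"
};

// NS2 (10.0.1.188), the secondary. Same key, pointed at NS1.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "<same base64 secret as on NS1>";
};

server 10.0.1.189 {
    keys { "xfer-key"; };
};

zone "domain.com" in {
    type slave;                   // spelled "secondary" in BIND 9.16 and later
    masters { 10.0.1.189; };      // spelled "primaries" in BIND 9.16 and later
    file "slaves/db.domain.com";  // written by named itself; the directory must be writable by it
    allow-query { any; };
    allow-transfer { none; };     // nothing downstream of NS2 needs AXFR from it
};
// Check both files with "named-checkconf", reload with "rndc reload", then verify from NS2
// (TCP port 53 from NS2 to NS1 must be open; AXFR does not work over UDP alone):
//   dig -y hmac-sha256:xfer-key:<secret> @10.0.1.189 domain.com axfr
```

The zone stanza still has to exist in named.conf on both servers; only the zone data is transferred, never the configuration.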

SOLUTION