• Status: Solved
  • Priority: Medium
  • Security: Public

Zone transfers from ISP not working

Been trying to get our Windows 2008 R2 DNS servers on our DMZ to pull a secondary copy of a zone from our registrar. I found out today from someone there that the reason it's not working most likely is because their DNS servers use Epoch for time stamps and Windows uses date and time. I think that is what they said. Anyway, is there a way to convert the Windows box so it uses Epoch, or are there any workarounds? This is a brand new box with nothing on it so no chance of breaking anything. If I have to change something on the Windows box to get this to work, I would like to be able to change it back if it doesn't fix the problem.
1 Solution
Cliff GaliherCommented:
Windows follows RFC specs for zone transfers so as long as the end server is configured properly, timezone differences are accounted for.

I would find it far more likely that the registrar has disabled zone transfers and most level-1 techs don't know or understand the system well enough to tell if this is true or understand what this means or entails, so you get the runaround. Since zone transfers are often a method of moving from one registrar to another, most registrars lock this out intentionally. Partially as a way to lock in business, and partially as a legitimate security precaution.

The process of allowing and enabling zone transfers is usually laborious, requires finding the "right" tech who actually knows what is going on, and requires several steps to verify proof of ownership (again, part of this is a legitimate security boundary).

For what it's worth, I've long stopped dealing with registrar DNS hosting. I use 3rd-party DNS hosts for all registered domain names and, since their specialty is DNS, never have issues getting transfers going for those scenarios where it is required or makes sense.

At any rate, as a firm believer in "trust but verify"... I'd verify everything your registrar is telling you. Wireshark is very helpful in this regard, and if the transfer is not occurring because of a time discrepancy, that rejection will still show up in the network traffic and the reason should be fairly evident. Before I went monkeying with an RFC-compliant DNS server just to appease the registrar, I'd want to make darn sure the changes would accomplish the goal. Otherwise you'd have broken the DNS implementation and still would not have transfers working.

shadowtuckAuthor Commented:
Thanks for all that info. I get a different answer every time I call. I also feel the way you do, that I am getting blocked. The message in the Windows DNS application log indicates that. It says it cannot connect to their server. That's pretty clear to me. I can use dig and nslookup to query their server and it returns records to me for zones they host for us, so that connectivity is in place, but I can't do a zone transfer. There has to be some security in place on their end and I think that is where the problem is. I have said this to them repeatedly and they keep pushing me off in another direction.
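The "trust but verify" step above can be scripted. The following is an added example, not code posted by anyone in the thread: it separates the two failure modes being argued about (the primary is unreachable on TCP/53, versus the primary answers but refuses the AXFR by policy) using the same `dig` the author already has on hand. It assumes BIND's `dig` is installed; the server and zone names in the usage comment are placeholders.

```sh
#!/bin/sh
# Added example, not from the thread. Checks whether a zone transfer (AXFR)
# from a primary is possible and, if not, whether the failure is a connectivity
# problem or a policy refusal. Assumes `dig` (BIND utilities) is installed;
# the server and zone names in the usage comment are placeholders.

# Step 1: plain SOA query. If this returns a serial, port 53 reachability and
# the server's authority for the zone are fine; only the transfer is blocked.
soa_serial() {
    # prints the SOA serial number, or nothing if the query fails
    dig +short +time=5 +tries=1 "@$1" "$2" SOA | awk '{print $3}'
}

# Step 2: classify captured `dig ... AXFR` output read from stdin.
# Prints TRANSFER_OK, TRANSFER_REFUSED, CONNECT_FAIL or UNKNOWN.
axfr_status() {
    out=$(cat)
    case "$out" in
        *"connection timed out"*|*"no servers could be reached"*|*"connection refused"*)
            echo CONNECT_FAIL ;;        # TCP/53 blocked by a firewall, or host down
        *"XFR size:"*)
            echo TRANSFER_OK ;;         # dig prints this line only after a complete transfer
        *"Transfer failed."*)
            echo TRANSFER_REFUSED ;;    # server answered but rejected the AXFR (ACL / policy)
        *)
            echo UNKNOWN ;;
    esac
}

# Run the real check. dig uses TCP for AXFR, exactly as a secondary would,
# so a CONNECT_FAIL here matches the "cannot connect" event in the Windows DNS log.
check_axfr() {
    dig +time=5 +tries=1 "@$1" "$2" AXFR 2>&1 | axfr_status
}

# Usage (placeholder names):
#   soa_serial ns1.registrar.example example.com   # expect a serial number
#   check_axfr ns1.registrar.example example.com   # expect TRANSFER_OK or TRANSFER_REFUSED
```

A `TRANSFER_REFUSED` result next to a successful `soa_serial` is the registrar's ACL talking, not a time-stamp problem, which is the evidence worth bringing to the next support call. In Wireshark the same distinction is visible with the display filter `dns.qry.type == 252` (AXFR) combined with `dns.flags.rcode == 5` (REFUSED); a transfer blocked by a firewall shows no DNS response at all, only unanswered TCP SYNs. The same script, run from an address that should not be allowed to pull zones, is also a quick way to confirm that your own DMZ servers are restricting AXFR to their intended secondaries.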
Cliff GaliherCommented:
Well, as I said, usually the easiest solution is to just not host DNS with an ISP or registrar. I find using a reliable DNS host is better from both a support perspective and from a reliability standpoint. I personally put my clients on DynDNS, but I've heard good things about ZoneEdit and Comodo as well. Getting onto a different DNS provider is quite inexpensive and will remove this hassle from your back.