Deorali asked:
Unable to query the entire zones from linux machines

Hi Experts,

I added two new Windows Server 2012 R2 Domain Controllers to the existing Windows Server 2008 R2 DCs. I am in the process of testing that everything is in order before decommissioning the W2K8 DCs.

On the Linux host, I removed the IPs pointing to Windows Server 2008 DNS and added the DNS IPs of Windows Server 2012 R2 in /etc/resolv.conf. After the update, I am not able to query the records from the entire zone. Here is the error I am getting:

Command: host -v -a -l abc.com
trying "abc.com"
Host abc.com not found : 5 (REFUSED)
: Transfer failed

I am able to query the records as soon as I update the /etc/resolv.conf with the old DNS server IPs.

Please help!
Kent W:

If you are allowing only secure updates you may need to add an A record for your Linux machine to your new AD DNS server.
Also, looking at the Windows dns log entries may tell you specifically why.
Before going on to test remotely, double-check that your 2012 DNS is not having issues and is not bound only to 127.0.0.1 or its IPv6 equivalent IP.

netstat -an | find ":53"
Do you have a 0.0.0.0:53 or *:53 listed with LISTENING?
If you have 127.0.0.1:53 or FE*:53 as the only entries, it means it is bound to a specific IP.

Transfer is also commonly restricted, so check your DNS server configuration to see who can transfer the zone.
Usually, you do not want to allow non-DNS servers to have rights to transfer zones.
Run host -C abc.com (for example purposes, you usually should not use a valid existing domain, which abc.com is)
and see whether you get the SOA record.

Unless you have your Linux system set up with a DNS server that needs to transfer the yourdomain.com zone with the Linux DNS as secondary, go to the transfer tab of the DNS configuration and add the Linux IP to the authorized list, as well as adding it to the "also notify" list (this deals with a notification the DNS servers will send to the Linux DNS service that a change has occurred and it should retrieve the zone to update its records).

The host -C yourdomain.com
should reflect the same serial number from all your DNS servers...

There is no rush to decommission the old DC until you determine that the new ones will perform as intended. The best way is to take the Windows 2008 off the network to make sure the Win2K12 receives requests from the clients and responds.
(Most overlooked are DHCP settings not reflecting the new DNS servers in the client configuration, as well as not updating the static name server references on the servers with static IPs...)
Deorali (ASKER):
@mugojava - yes, an A record for the Linux hosts exists. If I point to the 2008 DNS IP in /etc/resolv.conf, it works.
@Arnold
netstat -an | find ":53" shows
TCP 127.0.0.1:53   0.0.0.0:0 LISTENING
TCP 192.168.1.10  0.0.0.0:0 LISTENING
TCP [::1]:53            [::]:0            LISTENING

I don't have a 0.0.0.0:53 or *:53 listed with LISTENING

When I do host -C abc.com
All the DNS servers listed with the same exact serial numbers.

DHCP is not enabled in my environment.

Thanks,
Check the configuration of the DNS service and whether it is only allowing zone transfers from any host.
Note that AD-integrated zones replicate differently, i.e. they do not engage in zone transfers among the DNS servers.
It is likely that the 2012 version is by default restricting who can transfer zones.

Your host -C test proves the DNS server will respond to queries, which is the functionality the local clients use; they do not use zone transfers, which was your first attempt.

nslookup www.experts-exchange.com. should reflect the DNS server queried and the response it provides (non-authoritative).

If your Linux server must have the ability to transfer the zone, either as AXFR or IXFR, make sure to add the Linux IP address into the zone transfer configuration tab of each of the DNS servers.
Deorali (ASKER):
These Linux servers just use the Windows DNS as a name resolver and nothing more. Linux admins were able to query and display all the records when pointing to the 2008 DNS IPs. The zone transfer setting is not even enabled in the 2008 DNS servers.

I am not sure what changed in 2012, or whether there are any settings/config that need to be updated on the Linux servers to be able to query the records.
Windows 2003/2008 by default did not restrict zone transfers; it was up to the admin. Access to and listing of the zone exposes the LAN servers...
Based on your reported issue, it sounds as though MS now sets the zone transfer to deny by default and it is up to the admin to add the IPs from which zone transfers are authorized.

Many things were more permissive in earlier versions of the OS.
The update to permit the Linux system to transfer zones is in the Windows 2012 server's DNS server properties. You may have to look at the properties of each individual zone and look at the zone transfer tab.
Deorali (ASKER):
Thanks Arnold. I have one question: can we allow zone transfer to a host which is not a DNS server?
You can allow zone transfer to any host by either adding the individual IPs to the zone transfer tab in the properties of the zone or of the DNS server itself.
Or, if there is an option to allow all versus deny all except for... I am not sure which options are available in the version you are dealing with.
Deorali (ASKER):
Another issue. I hope you can point me in the right direction.

There is a conditional forwarder set up to our customer site customer.org.

I can resolve any host using the 2008 DNS but am not able to do it with the new 2012 DNS servers. I have allowed zone transfers to any server but I am still having the issue.

2008 DNS IP 192.168.1.5
2012 DNS IP 192.168.1.10

From the Linux host:

Successful from the 2008 DNS server:
Linux# dig @192.168.1.5 email.customer.org
:<<>> Dig 9.0.0 <<>> @192.168.1.5 email.customer.org
: (1 server found)
:global options :cmd
::got answer
:: ->>HEADER<<- opcode: QUERY, status: NOERROR, id:7074
:: flags: qr rd ra; QUERRY: 1, ANSWER:1 , AUTHORITY:0, ADDITIONAL:1
:: ANSWER SECTION:
emai.customer.org 10 A 10.0.0.10

It fails using the new 2012 DNS:
Linux# dig @192.168.1.10 email.customer.org
:<<>> Dig 9.0.0 <<>> @192.168.1.10 email.customer.org
: (1 server found)
:global options :cmd
::got answer
:: ->>HEADER<<- opcode: QUERY, status: SERVERFAIL, id:23457
:: flags: qr rd ra; QUERRY: 1, ANSWER:1 , AUTHORITY:0, ADDITIONAL:1

I am stumped. Please help.
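As an added example (not code posted by anyone in the thread), a small POSIX shell audit script that automates the checks discussed above: arnold's host -C serial comparison across servers, whether each server refuses an AXFR to this client (the REFUSED the asker's host -l produced), and the status code of an ordinary query like the dig tests just posted. It assumes dig is installed and reuses abc.com, email.customer.org and the 192.168.1.x addresses from the thread as placeholders.

```shell
# Added example (not from the thread): audit the DNS servers a Linux client uses.
# Per server it reports the SOA serial (all should agree, as the "host -C" check
# expects), whether AXFR to this host is refused (expected for a plain client),
# and the rcode of an ordinary query. Assumes dig; ZONE, SERVERS, TEST_NAME are
# placeholders reusing the thread's example values.
ZONE="${ZONE:-abc.com}"
SERVERS="${SERVERS:-192.168.1.5 192.168.1.10}"
TEST_NAME="${TEST_NAME:-email.customer.org}"
# soa_serial: pull the serial (3rd field) out of a "dig +short SOA" answer line
soa_serial() {
    printf '%s\n' "$1" | awk 'NF >= 7 { print $3; exit }'
}

# serials_consistent: succeed only if every serial given matches the first
serials_consistent() {
    first="$1"
    for s in "$@"; do
        [ "$s" = "$first" ] || return 1
    done
    return 0
}

# classify_axfr: turn "dig @server zone AXFR" output into a one-word verdict
classify_axfr() {
    case "$1" in
        *"Transfer failed"*)                                      echo refused ;;
        *"connection timed out"*|*"no servers could be reached"*) echo unreachable ;;
        *IN*SOA*)                                                 echo allowed ;;
        *)                                                        echo error ;;
    esac
}

# dig_status: extract the rcode (NOERROR, SERVFAIL, REFUSED, ...) from a dig header
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1
}

audit_zone() {
    command -v dig >/dev/null 2>&1 || { echo "dig not installed" >&2; return 1; }
    all=""
    for srv in $SERVERS; do
        serial=$(soa_serial "$(dig +short @"$srv" "$ZONE" SOA 2>/dev/null)")
        axfr=$(classify_axfr "$(dig @"$srv" "$ZONE" AXFR 2>&1)")
        rcode=$(dig_status "$(dig @"$srv" "$TEST_NAME" A 2>&1)")
        printf '%s serial=%s axfr=%s query=%s\n' "$srv" "${serial:-none}" "$axfr" "${rcode:-none}"
        all="$all $serial"
    done
    serials_consistent $all && echo "serials agree" || echo "WARNING: serials differ"
}
if [ "${RUN_AUDIT:-0}" = 1 ]; then audit_zone; fi
```

Run it with RUN_AUDIT=1 sh audit.sh (overriding ZONE and SERVERS as needed); a plain client should see axfr=refused from every server while the serials agree.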
SOLUTION (arnold)
ASKER CERTIFIED SOLUTION
Deorali (ASKER):
@Arnold @mugojava - Thanks for your great help. I did the following: allowed zone transfers to any server and unchecked "Enable DNSSEC validation for remote responses". Everything is working fine now.

I appreciate your time and help.
The "allow zone transfers" setting will ONLY affect other DNS servers pulling records for secondaries.
You can click that back on to be more secure, unless you have secondaries that are not on the domain proper that were having issues pulling records. That won't affect anyone doing simple queries against your server.

You are very welcome my friend.