Unable to query the entire zone from Linux machines

Hi Experts,

I added two new Windows Server 2012 R2 Domain Controllers to the existing Windows Server 2008 R2 DCs. I am in the process of testing that everything is in order before decommissioning the W2K8 DCs.

On the Linux host, I removed the IPs pointing to Windows Server 2008 DNS and added the DNS IPs of Windows Server 2012 R2 in /etc/resolv.conf. After the update, I am not able to query the records from the entire zone. Here is the error I am getting:

command: host -v -a -l abc.com
Trying "abc.com"
Host abc.com not found: 5 (REFUSED)
; Transfer failed.

I am able to query the records as soon as I update the /etc/resolv.conf with the old DNS server IPs.

Please help!
Kent W (Sr. Network / Systems Admin) commented:
If you are allowing only secure updates you may need to add an A record for your Linux machine to your new AD DNS server.
Also, looking at the Windows DNS log entries may tell you specifically why.
Before going on to test remotely, double check that your 2012 DNS is not having issues and is not bound only to the or its IPv6 equivalent IP:

netstat -an | find ":53"
Do you have a or *:53 listed with LISTENING?
If you have or FE*:53 as the only entries, it means it is bound to a specific IP.

Zone transfer is also commonly restricted, so check your DNS server configuration to see who can transfer the zone.
Usually, you do not want to allow non-DNS servers to have rights to transfer zones.
Run host -C abc.com (for example purposes you should not use a valid existing domain, which abc.com is)
and see whether you get the SOA record.

Unless you have your Linux system set up with a DNS server that needs to transfer the yourdomain.com zone, with the Linux DNS as secondary, there is no need for this. If you do, go to the Zone Transfers tab of the DNS configuration and add the Linux IP to the authorized list, and also add it to the "also notify" list (this deals with the notification the DNS servers send to the Linux DNS service that a change has occurred and it should retrieve the zone to update its records).

The host -C yourdomain.com
output should reflect the same serial number from all your DNS servers.

There is no rush to decommission the old DCs until you determine that the new ones will perform as intended. The best way is to take the Windows 2008 servers off the network to make sure the Win2K12 servers receive requests from the clients and respond.
(Most overlooked are DHCP settings not reflecting the new DNS servers in the client configuration, as well as not updating the static name server references on the servers with static IPs.)
Deorali (author) commented:
@mugojava - yes, an A record for the Linux hosts exists. If I point to the 2008 DNS IP in /etc/resolv.conf, it works.
netstat -an | find ":53" shows
TCP [::1]:53            [::]:0            LISTENING

I don't have a or *:53 listed with LISTENING.

When I do host -C abc.com,
all the DNS servers are listed with the exact same serial numbers.

DHCP is not enabled in my environment.

Check the configuration of the DNS service and whether it is only allowing zone transfers from specific hosts or from any host.
Note that AD-integrated zones replicate differently, i.e. they do not engage in zone transfers among the DNS servers.
It is likely that the 2012 version is by default restricting who can transfer zones.

Your host -C test proves the DNS server will respond to queries, which is the functionality the local clients use; they do not use zone transfers, which was your first attempt.

nslookup www.experts-exchange.com. should show the DNS server queried and the response it provides (non-authoritative).

If your Linux server must have the ability to transfer the zone, either as AXFR or IXFR, make sure to add the Linux IP address into the zone transfer configuration tab of each of the DNS servers.
Deorali (author) commented:
These Linux servers just use the Windows DNS as a name resolver and nothing more. Linux admins were able to query and display all the records when pointing to the 2008 DNS IPs. The zone transfer setting is not even enabled on the 2008 DNS servers.

I am not sure what changed in 2012, or whether there are any settings/config that need to be updated on the Linux servers to be able to query the records.
Windows 2003/2008 by default did not restrict zone transfers; it was up to the admin. Access to and listing of the zone exposes the LAN servers....
Based on your reported issue, it sounds as though MS now sets the zone transfer to deny by default and it is up to the admin to add the IPs from which zone transfers are authorized.

Many things were more permissive in earlier versions of OS.
The update to permit the Linux system to transfer zones is in the Windows 2012 server's DNS server properties. You may have to look at the properties of each individual zone and look at the Zone Transfers tab.
Deorali (author) commented:
Thanks Arnold. I have one question: can we allow zone transfer to a host which is not a DNS server?
You can allow zone transfer to any host by adding the individual IPs to the Zone Transfers tab in the properties of the zone or of the DNS server itself.
Or, if there is an option to allow all versus deny all except for ...... not sure which options are available in the version you are dealing with.
Deorali (author) commented:
Another issue. I hope you can point me in the right direction.

There is a conditional forwarder set up to our customer site customer.org.

I can resolve any host using the 2008 DNS but am not able to do it with the new 2012 DNS servers. I have allowed zone transfers to any servers but I am still having the issue.

2008 DNS IP
2012 DNS IP

From the Linux host:

Successful from the 2008 DNS server:
Linux# dig @ email.customer.org
; <<>> DiG 9.0.0 <<>> @ email.customer.org
; (1 server found)
;; global options: cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7074
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
email.customer.org 10 A

It fails using the new 2012 DNS:
Linux# dig @ email.customer.org
; <<>> DiG 9.0.0 <<>> @ email.customer.org
; (1 server found)
;; global options: cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23457
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

I am stumped. Please help.
You need to add the conditional forwarder to the Windows 2012 servers as well.
Forwarders are not inherited/replicated among the DCs.

You would also have to check whether the customer.org site allows the Windows 2012 servers to query it once you have added the conditional forwarders to them.

nslookup -q=soa customer.org IP_of_the_conditional_forwarder

Run this directly on the Windows 2008 server, where it should succeed given that it is working, then run the same query from the 2012 systems. If you get a query reject, contact the other side to have them add your 2012 IPs to the list allowed to query.
Check your firewall/VPN, if the path to the client is .... to see how and whether there is a configuration there dealing with the DNS requests originating from the 2008 DNS server, and add/adjust the rules to include the Windows 2012 servers.
Check your side first, before contacting the remote side.
Kent W (Sr. Network / Systems Admin) commented:
Try this.
Under the Properties of your DNS server, "Advanced" tab, UN-check "Enable DNSSEC validation for remote responses".
Restart the DNS service.
Re-try your query.

I'm assuming on install you selected the server in the DNS manager, right-clicked, chose "Configure a DNS Server..." and selected "Configure root hints only" and/or configured forward/reverse lookups? From my understanding, if you want to look up ANY zones not directly loaded on the server, you have to run through the root hints configuration OR set up forwarders for all domains your DNS host is not authoritative for.
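The checks the experts above describe by hand (the serial comparison that host -C does, the SOA probe against each resolver, and the DNSSEC validation hint) as an added shell example that is not from the original thread or from either expert. The parsing functions work offline on sample dig output constructed from the posts above (not captured output); probe() is the live mode and assumes dig from BIND utilities is installed and that you substitute your own zone and server IPs (the IPs in the usage comment are placeholders). The +cd retry uses dig's standard "checking disabled" flag: an answer that succeeds with +cd but SERVFAILs without it is failing DNSSEC validation on the server, which is the setting Kent W points at.

```shell
#!/bin/sh
# Added example, not from the thread: automate the checks the experts ran by
# hand. Offline parts work on constructed dig output; probe() needs dig(1)
# and network reach to the servers you name (placeholders in the usage line).

# Return the rcode (NOERROR, REFUSED, SERVFAIL, ...) from dig's header line.
rcode_of() {
  printf '%s\n' "$1" | grep -m1 -- '->>HEADER<<-' \
    | sed 's/.*status: \([A-Z]*\),.*/\1/'
}

# Return the SOA serial from dig's ANSWER section. The rdata is
# "mname rname serial refresh retry expire minimum", so on a line of
# "name ttl class type mname rname serial ..." the serial is field 7.
# Prints nothing if no SOA was answered.
soa_serial_of() {
  printf '%s\n' "$1" | awk '$1 !~ /^;/ && $4 == "SOA" { print $7; exit }'
}

# "Transfer failed" is what dig and host print when AXFR is denied, which is
# the REFUSED the original poster saw. A plain client never needs AXFR.
axfr_denied() {
  printf '%s\n' "$1" | grep -q 'Transfer failed'
}

# Map a query type and rcode to the likely cause discussed in the thread.
diagnose() {
  case "$1:$2" in
    AXFR:REFUSED) echo "zone transfer denied: this IP is not on the zone's Zone Transfers tab (expected for a non-DNS host)" ;;
    *:SERVFAIL)   echo "resolution failed on this server: missing conditional forwarder, forwarder unreachable, or DNSSEC validation failure" ;;
    *:NXDOMAIN)   echo "this server says the name does not exist" ;;
    *:NOERROR)    echo "ok" ;;
    *)            echo "unexpected rcode: $2" ;;
  esac
}

# Are all serials equal? (host -C does this across the authoritative servers.)
serials_consistent() {
  first="$1"; shift
  for s in "$@"; do
    [ "$s" = "$first" ] || { echo mismatch; return 1; }
  done
  echo consistent
}

# Live mode: for each server fetch the SOA; on SERVFAIL retry with +cd
# (checking disabled). NOERROR with +cd but SERVFAIL without it means the
# server's DNSSEC validation of the upstream answer is what fails.
probe() {
  zone="$1"; shift
  for srv in "$@"; do
    out=$(dig @"$srv" "$zone" SOA +noall +comments +answer)
    rc=$(rcode_of "$out")
    echo "$srv: rcode=$rc serial=$(soa_serial_of "$out") -> $(diagnose SOA "$rc")"
    if [ "$rc" = SERVFAIL ]; then
      cd_rc=$(rcode_of "$(dig @"$srv" "$zone" SOA +cd +noall +comments)")
      [ "$cd_rc" = NOERROR ] && echo "$srv: works with +cd, so DNSSEC validation is the blocker"
    fi
  done
}

# Constructed sample output, modelled on the posts above (not captured):
SAMPLE_OK=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7074
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
customer.org.		3600	IN	SOA	ns1.customer.org. hostmaster.customer.org. 2015040101 900 600 86400 3600
EOF
)
SAMPLE_FAIL=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23457
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
EOF
)
SAMPLE_AXFR='; Transfer failed.'

echo "2008-style answer: $(rcode_of "$SAMPLE_OK") serial $(soa_serial_of "$SAMPLE_OK")"
echo "2012-style answer: $(rcode_of "$SAMPLE_FAIL") -> $(diagnose SOA SERVFAIL)"
if axfr_denied "$SAMPLE_AXFR"; then echo "AXFR: $(diagnose AXFR REFUSED)"; fi
serials_consistent 2015040101 2015040101 2015040101

# Usage (placeholder IPs): sh dnsprobe.sh customer.org 192.0.2.10 192.0.2.20
if [ "$#" -ge 2 ]; then probe "$@"; fi
```

Run it with no arguments to see the offline classification of the two sample answers; pass a zone and the 2008 and 2012 server IPs to compare them live. Only the SOA query is used for the live comparison, since that is what clients actually need the server to answer; the AXFR check is kept separate so a REFUSED on transfer is not mistaken for a resolution problem.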

Deorali (author) commented:
@Arnold @mugojava - Thanks for your great help. I did the following: allowed zone transfer to any servers and unchecked "Enable DNSSEC validation for remote responses". Everything is working fine now.

I appreciate your time and help.
Kent W (Sr. Network / Systems Admin) commented:
The "allow zone transfers" setting will ONLY affect other DNS servers pulling records for secondaries.
You can turn that back on to be more secure, unless you have secondaries that are not on the domain proper that were having issues pulling records. That won't affect anyone doing simple queries against your server.

You are very welcome my friend.