Is my BIND server allowing zone transfers?

Kevin Darcy kcd at daimlerchrysler.com
Mon Aug 26 22:36:17 UTC 2002


HYK_TremorZ at hotmail.com wrote:

> Ok this is my setup:
>
> We have a Linux router doing NAT and is forwarding all packets to all
> ports on our server (which we call 'brave') by default.  We set the
> router to explicitly forward packets to port 53 though (I'm paranoid
> like that).
>
> Brave is running our BIND 8 server.  However, I don't think it is
> allowing zone transfers.  When I try to do a dnswalk on our domain
> name, it gives us this error:
>
> ivan at brave:~$ dnswalk <domain name>
> Checking <domain name>
> Getting zone transfer of <domain name> from <dns server>...failed
> FAIL: Zone transfer of <domain name> from <dns server> failed:
> couldn't connect
>
> This is what the 'options' in our named.conf file looks like:
>
> options {
>
>         // directory "/var/cache/bind";
>         directory "/etc/bind";
>
>         allow-transfer { 65.102.83.43; 206.55.70.19; 127.0.0.1; 10.0.0.6; 10.0.0.5; }
>
>         // If there is a firewall between you and nameservers you want
>         // to talk to, you might need to uncomment the query-source
>         // directive below.  Previous versions of BIND always asked
>         // questions using port 53, but BIND 8.1 and later use an unprivileged
>         // port by default.
>
>         query-source address * port 53;
>
>         // If your ISP provided one or more IP addresses for stable
>         // nameservers, you probably want to use them as forwarders.
>         // Uncomment the following block, and insert the addresses replacing
>         // the all-0's placeholder.
>
>         // forwarders {
>         //      0.0.0.0;
>         // };
> };
>
> // reduce log verbosity on issues outside our control
> logging {
>         category lame-servers { null; };
>         category cname { null; };
> };
>
> Now I don't understand why I can't zone transfer even from the server
> that's hosting the BIND server.  I added the allow-transfer line to
> include both 127.0.0.1 and 10.0.0.5 (the internal IP address for
> brave).
>
> If anyone could help, I would appreciate it greatly.  Thank you.

You did reload or restart the nameserver after making the allow-transfer
change, right?

I'd try some AXFR queries using dig to see if you get the same results.
Also, look in your logs to see if there are any reports of zone transfers
being denied. Turn on query logging to see if the AXFR queries are even
being received.


- Kevin
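One way to follow the dig suggestion above and read the result carefully. This is an added example, not part of the thread. A zone transfer runs over TCP, so there are two distinct ways it can fail: the server answers but denies the transfer (the allow-transfer ACL produces a REFUSED response, which dig reports as "Transfer failed."), or no TCP connection to port 53 can be made at all (dig reports a communications error or "no servers could be reached"). The first points at named.conf; the second points at the firewall, NAT forwarding or named not listening on TCP, and no allow-transfer change will fix it. The script below wraps dig in a small classifier; the server and zone names are placeholders, and the three sample outputs are constructed to match the shape dig prints rather than captured from a real server.

```shell
#!/bin/sh
# Added example (not from the thread): interpret a "dig @server zone AXFR" run.
#
# classify_axfr reads dig's output on stdin and prints exactly one word:
#   ok         transfer completed (SOA record at both start and end of the zone)
#   refused    server reachable, but it denied the transfer (allow-transfer ACL)
#   noconnect  no TCP connection to the server (firewall, NAT, named not on TCP)
#   unknown    anything else (look at the raw output)
classify_axfr() {
    out=$(cat)
    # Transport-level failures come first: without a TCP session there is
    # no answer to interpret, so a later "Transfer failed." line is noise.
    if printf '%s\n' "$out" | grep -Eq 'communications error|connection (refused|timed out)|no servers could be reached'; then
        echo noconnect
        return 0
    fi
    # dig prints this when the server answered but returned no zone
    # (REFUSED is the common case for an allow-transfer denial).
    if printf '%s\n' "$out" | grep -q 'Transfer failed'; then
        echo refused
        return 0
    fi
    # A complete transfer is bracketed by the SOA record: once at the start
    # and once at the end. Fewer than two means no usable zone came back.
    soa=$(printf '%s\n' "$out" | grep -Ec '[[:space:]]IN[[:space:]]+SOA[[:space:]]' || true)
    if [ "$soa" -ge 2 ]; then
        echo ok
    else
        echo unknown
    fi
}

# Live check against a real server (hypothetical names; adjust to your setup):
#   check_axfr ns1.example.com example.com
# +tcp matches what a real transfer does; +time/+tries keep failures quick.
check_axfr() {
    server=$1
    zone=$2
    dig @"$server" "$zone" AXFR +tcp +time=5 +tries=1 2>&1 | classify_axfr
}

# Constructed sample outputs (not captured from a real server), in the
# shape dig prints, so the classifier can be exercised offline.
sample_ok() {
    cat <<'EOF'
; <<>> DiG 9.18.0 <<>> @192.0.2.53 example.com AXFR +tcp
;; global options: +cmd
example.com.        3600    IN  SOA ns1.example.com. hostmaster.example.com. 2002082601 7200 900 1209600 3600
example.com.        3600    IN  NS  ns1.example.com.
ns1.example.com.    3600    IN  A   192.0.2.53
example.com.        3600    IN  SOA ns1.example.com. hostmaster.example.com. 2002082601 7200 900 1209600 3600
;; Query time: 2 msec
;; SERVER: 192.0.2.53#53(192.0.2.53) (TCP)
;; XFR size: 4 records (messages 1, bytes 150)
EOF
}

sample_refused() {
    cat <<'EOF'
; <<>> DiG 9.18.0 <<>> @192.0.2.53 example.com AXFR +tcp
;; global options: +cmd
; Transfer failed.
EOF
}

sample_noconnect() {
    cat <<'EOF'
; <<>> DiG 9.18.0 <<>> @192.0.2.53 example.com AXFR +tcp
;; global options: +cmd
;; communications error to 192.0.2.53#53: connection refused
; Transfer failed.
EOF
}
```

Run check_axfr from the nameserver itself against 127.0.0.1 first, then from a host inside the NAT, then from outside; the point at which the result flips from ok to noconnect tells you where TCP/53 is being dropped, while a refused at any step is the ACL (or a stale config that was never reloaded) answering.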
