Why are zone transfers failing?

Jim Reid jim at rfc1035.com
Mon Oct 30 16:16:04 UTC 2000


>>>>> "Robbie" == Robbie Stone <robbie at serendipity.palo-alto.ca.us> writes:

    >> Juan Staalenburg wrote:
    >>  Zone transfer to a secondary name server for my primary domain
    >> is failing.  I know that it is related to firewall settings
    >> because if I open the name server up to all of IP it works fine.
    >> I would like to limit access to my dns server to only port 53
    >> (TCP and UDP).  But if I set my router up to do this, zone
    >> transfers do not complete.

    Robbie> You need to put this line in the named.conf under
    Robbie> "options".

    Robbie> query-source address * port 53;

    Robbie> This will keep everything on port 53.

True, but wrong. This will have no bearing on the original problem as
it was described above. The query-source clause has no effect at all
on the address and port number used for zone transfers. I quote from
the BIND8 documentation:

	Note: query-source currently applies only to UDP
	queries; TCP queries always use a wildcard IP address and a
	random unprivileged port

Zone transfers use TCP. A slave (secondary) server will ALWAYS connect
to TCP port 53 of the server it's using for a zone transfer. The
source port used for that connection is essentially random. A
transfer-source clause in the slave server's named.conf can be used to
fix the source address it uses for zone transfers. But this is no help
either. You'd still have to allow any host/port number to make TCP
connections to port 53 on the name server. This would be for hosts or
name servers using TCP queries such as repeats of queries that got
truncated UDP replies.

The real problem here is how the firewall has been (mis)configured. It
should be capable of allowing TCP or UDP traffic to port 53 of the
name server. A BIND[89] name server uses a random, unprivileged port
as the source of any queries it makes to another server. This can
upset firewalls with strict access control lists. The solution there
is to apply a query-source clause to the name server so that it uses a
fixed port number (and IP address?) and have a firewall rule that just
allows that traffic through. In addition to the regular traffic to
port 53 of course. So, fix the broken firewall access list because
that's the thing that's actually broken.
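The two firewall access lists discussed in this thread, modelled as a small stateless packet filter so the flows can be checked side by side. This is an added example, not code from the thread or from BIND; the server address, the peer addresses and the "random" high ports are constructed values.

```python
# Constructed model of a stateless packet filter in front of a BIND server.
# Addresses are from the RFC 5737 documentation ranges; ports are made up.
from dataclasses import dataclass

NS = "192.0.2.53"   # our name server (assumed address)
ANY = "any"


@dataclass(frozen=True)
class Rule:
    proto: str
    src: str        # address or ANY
    sport: object   # port number or ANY
    dst: str
    dport: object

    def matches(self, proto, src, sport, dst, dport):
        return (self.proto == proto
                and self.src in (ANY, src) and self.sport in (ANY, sport)
                and self.dst in (ANY, dst) and self.dport in (ANY, dport))


def permitted(acl, proto, src, sport, dst, dport):
    """A packet passes if any rule matches; otherwise the default is deny."""
    return any(r.matches(proto, src, sport, dst, dport) for r in acl)


# The original poster's list: port 53 on BOTH ends, in each direction.
STRICT_ACL = ([Rule(p, ANY, 53, NS, 53) for p in ("tcp", "udp")]
              + [Rule(p, NS, 53, ANY, 53) for p in ("tcp", "udp")])

# The list the reply recommends: anyone may reach port 53 of the server from
# any source port (queries, TCP retries, zone transfers), and the server's
# own queries leave from a fixed source port via "query-source ... port 53".
RECOMMENDED_ACL = ([Rule(p, ANY, ANY, NS, 53) for p in ("tcp", "udp")]
                   + [Rule(p, NS, 53, ANY, 53) for p in ("tcp", "udp")])

# Flows from the thread (constructed peers and ports).
SLAVE, CLIENT, UPSTREAM = "198.51.100.2", "203.0.113.7", "203.0.113.53"
FLOWS = {
    "zone transfer from slave":             ("tcp", SLAVE, 49152, NS, 53),
    "UDP query from a resolver":            ("udp", CLIENT, 33001, NS, 53),
    "TCP retry after truncated UDP reply":  ("tcp", CLIENT, 33002, NS, 53),
    "server query, no query-source":        ("udp", NS, 40321, UPSTREAM, 53),
    "server query, query-source port 53":   ("udp", NS, 53, UPSTREAM, 53),
    "reply to the fixed-port query":        ("udp", UPSTREAM, 53, NS, 53),
}


def evaluate(acl):
    """Map each named flow to True (allowed) or False (denied) under acl."""
    return {name: permitted(acl, *flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("strict", STRICT_ACL), ("recommended", RECOMMENDED_ACL)):
        print(f"--- {label} ACL ---")
        for name, ok in evaluate(acl).items():
            print(f"{'allow' if ok else 'DENY '}  {name}")
```

Under the strict list the zone transfer is denied because the slave connects from a random source port, exactly the symptom in the question; the recommended list admits it while still requiring the server's own queries to use the fixed port.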