Zone Transfer Problems: Windows 2003 Server to Linux Bind

Barry Finkel b19141 at achilles.ctd.anl.gov
Fri Sep 24 13:05:18 UTC 2004


Brian wrote:

>> I am trying to re-establish a zone transfer with another organization
>> that has just upgraded from Windows 2K to 2003.  I am using Bind 9.2.1
>> on a Debian 3 system.  The transfer was working before but now I see
>> this error since they have upgraded:
>> 
>> Sep 14 01:38:57 compt-ns3 named[18471]: transfer of 'occaudit.org/IN' from 192.169.140.12#53: resetting
>> Sep 14 01:38:57 compt-ns3 named[18471]: transfer of 'occaudit.org/IN' from 192.168.140.12#53: failed while receiving responses: REFUSED
>> Sep 14 01:38:57 compt-ns3 named[18471]: transfer of 'occaudit.org/IN' from 192.168.140.12#53: end of transfer
>> 
>> When I do a dig occaudit.org @192.168.140.12 axfr I get:
>> 
>> ; <<>> DiG 9.2.1 <<>> occaudit.org @192.168.140.12 axfr
>> ;; global options:  printcmd
>> ; Transfer failed
>> 
>> When I do a dig ml2.occaudit.org @192.168.140.12 I get the answer
>> 
>> ml2.occaudit.org.   3600   IN  A   192.168.140.12
>> 
>> So it looks to me like I can connect to their DNS server but they are
>> not allowing zone transfers to my name server.  I have never used a
>> Windows 2003 DNS server.  How do they set that so I can do my
>> transfer?
>> 
>> Anybody know?
>> 
>> Thanks,
>> 
>> Brian

Brenda Buttrick <Brenda.Buttrick at biogenidec.com> replied:

>To check if zone transfers are allowed on a W2k DNS Server:
>    on the W2k DNS server --> right click on the zone and select Properties
>        In the Properties display:
>            click on the Zone Transfers tab
>            check that "Allow zone transfers" is checked
>            verify the slave servers for the zone are in the server list, or,
>            if "Only to servers listed on the Name Servers tab" is checked,
>            verify your slave server is listed under the "Name Servers" tab

If you have checked "Only to servers listed on the Name Servers tab" (as I
have done), you must ensure that the W2k DNS cache contains the
mapping of the IP address to nodename for the remote name server.
The MS code is mal-designed.  When a zone transfer request arrives
at the W2k DNS Server from an IP address, and the "NS Tab" option is
being used, then the MS code has to check that the IP address that sent
the zone transfer request is really a nameserver in the NS Tab.  The
logical thing to do is to perform a DNS query to get the PTR record.
But the MS code does not do this because (as one of the developers told
me) the query could result in hijacked information and cannot be
trusted.  So, the PTR record must be in the DNS cache.  I did not ask
the developer why the information in the cache is also not subject
to the same hijacking.

What I do when I have that problem is this:

     nslookup remote-dns-server-example.com w2k-dns-server.example.com

This does the DNS lookup using the W2k DNS Server.  Since the desired
info is not in that server's cache, the W2k Server will do the
required DNS queries to get the information, and the information will
be cached.
----------------------------------------------------------------------
Barry S. Finkel
Computing and Instrumentation Solutions Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994
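As an added example (not part of the thread above), the script below picks the "failed while receiving responses: REFUSED" messages out of named's log in the format Brian quoted, reports each zone/master pair once, and prints the dig checks a secondary operator would run against that master: an SOA query, a reverse lookup of the secondary's own address (the mapping the reply says the Windows server must have cached), and the AXFR itself. The log lines are constructed samples and the secondary address 192.0.2.53 is an assumed placeholder.

```shell
#!/bin/sh
# Constructed sample named log lines (not real data); the last line is a
# successful transfer and must be ignored by the filter.
sample_log() {
cat <<'EOF'
Sep 14 01:38:57 compt-ns3 named[18471]: transfer of 'occaudit.org/IN' from 192.168.140.12#53: resetting
Sep 14 01:38:57 compt-ns3 named[18471]: transfer of 'occaudit.org/IN' from 192.168.140.12#53: failed while receiving responses:  REFUSED
Sep 14 01:38:57 compt-ns3 named[18471]: transfer of 'occaudit.org/IN' from 192.168.140.12#53: end of transfer
Sep 14 02:38:57 compt-ns3 named[18471]: transfer of 'occaudit.org/IN' from 192.168.140.12#53: failed while receiving responses:  REFUSED
Sep 14 02:40:01 compt-ns3 named[18471]: transfer of 'example.net/IN' from 198.51.100.7#53: Transfer completed: 1 messages, 12 records
EOF
}

# Read named log lines on stdin; print "zone master" once per pair whose
# inbound transfer was answered with REFUSED.
refused_transfers() {
    awk '/transfer of .* failed while receiving responses: +REFUSED/ {
        for (i = 1; i <= NF; i++) {
            if ($i == "of")   zone = $(i + 1)
            if ($i == "from") master = $(i + 1)
        }
        gsub("\047", "", zone)            # strip the quotes around the zone
        sub("/IN$", "", zone)             # strip the "/IN" class suffix
        sub("#[0-9]+:?$", "", master)     # strip the "#53:" port suffix
        if (!seen[zone " " master]++) print zone, master
    }'
}

# Read "zone master" pairs on stdin; print the checks to run against each
# master. $1 is this secondary's own IP address.
diag_commands() {
    our_ip="$1"
    while read -r zone master; do
        printf 'dig @%s %s SOA +short\n' "$master" "$zone"   # does the master serve the zone?
        printf 'dig @%s -x %s +short\n' "$master" "$our_ip"  # can it name our address?
        printf 'dig @%s %s AXFR\n' "$master" "$zone"         # the transfer itself
    done
}

# Stand-alone usage: sample_log | refused_transfers | diag_commands 192.0.2.53
```

In production, feed the function real log lines (for example `grep named /var/log/syslog | refused_transfers`) rather than the constructed sample.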