
BIND 9 not transferring zone files


skotman
Sep 11, 2003
I built a Fedora Red Hat box with BIND 9 installed, etc. My intention is to use it as a secondary external DNS server in a remote office.

When I start named it starts like it's supposed to, except for the fact that it won't transfer my zone file over from my master. The master DNS server is a Windows 2003 server and I see log file entries saying that it was successfully transferred. I cannot find the zone files on the Fedora box, and when I do an nslookup against the domain it returns:

Code:
>domain.com
server: [192.168.1.69]
address: 192.168.1.69

***[192.168.1.69] can't find domain.com: Server Failed
>

When I do it from the Fedora box I get the same thing. named starts, so I don't think it's a config issue, although it could be.

Thanks!

Scott Heath
AIM: orange7288
SprintPCS ReadyLink? IM ME
 
Update: I went looking in /var/logs/messages and found the following:

Code:
Jan 28 12:56:47 newDNS named[3771]: transfer of 'domain.com/IN' from 192.168.1.14#53: failed while receiving responses: permission denied
Jan 28 12:56:47 newDNS named[3771]: transfer of 'domain.com/IN' from 192.168.1.14#53: end of transfer

the /var/named directory has the following permissions on it:
Owner: DRWE (777)
Group: DRE (755)

The owner was root the group was named. I set the owner to named and it worked perfectly.

Scott Heath
AIM: orange7288
SprintPCS ReadyLink? IM ME
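As an added illustration of the fix described in this post (not code from the thread), the following Python check works out which directories BIND has to write to for its slave zones and whether a given uid/gid has write and search permission there, which is exactly what the root-owned /var/named lacked for the named user. The named.conf fragment is constructed for the example; the demo widens group permissions on a scratch directory instead of changing the owner as the post did.

```python
import os
import re
import stat
import tempfile
# Constructed named.conf fragment modelled on the thread: one slave zone
# pulled from the Windows master at 192.168.1.14 into /var/named.
SAMPLE_NAMED_CONF = """
options { directory "/var/named"; };
zone "domain.com" IN {
    type slave;
    file "slaves/domain.com.zone";
    masters { 192.168.1.14; };
};
"""

def slave_zone_dirs(conf_text):
    """(zone, dir) pairs BIND must write; relative files resolve against options { directory }."""
    m = re.search(r'directory\s+"([^"]+)"', conf_text)
    base = m.group(1) if m else "."
    out = []
    for z in re.finditer(r'zone\s+"([^"]+)"[^{]*\{(.*?)\n\};', conf_text, re.S):
        body = z.group(2)
        if not re.search(r'\btype\s+(slave|secondary)\s*;', body):
            continue
        f = re.search(r'file\s+"([^"]+)"', body)
        if f:
            out.append((z.group(1), os.path.dirname(os.path.join(base, f.group(1)))))
    return out

def writable_by(path, uid, gid):
    """Can uid/gid create files in 'path'? Needs write + search bits on the directory."""
    st = os.stat(path)
    if st.st_uid == uid:
        bits = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid == gid:
        bits = stat.S_IWGRP | stat.S_IXGRP
    else:
        bits = stat.S_IWOTH | stat.S_IXOTH
    return (st.st_mode & bits) == bits

def demo_permission_fix():
    """755 dir owned by us (stands in for root), checked for a uid sharing only the group (named)."""
    with tempfile.TemporaryDirectory() as d:
        st = os.stat(d)
        os.chmod(d, 0o755)
        owner_ok = writable_by(d, st.st_uid, st.st_gid)        # True: owner has rwx
        group_only = writable_by(d, st.st_uid + 1, st.st_gid)  # False: group has only r-x
        os.chmod(d, 0o775)                                     # grant the group write access
        after_fix = writable_by(d, st.st_uid + 1, st.st_gid)   # True
    return owner_ok, group_only, after_fix
```

Running `slave_zone_dirs` over the real named.conf and `writable_by` with the named user's uid/gid from `pwd.getpwnam("named")` gives the same answer the `permission denied` log line did, before a transfer is attempted.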
 
Be prepared for problems if using BIND in a Win2000 or Win2003 domain, especially if you need to build trusts...BIND and QIP DNS will both break trusts in unusual fashions...the trust will be good, but some security principals may show up as SIDs, etc.

Anyway...make sure your zone is set to secure and non-secure dynamic updates.

Also be sure your BIND supports SRV records and dynamic updates as well, which it should in your version of Linux...I believe the BIND version you need is 9.2.1, if I remember correctly. I do see you said BIND 9, but no sub-version there.

-Brandon Wilson
MCSE00/03, MCSA:Messaging, MCSA03, A+
almost got a paragraph there :)
 
I'm just using BIND for external DNS without any fancy features like trusts. Server A is replicating to Server B, just like in the old days of DNS. It just so happens that Server A is a Win2k3 server that is doubling as a DNS server for the outside world.

Scott Heath
AIM: orange7288
SprintPCS ReadyLink? IM ME
 
All of this is outside my Active Directory Domain.


Scott Heath
AIM: orange7288
SprintPCS ReadyLink? IM ME
 
This particular Win2k3 server is doing most of my external-facing services (IIS, DNS, VPN, etc.) for my network. I have two other servers inside my firewall that do DNS for my 2003 AD domain, as well as a 3rd domain controller at a remote site.

The BIND server is just performing secondary DNS for outside requests (people trying to hit internet-facing services), so no worries about breaking trusts there.

Scott Heath
AIM: orange7288
SprintPCS ReadyLink? IM ME
 
Ah, I gotcha.

So, same deal...just be sure that non-secure and secure dynamic updates are enabled. Sounds like it is set to secure only. Looks like it from the error you posted as well. BIND cannot authenticate to an AD-integrated zone set for secure-only updates, which is the default. What are the current security settings on the zone as far as dynamic updates?

-Brandon Wilson
MCSE00/03, MCSA:Messaging, MCSA03, A+
almost got a paragraph there :)
 
The issue has been solved. Read the 2nd post. I'm not doing anything with AD in this circumstance because I don't want to have AD facing the internet. The issue was with BIND not being able to write out locally the zone files it copied off the W2k3 server.

Scott Heath
AIM: orange7288
SprintPCS ReadyLink? IM ME
 
Gotcha...musta misread.


Just FYI...AD DNS zones handling internet requests are not a problem, provided the zone is set to secure only.

-Brandon Wilson
MCSE00/03, MCSA:Messaging, MCSA03, A+
almost got a paragraph there :)
 