Firewall Stops DNS Updates

Status
Not open for further replies.

SelbyGlenn

Technical User
Oct 7, 2002
444
GB
Hi there,

I am running BIND 9 on RH7.3 and I am using ipchains. I have 2 DNS servers (Master & Secondary). The Master is working fine and I can query without any problems. The secondary however is refusing to update from the Master.
The input chain on the secondary firewall is only allowing port 53 (TCP/UDP) and this is causing the problem. Does anyone know which additional port needs to be open to receive updates?

Thanks in advance,

Glenn
BEng MCSE CCA
 
Zone transfers take place over TCP port 53, but do a query for the SOA over UDP 53 first. Since you have both open, there is most likely another problem. Here are a few things to check, courtesy of Mathias from the Bind Users mailing list.

There are a few other causes that could prohibit the secondary from transferring the zone successfully:

a) The serial# on your primary is smaller than or equal to the one the secondary still has.

b) You have a typo (syntax error etc.) in your primary's zonefile for your domain. The primary will load the zone (except the problematic entry) but NOT become authoritative for the zone and as such refuse to transfer it out. You should check whether your primary NS answers authoritatively to an SOA query for your domain:

    $ dig mydomain soa @myprimary

and check whether the reply includes an 'aa' flag. If not, your primary is not authoritative for the zone. Check the logfiles (syslog, usually /var/log/messages or similar, unless you have redirected logging to somewhere else) and see whether BIND logs any problem on restart/reload.

c) You have a firewall which prohibits the secondary from
   a) performing a serial# query (if UDP port 53 is blocked)
   b) performing the zone transfer itself (if TCP port 53 is blocked)
   BOTH these ports should be open.

d) You have denied zone transfers from your secondary nameserver in your named.conf file (maybe you have configured one of the following):

    options {
        [...]
        allow-transfer { none; };
        [...]
    };

or

    zone "yourdomain" {
        [...]
        allow-transfer { none; };
        [...]
    };

You should add the IP address of your secondary nameserver in the allow-transfer clause to permit it to obtain a copy of your zone.

 
I've just opened up all the inbound ports on the secondary server and the zone transfers now work! I checked the firewall logs and the zone transfers are coming in on random ports above 1025. It looks like the secondary DNS server is requesting the zone transfers in the same manner as a resolver!

Any ideas??

Glenn
BEng MCSE CCA
 
My apologies for misdirecting you earlier. The behavior of Bind zone transfers changed with ver 8.1. It now uses unprivileged ports for zone transfers. I would set the firewall to allow all traffic from the primary's IP and leave the rest of your restrictions in place.

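The checklist from the second reply (serial comparison, 'aa' flag, TCP/UDP 53) and the last reply's point that the transfer is requested from an unprivileged port, scripted as an added example that is not from this thread or from BIND; ZONE, PRIMARY and SECONDARY are placeholders, and the sample dig lines are constructed:

```shell
#!/bin/sh
# Added example, not from the thread: scripts checks (a), (b) and (c) above.
# ZONE, PRIMARY, SECONDARY are placeholders; needs dig. Run from the secondary: sh check_xfr.sh ZONE PRIMARY SECONDARY

# Constructed sample lines in the shape dig prints, to exercise the parsers offline.
SAMPLE_FLAGS=';; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_SOA='example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2002100701 7200 3600 1209600 3600'

# Print the serial from `dig +noall +answer ZONE soa` output read on stdin
# (fields: name ttl class SOA mname rname serial refresh retry expire minimum).
soa_serial() {
    awk '$4 == "SOA" { print $7; exit }'
}

# Succeed when the dig header on stdin has the "aa" (authoritative answer) flag: check (b).
has_aa_flag() {
    awk '/^;; flags:/ { for (i = 3; i <= NF; i++) { f = $i; sub(/;$/, "", f); if (f == "aa") ok = 1 } }
         END { exit !ok }'
}

# Succeed when serial $1 is newer than $2 under RFC 1982 serial arithmetic, which
# is how the secondary decides (check (a)); plain ">" is wrong after a 32-bit wrap.
serial_newer() {
    d=$(( ($1 - $2) & 4294967295 ))
    [ "$d" -gt 0 ] && [ "$d" -lt 2147483648 ]
}

# Live checks against both servers; returns non-zero at the first problem found.
check_zone() {
    zone=$1 primary=$2 secondary=$3
    if ! dig "$zone" soa "@$primary" | has_aa_flag; then
        echo "FAIL: $primary is not authoritative for $zone; check the zone file and named's syslog output"
        return 1
    fi
    p=$(dig +noall +answer "$zone" soa "@$primary" | soa_serial)
    s=$(dig +noall +answer "$zone" soa "@$secondary" | soa_serial)
    echo "serial: primary=$p secondary=${s:-none}"
    if [ -n "$s" ] && ! serial_newer "$p" "$s"; then
        echo "FAIL: primary serial is not newer; the secondary will not transfer"
        return 1
    fi
    # check (c): the transfer itself runs over TCP 53 on the primary
    if ! dig +tcp +noall +answer "$zone" soa "@$primary" >/dev/null; then
        echo "FAIL: TCP port 53 on $primary is not reachable from here"
        return 1
    fi
    echo "OK: $zone is ready to transfer from $primary"
}
if [ "$#" -eq 3 ]; then check_zone "$@"; fi
```

Because check (c) runs from the secondary, it exercises the same inbound path the last reply describes: the answer returns from the primary's port 53 to an unprivileged port on the secondary. An ipchains input rule that accepts TCP from the primary's address with source port 53 to ports 1024 and above is therefore a narrower alternative to accepting all traffic from the primary.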