zone transfer...

Jozef Skvarcek jozef at photonfield.net
Mon Nov 5 22:04:06 UTC 2001 

The fact that you can't download SOA is a proof that there is some
packet filtering going on (and the reason why the zone transfers don't
work). Especially, check whether tcp/udp from port 53 at your slave
to port 53 at the master is allowed.

You may get better idea by sniffing the packets. For example, if using
Linux try `tcpdump -n -i eth0 host <IP number of master>'
or if Solaris `snoop -d hme0 <IP of master>'. Adjust the name of
your interface if necessary. Then try to download SOA.
When you see the results you will know what they mean...

Jozef

On Mon, 5 Nov 2001, Luke Miller wrote:

> 
> I'm not doing any filtering on my side and the people on the other side (master) say that other people can
> slave off of them fine.  Using dig I can do a zone transfer just fine:
> 
> dig inputs.orbz.org @xx.xx.xx.xx axfr
> 
> But I can't get the soa:
> 
> > dig inputs.orbz.org @xx.xx.xx.xx soa
> 
> ; <<>> DiG 9.1.3 <<>> inputs.orbz.org @xx.xx.xx.xx soa
> ;; global options:  printcmd
> ;; connection timed out; no servers could be reached
> 
> Luke
> 
> *****************************************************
> * Luke Miller             Unix System Administrator *
> * Integra Telecom                      503-748-4549 *
> *****************************************************
> 
> > Seems like something is filtering out packets with specific source and/or
> > destination ports for the IPs of your servers. I would also check that
> > both tcp and udp is allowed between the two DNS servers. Can't tell for 
> > sure now but I think that both udp and tcp should be open from port 53
> > and all ports > 1023 on your slave to port 53 on your master. Note that
> > I found that some DNS servers connect from a random port < 1024, but 
> > I don't think BIND does that.
> > Can you download the SOA from the master to the slave, anyway?
> > 
> > Jozef
> > 
> > On Mon, 5 Nov 2001, Luke Miller wrote:
> > 
> > > 
> > > I am trying to a zone transfer and I am getting the following messages in the logs:
> > > 
> > > Nov 05 10:54:02.227 general: refresh_callback: zone inputs.orbz.org/IN: failure for xx.xx.xx.xx#53: timed o
> ut
> > > Nov 05 10:54:02.227 general: refresh_callback: zone inputs.orbz.org/IN: xx.xx.xx.xx#53: retries exceeded
> > > 
> > > I can do an nslookup and ls or a dig to transfer the zone by hand but named doesn't seem to want to do it.
> > > The transfer by hand takes bout 3 minutes.  I have all the timeouts set to default.
> > > 
> > > Any ideas?  
> > > 
> > > Thanks,
> > > 
> > > Luke
> > > 
> > > *****************************************************
> > > * Luke Miller             Unix System Administrator *
> > > * Integra Telecom                      503-748-4549 *
> > > *****************************************************
> > > 
> > 
>

More information about the bind-users mailing list