zone transfers timeout in bind but work via dig

Barry Margolin barmar at
Mon Oct 4 00:09:09 UTC 2004

In article <cjpi3o$1cv5$1 at>,
 Christian Smith <none at> wrote:

> In article <cjoq8b$28na$1 at>,
>  Barry Margolin <barmar at> wrote:
> > > Because of this, there needs to be an explicit hole punched in the 
> > > firewall at the master server to allow outgoing connections in the 
> > > 1024-65535 range. And, at the slave end there needs to be a matching 
> > > hole to allow incoming connections to those ports (sourced from port 
> > > 53).
> > 
> > This is totally wrong.  The DNS protocol contains no mechanism like this.
> Then explain the difference. DIG works and can transfer the zone using 
> AXFR, but actual transfers initiated by a BIND slave fail. I've seen 
> this time and again and the problem is always with the firewall rules.
> What is different between the way DIG handles the transfer and how BIND 
> handles it?

I don't know, but I know it's not what you said.  To diagnose the 
problem, I'd run a sniffer to see what the slave was sending.

Barry Margolin, barmar at
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
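The diagnostic Barry suggests is to capture what the slave actually sends and compare it with what dig sends. The following is an added example, not code from the thread or from BIND: it parses a constructed capture (IPv4 + UDP/TCP + DNS, built inline with documentation-range addresses, no checksums) and reports, per packet, the direction and ports a firewall rule would have to admit. It encodes two facts that are not in the thread but are general DNS/BIND behaviour: a BIND slave first checks the master's SOA serial (normally over UDP) before it opens the TCP connection for AXFR, and TCP-framed DNS carries a 2-byte length prefix (RFC 1035 section 4.2.2). All names, ports and addresses below are constructed for the example.

```python
import struct
from socket import inet_aton, inet_ntoa

QTYPE_NAMES = {1: "A", 2: "NS", 6: "SOA", 251: "IXFR", 252: "AXFR"}


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Decode a wire-format name at offset; handles RFC 1035 compression pointers."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels) + ".", offset + 1
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            suffix, _ = decode_name(data, ptr)
            return ".".join(labels + [suffix.rstrip(".")]) + ".", offset + 2
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_query(zone, qtype, txid=0x1234):
    """A plain DNS query message: header (QDCOUNT=1) plus one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", qtype, 1)


def tcp_frame(msg):
    """DNS over TCP prefixes every message with its 2-byte length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def parse_dns(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": txid, "response": bool(flags & 0x8000), "qname": qname,
            "qtype": QTYPE_NAMES.get(qtype, str(qtype)), "ancount": an}


# Constructed packet builders: minimal IPv4/UDP/TCP headers, checksums left at zero.
def build_ipv4(src, dst, proto, l4):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64,
                       proto, 0, inet_aton(src), inet_aton(dst)) + l4


def build_udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_tcp(sport, dport, payload):
    # PSH|ACK data segment with placeholder seq/ack numbers, 20-byte header.
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload


def summarize(packet):
    """Pull addresses, ports, transport and the DNS question out of one raw packet."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src, dst = inet_ntoa(packet[12:16]), inet_ntoa(packet[16:20])
    l4 = packet[ihl:]
    sport, dport = struct.unpack("!HH", l4[:4])
    if proto == 17:
        transport, payload = "udp", l4[8:]
    elif proto == 6:
        transport = "tcp"
        data_off = (l4[12] >> 4) * 4
        framed = l4[data_off:]
        length = struct.unpack("!H", framed[:2])[0]
        payload = framed[2:2 + length]
    else:
        raise ValueError("not UDP or TCP")
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "transport": transport, **parse_dns(payload)}


def firewall_rule_for(s):
    """The rule the master-side firewall needs for this packet: client ephemeral
    source port toward destination port 53; the reply rides the same connection."""
    return (f"allow {s['transport']} {s['src']}:{s['sport']} -> {s['dst']}:{s['dport']} "
            f"({s['qtype']} {s['qname']}); reply returns on the same connection")


# Constructed capture: slave 192.0.2.10 refreshing example.com. from master 198.51.100.1.
SLAVE, MASTER, ZONE = "192.0.2.10", "198.51.100.1", "example.com."
CAPTURE = [
    # 1. refresh check: SOA query over UDP from an ephemeral port to master:53
    build_ipv4(SLAVE, MASTER, 17, build_udp(40123, 53, build_query(ZONE, 6, 0x1001))),
    # 2. the transfer itself: AXFR over TCP, again client ephemeral port -> master:53
    build_ipv4(SLAVE, MASTER, 6, build_tcp(40124, 53, tcp_frame(build_query(ZONE, 252, 0x1002)))),
]


def analyze_capture(packets):
    return [summarize(p) for p in packets]


if __name__ == "__main__":
    for s in analyze_capture(CAPTURE):
        print(firewall_rule_for(s))
```

Run against a real capture, the thing to look for is which of the two steps never gets an answer: a slave whose UDP SOA query is blocked never reaches the AXFR step at all, which is consistent with dig's TCP AXFR working while the slave's scheduled refresh fails. In both packets the master is the destination on port 53; the only ephemeral ports involved are the client's source ports.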
