DNS transfers

Discussion in 'DNS Server' started by Don Powell, Aug 13, 2008.

  1. Don Powell

    Don Powell Guest

    My ISP has set up a Linux based DNS server in our office and wants to
    transfer/update (sorry, not sure of this nomenclature) DNS from our existing
    Server 2003 DNS server but claims that the Windows DNS server isn't
    configured to allow updates. Does anybody know what I change on my Server
    2003 side to allow this other DNS server to get updates?

    Don Powell, Aug 13, 2008

  2. Is your Windows 2003 DNS server a domain controller? If yes, is your dns
    zone Active Directory integrated?
    neo [mvp outlook], Aug 13, 2008

  3. Don Powell

    Don Powell Guest

    Yes and yes

    Don Powell, Aug 13, 2008
  4. Do you mean zone transfers? If so, under the zone (domain) properties, Zone
    transfer tab, check the box to allow transfers. You can control by IP as
    well, but if the zone transfer request is coming across your firewall, I
    would just leave it to All machines. Configure your firewall to allow TCP &
    UDP 53.


    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
    MVP Microsoft MVP - Directory Services
    Microsoft Certified Trainer

    For urgent issues, you may want to contact Microsoft PSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.

    Infinite Diversities in Infinite Combinations
    Ace Fekay [MVP Direcrtory Services], Aug 13, 2008
  5. Agreed about the tab, but why set it to "All machines" if the ISP set up the
    Linux based DNS server in his office? I'm thinking that the poster should know
    the IP address of said device on his network and should be able to implement
    tighter controls between these two devices. Of course whatever is needed
    between the Linux device and the ISP is a different story.


    PS - I would have opted to the bottom radio button of 'only to specific

    PSS - Don, the tab we are talking about is: open the DNS Management snap-in > go to
    the zone in question > right-click on the zone and select Properties > Zone Transfers tab
    neo [mvp outlook], Aug 13, 2008
  6. Don Powell

    Don Powell Guest

    That did it.


    Don Powell, Aug 13, 2008
  7. What "did it"?,...and then did "what"?

    Any DNS Server? or a specific DNS Server?
    Using/Adjusting the firewall? or having nothing to do with the firewall?
    Zone Transfers or not Zone Transfers?

    I am still scratching my head as to why:

    1. ...does the ISP have a DNS Server within your private LAN in the first
    2. What they are supposed to gain by it
    3. Which direction is the Transfer going? Their Zone Data replicated to
    you,...or your AD Zone data replicated to them (very very bad idea BTW).
    4. No matter which direction #3 is going,...I still see no point in there
    being a Linux DNS box on your LAN belonging to the ISP.

    Phillip Windell

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    Phillip Windell, Aug 13, 2008
  8. I would also have to agree to allow only the Linux IP too, but I've seen
    issues with BIND (assuming) grabbing zone transfers from Windows. I usually
    recommend using ANY and, once it works, changing it to only the Linux box's IP,
    then going to the zone properties in BIND and forcing a transfer to see if it
    works. If it does, leave it alone, and if it doesn't, set it back to Any.

    Ace Fekay [MVP Direcrtory Services], Aug 14, 2008
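The settings the posters above walk through in the DNS snap-in (posts 4, 5 and 8) can also be set and checked from the command line. This is an added example, not code from the thread; it assumes dnscmd.exe is available (Support Tools on Server 2003, built in on later versions), and the zone name and secondary address are placeholders.

```powershell
# Added example: restrict zone transfers to one known secondary with dnscmd.
# Assumptions: dnscmd.exe is installed on the Windows DNS server; the zone and
# the secondary's address below are placeholders for the reader's own values.
$Zone      = "corp.example.com"   # placeholder: the AD-integrated zone
$Secondary = "192.0.2.53"         # placeholder: the ISP's Linux/BIND box on the LAN

# Weak setting (post 4's "All machines"): any host that asks gets the whole zone.
# Post 8 suggests this only as a temporary step while the BIND side is first tested.
dnscmd localhost /ZoneResetSecondaries $Zone /NonSecure

# Corrected setting (post 5): transfers only to the secondary's IP, and NOTIFY
# sent only to that host so it pulls changes promptly instead of waiting for
# the SOA refresh interval.
dnscmd localhost /ZoneResetSecondaries $Zone /SecureList $Secondary /NotifyList $Secondary

# Check: dump the zone's settings and confirm the secure-secondaries setting and
# the secondary list now reflect the single address rather than "any".
dnscmd localhost /ZoneInfo $Zone
```

Zone transfers run over TCP 53, so the firewall rule between the two boxes can be limited to that port and to the secondary's address.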
  9. Phillip,

    Can you explain why zone transfers to *nix BIND are a bad idea?

    We are currently an AD Integrated DNS that is a delegated sub domain to *nix
    BIND... but the *nix DNS admins want to remove recursive lookup to our
    domain... which means the only other solution is to zone transfer to them...

    Any help is appreciated....
    WayCoolKennel, Sep 3, 2008
  10. I can explain...

    We have two BIND 9.x.x Unix DNS servers for company.com; they delegate the
    subdomain ad.company.com to our Windows AD Integrated DNS servers.

    This is done to allow DDNS for Windows clients.

    I don't know why they wish to turn off recursive lookup? My guess is
    something to do with recent vulnerabilities in BIND??

    The Windows DNS servers forward lookups to the Unix DNS servers..

    So any client machine that points to the Windows DNS servers can dynamically
    register with Windows AD DNS and still do internet lookups via forwarding to
    Unix DNS.

    This is not location specific.. so not sure how that affects anything?
    WayCoolKennel, Sep 3, 2008
  11. It is as I suggested... the issue is DDoS.. So they wish to turn off
    recursive lookup to external IPs..

    The issue is that ad.company.com is a delegated sub domain.. and will not
    get resolved to the outside without recursion (I would think DNS would be
    configurable to use recursion to delegated sub domains.. maybe not)... the
    AD servers are not exposed to the internet. So a referral is not appropriate.

    We have names in AD DNS that need to be resolvable to the internet...

    So I guess the only fix is to do zone transfers to the Unix DNS servers...

    I don't see a way around it...
    WayCoolKennel, Sep 4, 2008
  12.
    Well, I guess if that's how they want to do things, no problem. It works.

    As for recursive lookups, you mean from the outside world to the Unix
    machines? Forwarding from the delegated DNS servers to the parent is common
    in a delegation whether Unix or not, so recursive lookups need to be
    allowed. If recursive lookups are disabled (such as under Windows DNS, Advanced tab,
    "disable recursion" is checked), it will not allow any machine to forward to

    Is that what you mean?

    Ace Fekay [MVP Direcrtory Services], Sep 5, 2008
  13. Yes...

    If they turn off recursive lookups for all but our subnet on the Unix DNS
    servers... then from the outside.. if someone attempts to look up an
    ad.company.com address... the Unix DNS will not do a recursive lookup since
    ad.company.com is a delegated sub domain.

    So basically.. outside lookups will fail to ad.company.com.

    What is the recommended configuration for Windows DNS in this situation? I
    mean.. Windows DNS does not support masking recursive lookup based on IP..

    So are ALL Windows DNS servers that are internet facing allowing recursive lookup???
    WayCoolKennel, Sep 8, 2008
  14. Outside lookups? You mean such as from the internet? Why would anyone on the
    internet query for a record in your private domain? I can see if it's for
    VPN users, then that would need to be allowed.

    Ace Fekay [MVP Direcrtory Services], Sep 10, 2008
  15.
    To add and respond to the other points, in an AD infrastructure, anyone that
    needs to login and gain access to resources, etc, needs to be able to
    resolve the domain SRV and other resources.

    Maybe I don't understand what you mean by "outside" lookups? We usually do
    not allow Internet resolution of private records. Only exception is for
    authenticated VPN users.

    Ace Fekay [MVP Direcrtory Services], Sep 10, 2008
  16. Beoweolf

    Beoweolf Guest

    Are you using "Forwarder" or any form of "NAT" on the AD network?

    There is no justifiable reason that any outside party should be allowed
    unrestricted access to your Directory. Exchange/Mail should only
    respond to directed messages. In the past we have had too many issues with
    spammers or even employees posting to . Consequently, that
    access is controlled... that doesn't have anything to do with your issue (nor
    should it), but it illustrates why Internet access to internal users,
    addresses, etc. is not a good thing.
    Beoweolf, Sep 16, 2008