DNS transfers

Discussion in 'DNS Server' started by Don Powell, Aug 13, 2008.

  1. Don Powell

    Don Powell Guest

    My ISP has set up a Linux based DNS server in our office and wants to
    transfer/update (sorry, not sure of this nomenclature) DNS from our existing
    Server 2003 DNS server but claims that the Windows DNS server isn't
    configured to allow updates. Does anybody know what I change on my Server
    2003 side to allow this other DNS server to get updates?

    Thanks
     
    Don Powell, Aug 13, 2008
    #1

  2. Is your Windows 2003 DNS server a domain controller? If yes, is your DNS
    zone Active Directory integrated?
     
    neo [mvp outlook], Aug 13, 2008
    #2

  3. Don Powell

    Don Powell Guest

    Yes and yes

     
    Don Powell, Aug 13, 2008
    #3
  4. Do you mean zone transfers? If so, under the zone (domain) properties, Zone
    Transfers tab, check the box to allow transfers. You can control by IP as
    well, but if the zone transfer request is coming across your firewall, I
    would just leave it to All machines. Configure your firewall to allow TCP &
    UDP 53.


    --
    Regards,
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
    MVP Microsoft MVP - Directory Services
    Microsoft Certified Trainer

    For urgent issues, you may want to contact Microsoft PSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.

    Infinite Diversities in Infinite Combinations
     
    Ace Fekay [MVP Direcrtory Services], Aug 13, 2008
    #4
  5. Agreed about the tab, but why set it to "All machines" if the ISP set up the
    Linux based DNS server in his office? I'm thinking that the poster should know
    the IP address of said device on his network and should be able to implement
    tighter controls between these two devices. Of course whatever is needed
    between the Linux device and the ISP is a different story.

    /Neo

    PS - I would have opted for the bottom radio button of 'only to specific
    servers'.

    PSS - Don, the tab we are talking about is: open the DNS Management snap-in > go to
    the zone in question > right-click on the zone and select Properties > Zone Transfers tab
     
    neo [mvp outlook], Aug 13, 2008
    #5
  6. Don Powell

    Don Powell Guest

    That did it.

    Thanks

     
    Don Powell, Aug 13, 2008
    #6
  7. What "did it"?,...and then did "what"?

    Any DNS Server? or a specific DNS Server?
    Using/Adjusting the firewall? or having nothing to do with the firewall?
    Zone Transfers or not Zone Transfers?

    I am still scratching my head as to why:

    1. ...does the ISP have a DNS Server within your private LAN in the first
    place
    2. What they are supposed to gain by it
    3. Which direction is the Transfer going? Their Zone Data replicated to
    you,...or your AD Zone data replicated to them (very very bad idea BTW).
    4. No matter which direction #3 is going,...I still see no point in there
    being a Linux DNS box on your LAN belonging to the ISP.


    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
     
    Phillip Windell, Aug 13, 2008
    #7
  8. I would also have to agree to allow only the Linux IP too, but I've seen
    issues with BIND (assuming) grabbing zone transfers from Windows. I usually
    recommend using ANY and once it works, change it to only the Linux server's IP,
    then go to the zone properties in BIND and force a transfer and see if it
    works. If it does, leave it alone, and if it doesn't, set it back to Any.

    Ace
     
    Ace Fekay [MVP Direcrtory Services], Aug 14, 2008
    #8
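    As an added example (not from any poster in this thread), the command-line
    equivalent of the Zone Transfers tab steps Neo and Ace describe, using
    dnscmd.exe on the Windows Server 2003 DNS server. The zone name
    "example.com" and the Linux server address 192.0.2.10 are constructed
    placeholders.

```powershell
# Added example: dnscmd equivalent of the Zone Transfers tab settings.
# Assumptions: zone "example.com" and the ISP's Linux (BIND) server at
# 192.0.2.10 are placeholders; run from an elevated prompt on the Windows
# 2003 DNS server. Zone transfers (AXFR/IXFR) travel over TCP port 53.

$zone      = "example.com"
$secondary = "192.0.2.10"

# Step 1, Ace's troubleshooting approach: temporarily allow transfers to any
# host. This is the "To any server" radio button and is the weak setting:
# every host that can reach TCP/53 can pull a full copy of the AD zone.
dnscmd /ZoneResetSecondaries $zone /NonSecure

# Step 2, Neo's recommendation: once the BIND side has confirmed a transfer,
# restrict transfers to that one secondary. This is the
# "Only to the following servers" radio button.
dnscmd /ZoneResetSecondaries $zone /SecureList $secondary

# Alternative: "Only to servers listed on the Name Servers tab".
# dnscmd /ZoneResetSecondaries $zone /SecureNs

# Turning transfers off entirely (the "Allow zone transfers" box unchecked):
# dnscmd /ZoneResetSecondaries $zone /NoXfr

# Verify the zone's current settings, including the secondaries list.
dnscmd /ZoneInfo $zone
```

    Once the secure list is in place, a transfer attempt from any host other
    than 192.0.2.10 should be refused by the Windows DNS server; that refusal is
    the check that the tightened setting actually took effect.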
  9. Phillip,

    Can you explain why zone transfers to *nix BIND are a bad idea?

    We are currently an AD Integrated DNS that is a delegated sub domain to *nix
    BIND.. but the *nix DNS admins .. want to remove recursive lookup to our
    domain.. which means the only other solution is to zone transfer to them...

    Any help is appreciated....
     
    WayCoolKennel, Sep 3, 2008
    #9
  10. I can explain...

    We have two BIND 9.x.x Unix DNS servers for company.com; they delegate the
    subdomain ad.company.com to our Windows AD Integrated DNS servers.

    This is done to allow DDNS for Windows clients.

    I don't know why they wish to turn off recursive lookup? My guess is
    something to do with recent vulnerabilities in BIND??

    The Windows DNS servers forward lookups to the Unix DNS servers..

    So any client machine that points to the Windows DNS servers can dynamically
    register with Windows AD DNS and still do internet lookups via forwarding to
    Unix DNS.

    This is not location specific.. so not sure how that affects anything?
     
    WayCoolKennel, Sep 3, 2008
    #10
  11. It is as I suggested... the issue is DDoS .. So they wish to turn off
    recursive lookup to external IPs ..

    The issue is that ad.company.com is a delegated sub domain.. and will not
    get resolved to the outside without recursion (I would think DNS would be
    configurable to use recursion to delegated sub domains.. maybe not)... the
    AD servers are not exposed to the internet. So a referral is not appropriate.

    We have names in AD DNS that need to be resolvable from the internet...

    So I guess the only fix is to do zone transfers to the Unix DNS servers ...

    I don't see a way around it...
     
    WayCoolKennel, Sep 4, 2008
    #11
  12. Well, I guess if that's how they want to do things, no problem. It works.

    As for recursive lookups, you mean from the outside world to the Unix
    machines? Forwarding from the delegated DNS servers to the parent is common
    in a delegation whether Unix or not, so recursive lookups need to be
    allowed. If recursive lookups are disabled (such as under Windows DNS, Advanced tab,
    "Disable recursion" is checked), it will not allow any machine to forward to
    it.

    Is that what you mean?

    Ace
     
    Ace Fekay [MVP Direcrtory Services], Sep 5, 2008
    #12
  13. Yes.

    If they turn off recursive lookups for all but our subnet on the Unix DNS
    servers... then from the outside .. if someone attempts to look up an
    ad.company.com address... the Unix DNS will not do a recursive lookup since
    ad.company.com is a delegated sub domain.

    So basically .. outside lookups will fail to ad.company.com

    What is the recommended configuration for Windows DNS in this situation? I
    mean.. Windows DNS does not support masking recursive lookup based on IP ..
    ..???

    So are ALL Windows DNS servers that are internet facing allowing recursive lookup???
     
    WayCoolKennel, Sep 8, 2008
    #13
  14. Outside lookups? You mean such as from the internet? Why would anyone on the
    internet query for a record in your private domain? I can see if it's for
    VPN users, then that would need to be allowed.

    Ace
     
    Ace Fekay [MVP Direcrtory Services], Sep 10, 2008
    #14
  15. To add and respond to the other points, in an AD infrastructure, anyone that
    needs to log in and gain access to resources, etc, needs to be able to
    resolve the domain SRV and other records.

    Maybe I don't understand what you mean by "outside" lookups? We usually do
    not allow Internet resolution of private records. Only exception is for
    authenticated VPN users.

    Ace
     
    Ace Fekay [MVP Direcrtory Services], Sep 10, 2008
    #15
  16. Beoweolf

    Beoweolf Guest

    Are you using "Forwarder" or any form of "NAT" on the AD network?

    There is no justifiable reason that any outside party should be allowed
    unrestricted access to your Directory. Exchange/Mail should only
    respond to directed messages. In the past we have had too many issues with
    spammers or even employees posting to . Consequently, that
    access is controlled...that doesn't have anything to do with your issue (nor
    should it), but it illustrates why internet access to internal users,
    addresses, etc is not a good thing.
     
    Beoweolf, Sep 16, 2008
    #16