named-xfer NOGO but nslookup works...

I'm trying to understand the nature of the apparent firewall block at our institution... I have a name server set up within the firewall. A named-xfer query from outside the firewall to my name server FAILS (just hangs). BUT single nslookups from outside to my name server work fine. Also, named-xfers from within the firewall work fine.

How is that? I thought all such name/domain queries work off of port 53... so why does named-xfer fail but nslookup succeed?

The practical effect is that my name server seems to work fine as a name server EXCEPT it is not able to feed a secondary name server outside with its required info.

thx
 
Transfers use tcp/53, lookups use udp/53 (and sometimes tcp/53 when the replies are too big). Open tcp/53, and tell BIND to restrict transfers to trusted IPs.
 
DutchDaemon said:
tell BIND to restrict transfers to trusted IPs.
A better solution is to tell BIND to restrict transfers to those who have transaction signature (TSIG) keys only. This makes spoofing very difficult.
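Putting the two answers together, an added example (constructed here, not posted by either participant): a named.conf fragment for the primary behind the firewall and one for the outside secondary, with the IP-based and the TSIG-based transfer restrictions side by side. The key name, secret, zone name, file paths and addresses are placeholders.

```conf
// Added example, not from the thread. Key name, secret, zone, paths and
// addresses are placeholders; generate a real secret with tsig-keygen.

// ---- primary (inside the firewall) ----
// Shared secret, identical on both servers.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET-FROM-tsig-keygen=";
};

options {
    directory "/usr/local/etc/namedb";   // FreeBSD default path (assumption)
    // Setting to avoid: allow-transfer { any; };  (anyone reaching tcp/53 gets the zone)
    // Default for every zone unless a zone statement says otherwise.
    allow-transfer { none; };
    // Ordinary lookups stay open: udp/53, tcp/53 only for oversized replies.
    allow-query { any; };
};

zone "example.test" {
    type master;
    file "master/example.test.db";
    // IP-only variant (first answer): allow-transfer { 192.0.2.10; };
    // TSIG variant (second answer): a forged source address alone is not enough.
    allow-transfer { key "xfer-key"; };
    also-notify { 192.0.2.10; };
};
// The firewall must still pass tcp/53 from 192.0.2.10 to this server,
// otherwise the AXFR hangs exactly as described in the question.

// ---- secondary (outside the firewall) ----
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET-FROM-tsig-keygen=";
};

// Sign every request sent to the primary with this key.
server 198.51.100.1 {
    keys { "xfer-key"; };
};

zone "example.test" {
    type slave;
    masters { 198.51.100.1; };
    file "slave/example.test.db";
};
```

With `allow-transfer { key "xfer-key"; }` an unsigned AXFR is refused and logged by the primary, which is also the check to run after the change.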
 