LinuxQuestions.org
08-12-2008, 02:08 PM   #1
clincoln
Windows 03 DNS zone transfer to BIND9 on Suse 10 Enterprise


Goal:
Transfer all DNS entries from two Windows DNS servers to two BIND9 boxes.

What I have done thus far:
1: Confirmed each zone on the Windows DNS is set up to allow zone transfers to the SUSE box

2: Sent a notify from the Windows DNS to the Linux box

3: Tailed /var/log/messages and confirmed the notify was sent

Here is where I run into a problem: the zone files are not being created and I get this error in /var/log/messages

11:31:07 SUSE named[27952]: client (windowsdnsIP)#1026: received notify for zone 'x.x.x.x.in-addr.arpa': not authoritative
11:33:38 SUSE named[27952]: client (windowsdnsIP)#1026: received notify for zone 'mydomain.net': not authoritative

Also, this is my named.conf file below

options {
    directory "/var/lib/named";
    dump-file "/var/log/named_dump.db";
    statistics-file "/var/log/named.stats";
    listen-on port 53 { 127.0.0.1; 10.10.11.8; };
    # The listen-on-v6 record enables or disables listening on IPv6
    # interfaces. Allowed values are 'any' and 'none' or a list of
    # addresses.
    listen-on-v6 { any; };
    # The next three statements may be needed if a firewall stands between
    # the local server and the internet.
    query-source address * port 53;
    transfer-source * port 53;
    notify-source * port 53;
    # The allow-query record contains a list of networks or IP addresses
    # to accept and deny queries from. The default is to allow queries
    # from all hosts.
    allow-query { 127.0.0.1; windows_dns_IP; };
    allow-transfer { pri_windowsIP; sec_windowsIP; };
    allow-recursion { localnets; localhost; };
    # 'notify' can be added to each zone definition.
    notify no;
};
zone "." in {
    type hint;
    file "root.hint";
};
zone "localhost" in {
    type master;
    file "localhost.zone";
};
zone "0.0.127.in-addr.arpa" in {
    type master;
    file "127.0.0.zone";
};
include "/etc/named.conf.include";

Here is my include file

zone "mydomain.net" in {
    type master;
    file "master/mydomain.net.zone";
};
zone "x.x.x.in-addr.arpa" in {
    type master;
    file "x.x.x.zone";
};


Thanks to all in advance!
 
08-13-2008, 11:53 AM   #2
chort
Code:
zone "mydomain.net" in {
    type slave;
    file "slave/mydomain.net.zone";
    masters { pri_windowsIP; sec_windowsIP; };
};
zone "x.x.x.in-addr.arpa" in {
    type slave;
    file "x.x.x.zone";
    masters { pri_windowsIP; sec_windowsIP; };
};
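A worked check for the fix above, added here as an example and not part of clincoln's or chort's posts. It parses the zone statements of a BIND 9 include file and reports the two configurations that produce exactly the symptom in the first post: a "type master" zone whose file is missing (named does not load it, so it is not authoritative and logs the incoming NOTIFY as such), and a "type slave" zone with no masters list to transfer from. The sample include files, the zone file names and the 192.0.2.x addresses are constructed for the example; the serial_of helper needs a live network and is defined but not run.

```shell
#!/bin/sh
# Added example, not from the thread: lint the zone statements in a BIND 9
# include file and flag the misconfiguration the OP hit. A zone declared
# "type master" whose zone file is missing is never loaded, so named is not
# authoritative for it and logs the Windows server's NOTIFY as
# "received notify for zone '...': not authoritative".
# Assumes one statement per line and file paths relative to the "directory"
# option, as in the configs posted in this thread.

# Print one tab-separated line per zone: name, type, file, masters list.
zone_table() {
    awk '
        /^[[:space:]]*zone[[:space:]]+"/ {
            name = $2; gsub(/"/, "", name)
            type = file = masters = "-"
            inzone = 1; next
        }
        inzone && /^[[:space:]]*type[[:space:]]/ {
            type = $2; sub(/;.*/, "", type); next
        }
        inzone && /^[[:space:]]*file[[:space:]]/ {
            file = $2; gsub(/[";]/, "", file); next
        }
        inzone && /^[[:space:]]*masters[[:space:]]*[{]/ {
            masters = $0
            sub(/^[^{]*[{][[:space:]]*/, "", masters)            # drop "masters {"
            sub(/[[:space:]]*[}][[:space:]]*;.*$/, "", masters)  # drop "};"
            gsub(/;/, "", masters); gsub(/[[:space:]]+/, " ", masters)
            next
        }
        inzone && /^[[:space:]]*[}][[:space:]]*;/ {
            printf "%s\t%s\t%s\t%s\n", name, type, file, masters
            inzone = 0
        }
    ' "$1"
}

# Report problems, one per line. $1 = include file, $2 = named's directory.
lint_zones() {
    tab=$(printf '\t')
    zone_table "$1" | while IFS="$tab" read -r name type file masters; do
        case $type in
        master)
            [ -f "$2/$file" ] ||
                echo "$name: type master but $2/$file is missing; named will not load it and a NOTIFY for it logs 'not authoritative'"
            ;;
        slave)
            [ "$masters" != "-" ] ||
                echo "$name: type slave without a masters { ... } list; nothing to transfer from"
            ;;
        esac
    done
    return 0
}

# Live check once named is reloaded: the slave's SOA serial must match the
# Windows master's. Needs network access, so it is not run below.
#   serial_of 192.0.2.10 mydomain.net ; serial_of 127.0.0.1 mydomain.net
serial_of() {
    dig +short @"$1" "$2" SOA | awk '{ print $3 }'
}

# Constructed sample: the OP's master statements (no zone files exist yet)
# beside the corrected slave statements from the reply above.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/master" "$tmp/slave"
    cat > "$tmp/before.include" <<'EOF'
zone "mydomain.net" in {
    type master;
    file "master/mydomain.net.zone";
};
zone "x.x.x.in-addr.arpa" in {
    type master;
    file "x.x.x.zone";
};
EOF
    cat > "$tmp/after.include" <<'EOF'
zone "mydomain.net" in {
    type slave;
    file "slave/mydomain.net.zone";
    masters { 192.0.2.10; 192.0.2.11; };
};
zone "x.x.x.in-addr.arpa" in {
    type slave;
    file "slave/x.x.x.zone";
    masters { 192.0.2.10; 192.0.2.11; };
};
EOF
    echo "== before (OP's config)"; lint_zones "$tmp/before.include" "$tmp"
    echo "== after (slave zones)";  lint_zones "$tmp/after.include" "$tmp"
    rm -rf "$tmp"
}
demo
```

On the SUSE box this is lint_zones /etc/named.conf.include /var/lib/named; an empty report, followed by matching serials from serial_of against the Windows master and against 127.0.0.1, means the transfer actually happened. The slave/ path in chort's answer is the subdirectory named is allowed to write into in SUSE's chrooted layout, which is why transferred copies belong there rather than under master/.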
 
08-13-2008, 01:52 PM   #3
clincoln
Voila

That did the trick! Thank you very much. When I go to turn off the Windows DNS, I imagine I copy the slave directory over to master and update both named.conf and the .include to point to itself as master?
 
08-13-2008, 02:01 PM   #4
chort
Yes, although are you sure that's what you want? Are you running Active Directory on the Windows servers? If so, it's probably best to leave them as masters, unless you're entirely replacing your Windows infrastructure with something else.

By the way, I just noticed this:
Code:
query-source address * port 53;
which is completely insecure and blatantly vulnerable to cache poisoning attacks, regardless of how patched your system is. Comment that line out (you should do the same for transfer and notify too, but verify everything still works after changing those).

If for some reason your firewalls are configured to require port 53 as the source port for DNS queries, tell the people who run your network to do 5 seconds of security research on the Internet, then fix their firewalls.
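The weak setting chort points out, beside its correction, as an added example that is not part of the thread. The shell functions below report every query-source, transfer-source or notify-source statement that pins a numeric port and then comment those lines out the way the post recommends; the sample options block is constructed from the named.conf in the first post. A pinned source port leaves only the 16-bit transaction ID for an off-path forger to guess; a patched BIND 9 left to choose its own ephemeral port adds about 16 more bits per query.

```shell
#!/bin/sh
# Added example, not from the thread: find and disable pinned UDP source
# ports in a BIND 9 options block. "query-source address * port 53;" sends
# every outgoing query from source port 53, so a spoofed answer only has to
# match the 16-bit transaction ID (65536 possibilities). With no port given,
# a patched BIND 9 picks a random ephemeral port per query and the forger
# must hit port and ID together. The same applies to transfer-source and
# notify-source, as the reply above notes.

# Print "directive port" for each *-source statement that pins a numeric
# port. "port *" lets named choose and is not flagged.
fixed_source_ports() {
    grep -E '^[[:space:]]*(query|transfer|notify)-source(-v6)?[[:space:]]' "$1" |
        awk '{
            for (i = 1; i < NF; i++)
                if ($i == "port" && $(i + 1) ~ /^[0-9]+;?$/) {
                    p = $(i + 1); sub(/;/, "", p); print $1, p
                }
        }'
    return 0
}

count_fixed_source_ports() {
    fixed_source_ports "$1" | wc -l | tr -d ' '
}

# Comment the offending statements out in place (backup kept as $1.bak) so
# named reverts to randomised source ports. Run named-checkconf before
# reloading, and make sure the firewall accepts UDP replies to ephemeral
# ports (1024-65535) rather than only to port 53; if it does not, the
# firewall is what needs fixing.
unpin_source_ports() {
    cp "$1" "$1.bak"
    awk '
        /^[[:space:]]*(query|transfer|notify)-source(-v6)?[[:space:]]/ && /port[[:space:]]+[0-9]+/ { print "# " $0 "   # disabled: pinned source port"; next }
        { print }
    ' "$1.bak" > "$1"
}

# After "rndc reload", confirm from the resolver itself that source ports
# now vary. DNS-OARC's test answers with a TXT record rating the ports it
# saw from your resolver (needs network access, so it is not run here):
#     dig +short porttest.dns-oarc.net TXT @127.0.0.1

# Constructed sample: the three pinned statements from the OP's named.conf.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/named.conf" <<'EOF'
options {
    directory "/var/lib/named";
    query-source address * port 53;
    transfer-source * port 53;
    notify-source * port 53;
    allow-recursion { localnets; localhost; };
};
EOF
    echo "pinned before: $(count_fixed_source_ports "$tmp/named.conf")"
    fixed_source_ports "$tmp/named.conf"
    unpin_source_ports "$tmp/named.conf"
    echo "pinned after:  $(count_fixed_source_ports "$tmp/named.conf")"
    grep -n 'source' "$tmp/named.conf"
    rm -rf "$tmp"
}
demo
```

Commenting the statements out, rather than rewriting them to "port *", matches what the post says to do and keeps the original lines visible for whoever inherits the config; the .bak copy lets you diff the change before reloading.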
 
08-13-2008, 02:08 PM   #5
clincoln
They are actually commented out; I was posting from a backup file I was using prior to edits to the live conf file. Yeah, the plan is to completely replace the Windows DNS servers with BIND.
 
08-13-2008, 02:14 PM   #6
chort
Quote:
Originally Posted by clincoln
Yeah, the plan is to completely replace the Windows DNS servers with BIND.
I got that part, but are you completely replacing all functions of the Windows servers? Domain Controller, Directory Server, DHCP server, etc.? Active Directory automatically puts a lot of entries into Windows DNS that are necessary for Windows networking (SMB/CIFS).
 
08-13-2008, 02:42 PM   #7
clincoln
Nope, just the DNS functionality will be replaced. The only services provided from that box are DNS and AD.
 
08-13-2008, 03:07 PM   #8
chort
Which is what I suspected; in that case I recommend against it. Is there a specific reason for wanting to remove the DNS server functionality from the Windows machines? You can easily configure your DHCP servers to give out the BIND servers as the only nameservers, so clients aren't directly querying the Windows servers for DNS requests.

Basically, I don't see why you would want to remove Windows DNS entirely, as it may cause difficult-to-troubleshoot problems with Windows networking in general. The only operational difference is that you would make updates to the zone through the BIND configuration file instead of the Windows DNS application. Unless there's a strong reason why making changes in BIND is a lot better than making them in Windows, I don't see a point.

Running separate nameservers for clients to query in order to reduce the load on the AD servers is fine, and makes sense, but continuing to run Windows DNS as "master" without any clients querying it shouldn't cause any noticeable load.
 
08-13-2008, 05:13 PM   #9
clincoln
The reason behind the move is that DNS will be hosted at a different site from where it's currently hosted. The platforms at the new site strictly run SUSE, and for infrastructure purposes it needs to run on BIND. Was I correct in assuming the smoothest transition for the cutover is copying the zones from the slave directory over to master and making the changes to both conf files?
 
08-13-2008, 05:38 PM   #10
chort
Yes, that's the way you would migrate the zone files.

You're going to do whatever you're going to do, but take my word for it and don't uninstall the DNS package from your MS servers. If anything goes wrong it will be a real pain to get it set back up.
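The cutover clincoln asks about and chort confirms, scripted as an added example that is not part of either post. It copies each transferred zone file from slave/ to master/, rewrites the include file so each zone is type master without a masters list, and prints the SOA and NS lines, which after the copy still carry the Windows servers' names and have to be edited (and the serial raised) before the second BIND box, now a slave of the first, will pick the zone up. All zone data, addresses and paths in the sample are made up; the script assumes the one-statement-per-line layout and the slave/ and master/ subdirectories used in this thread.

```shell
#!/bin/sh
# Added example, not from the thread: the slave-to-master cutover described
# above. For each "type slave" zone in a BIND include file, copy the zone
# file named has been writing under slave/ to master/, rewrite the statement
# to "type master" with the new path and without the masters list, and list
# the SOA/NS records that still name the Windows servers. Assumes one
# statement per line and the slave/ and master/ subdirectories of named's
# working directory, as in this thread; names and addresses are made up.

# $1 = include file, $2 = named's working directory (e.g. /var/lib/named)
promote_slaves() {
    inc=$1; dir=$2
    cp "$inc" "$inc.pre-cutover"
    # Copy every transferred zone file from slave/ to master/.
    grep -E '^[[:space:]]*file[[:space:]]+"slave/' "$inc" |
        sed 's/.*"slave\/\([^"]*\)".*/\1/' |
        while read -r z; do cp "$dir/slave/$z" "$dir/master/$z"; done
    # type slave -> type master, slave/ -> master/, drop "masters { ... };".
    awk '
        /^[[:space:]]*type[[:space:]]+slave[[:space:]]*;/ { sub(/slave/, "master") }
        /^[[:space:]]*file[[:space:]]+"slave\//           { sub(/"slave\//, "\"master/") }
        /^[[:space:]]*masters[[:space:]]*[{]/             { next }
        { print }
    ' "$inc.pre-cutover" > "$inc"
}

# SOA and NS lines of a zone file (comments skipped). After the copy these
# still point at the Windows servers; edit them, raise the serial, then the
# second BIND box transfers the corrected zone from this one.
records_to_review() {
    awk 'toupper($0) ~ /[[:space:]](SOA|NS)[[:space:]]/ && $0 !~ /^[[:space:]]*;/' "$1"
}

demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/master" "$tmp/slave"
    cat > "$tmp/named.conf.include" <<'EOF'
zone "mydomain.net" in {
    type slave;
    file "slave/mydomain.net.zone";
    masters { 192.0.2.10; 192.0.2.11; };
};
EOF
    # Constructed stand-in for the file named writes after a transfer.
    cat > "$tmp/slave/mydomain.net.zone" <<'EOF'
$ORIGIN .
$TTL 3600       ; 1 hour
mydomain.net            IN SOA  dc1.mydomain.net. hostmaster.mydomain.net. (
                                2008081301 ; serial
                                900        ; refresh (15 minutes)
                                600        ; retry (10 minutes)
                                86400      ; expire (1 day)
                                3600       ; minimum (1 hour)
                                )
                        NS      dc1.mydomain.net.
                        NS      dc2.mydomain.net.
$ORIGIN mydomain.net.
dc1                     A       192.0.2.10
dc2                     A       192.0.2.11
www                     A       192.0.2.80
EOF
    promote_slaves "$tmp/named.conf.include" "$tmp"
    echo "== rewritten include"; cat "$tmp/named.conf.include"
    echo "== records to edit before raising the serial"
    records_to_review "$tmp/master/mydomain.net.zone"
    rm -rf "$tmp"
}
demo
```

Run it only on the BIND box that becomes the new master. On the second box, point each slave zone's masters list at the first box instead; on the first box, change allow-transfer from the Windows addresses to the second box's address and set notify yes so it hears about changes. Check the results with named-checkconf and named-checkzone before reloading, and, as chort advises, leave the Windows DNS role installed until the new masters have been serving for a while.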
 
08-14-2008, 12:00 PM   #11
clincoln
Clarification

The only thing these two boxes are providing is public DNS in a DMZ. I don't believe there is a risk of Windows networking issues as, like I mentioned, this box is only used for DNS and is not tied into an internal infrastructure. The AD service was left on the box as it was a DC in its better days; however, it is now only used for login authentication, no other devices authenticate against it, and DHCP services never resided on the server, so I think I am in the clear.
 
08-15-2008, 01:03 AM   #12
chort
Oh well, if it's not part of your forest, then yeah, no problem.
 
  

