
clincoln 08-12-2008 02:08 PM

Windows 03 DNS zone transfer to BIND9 on Suse 10 Enterprise
Transfer all dns entries from two windows dns servers to two bind9 boxes

What I have done thus far:
1: Confirmed each zone on the windows dns is setup to allow zone transfers to the suse box

2: Sent notify from windows dns for linux box

3: tailed messages and confirmed the notify was sent

Here is where I run into a problem - The zone files are not being created and I get this error in /var/log/messages

11:31:07 SUSE named[27952]: client (windowsdnsIP)#1026: received notify for zone': not authoritative
11:33:38 SUSE named[27952]: client (windowsdnsIP)#1026: received notify for zone '': not authoritative

Also this is my named.conf file below

options {
    directory "/var/lib/named";
    dump-file "/var/log/named_dump.db";
    statistics-file "/var/log/named.stats";
    listen-on port 53 {;; };
    # The listen-on-v6 record enables or disables listening on IPv6
    # interfaces. Allowed values are 'any' and 'none' or a list of
    # addresses.
    listen-on-v6 { any; };
    # The next three statements may be needed if a firewall stands between
    # the local server and the internet.
    query-source address * port 53;
    transfer-source * port 53;
    notify-source * port 53;
    # The allow-query record contains a list of networks or IP addresses
    # to accept and deny queries from. The default is to allow queries
    # from all hosts.
    allow-query {; windows_dns_IP; };
    allow-transfer { pri_windowsIP; sec_windowsIP; };
    allow-recursion { localnets; localhost; };
    # 'notify' can be added to each zone definition.
    notify no;
};
zone "." in {
    type hint;
    file "root.hint";
};
zone "localhost" in {
    type master;
    file "";
};
zone "" in {
    type master;
    file "";
};
include "/etc/named.conf.include";

Here is my include file

zone "" in {
    type master;
    file "master/";
};
zone "" in {
    type master;
    file "";
};

Thanks to all in advance!

chort 08-13-2008 11:53 AM

zone "" in {
    type slave;
    file "slave/";
    masters { pri_windowsIP; sec_windowsIP; };
};
zone "" in {
    type slave;
    file "";
    masters { pri_windowsIP; sec_windowsIP; };
};

clincoln 08-13-2008 01:52 PM

That did the trick! thank you much, when I go to turn off the windows DNS I imagine I copy the slave directory over to master and update both named.conf and .include to point to itself for master?

chort 08-13-2008 02:01 PM

Yes, although are you sure that's what you want? Are you running Active Directory on the Windows servers? If so, it's probably best to leave them as masters, unless you're entirely replacing your Windows infrastructure with something else.

By the way, I just noticed this:
query-source address * port 53;

which is completely insecure and blatantly vulnerable to cache poisoning attacks, regardless of how patched your system is. Comment that line out (you should do the same for transfer and notify too, but verify everything still works after changing those).

If for some reason your firewalls are configured to require port 53 as the source port for DNS queries, tell the people who run your network to do 5 seconds of security research on the Internet, then fix their firewalls.
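An added shell check, not code from the thread, that audits a named.conf for the two problems raised in this exchange: query/transfer/notify-source statements pinned to a fixed port (the cache-poisoning exposure above), and "type slave" zones that lack the masters list the earlier reply added. The sample config, the example.com/example.net zone names and the 192.0.2.x addresses are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample named.conf (placeholder zone names and RFC 5737 addresses),
# modelled on the thread's config: three *-source statements pinned to port 53,
# one slave zone with a masters list and one without.
SAMPLE_CONF='options {
    directory "/var/lib/named";
    query-source address * port 53;
    transfer-source * port 53;
    notify-source * port 53;
    allow-recursion { localnets; localhost; };
};
zone "example.com" in {
    type slave;
    file "slave/example.com";
    masters { 192.0.2.10; 192.0.2.11; };
};
zone "example.net" in {
    type slave;
    file "slave/example.net";
};'

# Print every query/transfer/notify-source statement that fixes the source port
# to a number. "port *" (random source port, the safe setting) is not reported.
find_pinned_source_ports() {
    printf '%s\n' "$1" |
        grep -E '^[[:space:]]*(query|transfer|notify)-source(-v6)?[[:space:]].*[[:space:]]port[[:space:]]+[0-9]+'
}

# Print the name of every "type slave" zone that has no masters statement,
# i.e. a zone named has nowhere to transfer from.
slave_zones_without_masters() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*zone[[:space:]]/ { name = $2; gsub(/"/, "", name); slave = 0; masters = 0 }
        /type[[:space:]]+slave/        { slave = 1 }
        /masters[[:space:]]*[{]/        { masters = 1 }
        /^[[:space:]]*};/              { if (slave && !masters) print name; slave = 0; masters = 0 }
    '
}

# Report on the constructed sample; on a real box pass "$(cat /etc/named.conf)" instead.
find_pinned_source_ports "$SAMPLE_CONF"
slave_zones_without_masters "$SAMPLE_CONF"
```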

clincoln 08-13-2008 02:08 PM

they are actually commented out, I was posting with a backup file I was using prior to edits for the live conf file. Yea the plan is to completely replace the windows dns servers with bind

chort 08-13-2008 02:14 PM

Originally Posted by clincoln (Post 3246386)
Yea the plan is to completely replace the windows dns servers with bind

I got that part, but are you completely replacing all functions of the Windows servers? Domain Controller, Directory Server, DHCP server, etc??? Active Directory automatically puts a lot of entries into Windows DNS that are necessary for Windows networking (SMB/CIFS).

clincoln 08-13-2008 02:42 PM

nope, just the DNS functionality will be replaced. the only services provided from that box are DNS and AD

chort 08-13-2008 03:07 PM

Which is what I suspected--in that case I recommend against it. Is there a specific reason for wanting to remove the DNS server functionality from the Windows machines? You can easily configure your DHCP servers to give out the BIND servers as the only nameservers, so clients aren't directly querying the Windows servers for DNS requests.

Basically, I don't see why you would want to remove Windows DNS entirely as it may cause difficult-to-troubleshoot problems with Windows networking in general. The only operational difference is that you would make updates to the zone through BIND configuration file instead of the Windows DNS application. Unless there's a strong reason why making changes in BIND is a lot better than making them in Windows, I don't see a point.

Running separate nameservers for clients to query in order to reduce the load on the AD servers is fine, and makes sense, but continuing to run Windows DNS as "master" without any clients querying it shouldn't cause any noticeable load.

clincoln 08-13-2008 05:13 PM

the reason behind the move is dns will be hosted at a different site from where its currently hosted now. The platforms at the new site strictly run suse and for infrastructure purposes it needs to run on BIND. Was I correct in assuming the smoothest transition concerning the cutover? Copying the zones from the slave directory over to master and making the changes to both conf files?

chort 08-13-2008 05:38 PM

Yes, that's the way you would migrate the zone files.

You're going to do whatever you're going to do, but take my word for it and don't uninstall the DNS package from your MS servers. If anything goes wrong it will be a real pain to get it set back up.

clincoln 08-14-2008 12:00 PM

the only thing these two boxes are providing is public dns in a dmz - I don't believe there is a risk of windows networking issues as like I mentioned, this box is only used for dns and is not tied into an internal infrastructure - the AD service was left on the box as it was a DC in its better days however is now only used for login authentication, no other devices authenticate against it and dhcp services never resided on the server so I think I am in the clear

chort 08-15-2008 01:03 AM

Oh well if it's not part of your forest, then yeah no problem.
