Bind9 slave server keeps getting zone transfers refused by AD DNS

DamnPeggy
Posts: 3
Joined: 2018/08/14 10:16:30

Bind9 slave server keeps getting zone transfers refused by AD DNS

Post by DamnPeggy » 2018/08/14 11:24:18

Hello,

For the last couple of days, I have been trying to connect my Bind9 server to my AD's DNS as a secondary zone, to no avail.

The problem seems to be that when trying to get a zone transferred from the master, the packets will be dropped, though there are no firewalls that should be rejecting them.

I can ping all of them with no problem, and I can also transfer the zone via nslookup from a normal windows client.


Looking at Wireshark and tcpdump -i any port 53 when connecting the Bind server to the AD DNS server gives me this:

https://i.imgur.com/soToiCM.png

And looking at the named status, it gives me this:

https://i.imgur.com/COiFTrk.png

It says something about keys, which I am assuming has something to do with DNSSEC, even though I have not configured DNSSEC on any of the machines yet.

CentNS: 192.168.64.128

AD DNS: 192.168.64.64



I have tried disabling firewalld and disabling all rules on the Windows firewall too, but it's still the same problem according to Wireshark.

This is all done on a host-only network on VMWare, with pfsense connecting the two. (No rules configured on pfsense, fresh install)

I am still sort of new to Linux, especially when it comes to administration of servers.


Here is my named.conf for the secondary and reverse zone on my CentOS server.

options {
        check-names master warn;
        listen-on port 53       { 192.168.64.128; 127.0.0.1; };
        filter-aaaa-on-v4       yes;
        directory               "/var/named/";
        dump-file               "/var/named/data/cache_dump.db";
        statistics-file         "/var/named/data/named_stats.txt";
        memstatistics-file      "/var/named/data/named_mem_stats.txt";
        allow-query             { any; };
        allow-transfer          { 192.168.64.64; 192.168.64.128; };
        allow-notify            { 192.168.64.64; 192.168.64.128; };
        recursion yes;

        dnssec-enable no;
        dnssec-lookaside auto;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

/* Forward zone, transferred from the AD DNS server (192.168.64.64) */
zone "centNS.bliss.lan" IN {
        type slave;
        file "/var/named/zones/centNS.bliss.lan";
        masters { 192.168.64.64; };
        notify yes;
};

/* Reverse zone for 192.168.64.0/24. The reverse tree is "in-addr.arpa"
   (a dot, not a hyphen); a zone named "64.168.192.in-addr-arpa" is not a
   reverse zone and will never match what the master serves. */
zone "64.168.192.in-addr.arpa" IN {
        type slave;
        file "/var/named/revZones/64.168.192.in-addr.arpa";
        masters { 192.168.64.64; };
        notify yes;
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";




I have tried:

* Disabling the firewall on both Windows and CentOS
* Setting a record in the AD DNS for my CentNS server
* Making sure that Windows has BIND enabled

Sorry if I am lacking information, just tell me and I'll provide some.

Any help would be appreciated.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Bind9 slave server keeps getting zone transfers refused by AD DNS

Post by TrevorH » 2018/08/14 11:39:48

Your wireshark clearly shows 192.168.64.64 sending a packet to 192.168.64.128 on port 53 and getting an icmp "Host Administratively Prohibited" back. That's a firewall rejecting the packet.

What is the output from the iptables-save command when run as root on 192.168.64.128?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

DamnPeggy
Posts: 3
Joined: 2018/08/14 10:16:30

Re: Bind9 slave server keeps getting zone transfers refused by AD DNS

Post by DamnPeggy » 2018/08/14 11:57:22

TrevorH wrote (2018/08/14 11:39:48):
Your wireshark clearly shows 192.168.64.64 sending a packet to 192.168.64.128 on port 53 and getting an icmp "Host Administratively Prohibited" back. That's a firewall rejecting the packet.

What is the output from the iptables-save command when run as root on 192.168.64.128?
This is the output from iptables-save.

# Generated by iptables-save v1.4.21 on Mon Aug 13 21:25:10 2018
*nat
:PREROUTING ACCEPT [1543:111066]
:INPUT ACCEPT [4:216]
:OUTPUT ACCEPT [208551:9226673]
:POSTROUTING ACCEPT [208551:9226673]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_firewall - [0:0]
:POST_firewall_allow - [0:0]
:POST_firewall_deny - [0:0]
:POST_firewall_log - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_firewall - [0:0]
:PRE_firewall_allow - [0:0]
:PRE_firewall_deny - [0:0]
:PRE_firewall_log - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o ens33 -g POST_firewall
-A POSTROUTING_ZONES -g POST_public
-A POST_firewall -j POST_firewall_log
-A POST_firewall -j POST_firewall_deny
-A POST_firewall -j POST_firewall_allow
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
-A PREROUTING_ZONES -i ens33 -g PRE_firewall
-A PREROUTING_ZONES -g PRE_public
-A PRE_firewall -j PRE_firewall_log
-A PRE_firewall -j PRE_firewall_deny
-A PRE_firewall -j PRE_firewall_allow
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Mon Aug 13 21:25:10 2018
# Generated by iptables-save v1.4.21 on Mon Aug 13 21:25:10 2018
*mangle
:PREROUTING ACCEPT [159835:13133045]
:INPUT ACCEPT [159835:13133045]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [289961:13584615]
:POSTROUTING ACCEPT [289961:13584615]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_firewall - [0:0]
:PRE_firewall_allow - [0:0]
:PRE_firewall_deny - [0:0]
:PRE_firewall_log - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i ens33 -g PRE_firewall
-A PREROUTING_ZONES -g PRE_public
-A PRE_firewall -j PRE_firewall_log
-A PRE_firewall -j PRE_firewall_deny
-A PRE_firewall -j PRE_firewall_allow
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Mon Aug 13 21:25:10 2018
# Generated by iptables-save v1.4.21 on Mon Aug 13 21:25:10 2018
*security
:INPUT ACCEPT [158296:13022195]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [289961:13584615]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Mon Aug 13 21:25:10 2018
# Generated by iptables-save v1.4.21 on Mon Aug 13 21:25:10 2018
*raw
:PREROUTING ACCEPT [159835:13133045]
:OUTPUT ACCEPT [289961:13584615]
:OUTPUT_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_firewall - [0:0]
:PRE_firewall_allow - [0:0]
:PRE_firewall_deny - [0:0]
:PRE_firewall_log - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A PREROUTING_ZONES -i ens33 -g PRE_firewall
-A PREROUTING_ZONES -g PRE_public
-A PRE_firewall -j PRE_firewall_log
-A PRE_firewall -j PRE_firewall_deny
-A PRE_firewall -j PRE_firewall_allow
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Mon Aug 13 21:25:10 2018
# Generated by iptables-save v1.4.21 on Mon Aug 13 21:25:10 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [289961:13584615]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_firewall - [0:0]
:FWDI_firewall_allow - [0:0]
:FWDI_firewall_deny - [0:0]
:FWDI_firewall_log - [0:0]
:FWDI_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FWDI_public_log - [0:0]
:FWDO_firewall - [0:0]
:FWDO_firewall_allow - [0:0]
:FWDO_firewall_deny - [0:0]
:FWDO_firewall_log - [0:0]
:FWDO_public - [0:0]
:FWDO_public_allow - [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_firewall - [0:0]
:IN_firewall_allow - [0:0]
:IN_firewall_deny - [0:0]
:IN_firewall_log - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i ens33 -g FWDI_firewall
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o ens33 -g FWDO_firewall
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_firewall -j FWDI_firewall_log
-A FWDI_firewall -j FWDI_firewall_deny
-A FWDI_firewall -j FWDI_firewall_allow
-A FWDI_firewall -p icmp -j ACCEPT
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -p icmp -j ACCEPT
-A FWDO_firewall -j FWDO_firewall_log
-A FWDO_firewall -j FWDO_firewall_deny
-A FWDO_firewall -j FWDO_firewall_allow
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A INPUT_ZONES -i ens33 -g IN_firewall
-A INPUT_ZONES -g IN_public
-A IN_firewall -j IN_firewall_log
-A IN_firewall -j IN_firewall_deny
-A IN_firewall -j IN_firewall_allow
-A IN_firewall -p icmp -j ACCEPT
-A IN_firewall_allow -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A IN_firewall_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Mon Aug 13 21:25:10 2018
I am using firewalld, where I added ports 53 and 22 to get accepted. That may be just for an inbound connection though.

I have tried with firewalld stopped and also with Windows firewall stopped. Though since I know that firewalld is built upon iptables, it might be the problem?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Bind9 slave server keeps getting zone transfers refused by AD DNS

Post by TrevorH » 2018/08/14 12:55:16

You've only allowed tcp port 53 via firewalld. Presumably you ran firewall-cmd --add-port=53/tcp where you should have run firewall-cmd --add-service=dns.
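The point TrevorH makes is that a zone transfer needs port 53 on both transports: the secondary's SOA refresh query and the primary's NOTIFY travel over UDP/53, while the AXFR/IXFR itself runs over TCP/53, so a tcp-only rule still leaves the transfer broken. The script below is an added example, not code from this thread or from firewalld; it reads iptables-save output, reports which transports reach port 53 through a firewalld IN_<zone>_allow chain, and derives the zone bound to the interface from the INPUT_ZONES rule. The sample rules are constructed from the filter table posted above; the function names (dns_allowed, iface_zone, check_dns_rules) are this example's own.

```shell
#!/bin/sh
# Added example, not code from this thread: read iptables-save output on
# stdin and report which transports reach port 53 through a firewalld
# IN_<zone>_allow chain. A zone transfer needs both: the secondary's SOA
# refresh query and the primary's NOTIFY use UDP/53, the AXFR/IXFR itself
# uses TCP/53. A tcp-only rule therefore still breaks the transfer.

# Constructed sample: the relevant lines of the filter table posted above.
SAMPLE_RULES='-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j INPUT_ZONES
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT_ZONES -i ens33 -g IN_firewall
-A IN_firewall_allow -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A IN_firewall_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT'

# dns_allowed PROTO: rules on stdin; prints "yes" if an ACCEPT rule for
# PROTO dport 53 exists in any IN_<zone>_allow chain, otherwise "no".
dns_allowed() {
    if grep -E -q -- "^-A IN_[A-Za-z0-9_]+_allow -p $1 -m $1 --dport 53 .*-j ACCEPT"; then
        echo yes
    else
        echo no
    fi
}

# iface_zone: rules on stdin; prints the firewalld zone that INPUT_ZONES
# binds to the first interface (the IN_<zone> target), "public" if none.
iface_zone() {
    z=$(sed -n 's/^-A INPUT_ZONES -i [^ ]* -g IN_\(.*\)$/\1/p' | head -n 1)
    echo "${z:-public}"
}

# check_dns_rules: rules on stdin; exit 0 only when tcp and udp are both open,
# otherwise print the firewalld fix for the zone in use and exit 1.
check_dns_rules() {
    rules=$(cat)
    tcp=$(printf '%s\n' "$rules" | dns_allowed tcp)
    udp=$(printf '%s\n' "$rules" | dns_allowed udp)
    zone=$(printf '%s\n' "$rules" | iface_zone)
    echo "zone $zone: tcp/53=$tcp udp/53=$udp"
    if [ "$tcp" = yes ] && [ "$udp" = yes ]; then
        echo "port 53 open for both transports"
        return 0
    fi
    # The firewalld "dns" service covers 53/tcp and 53/udp in one step.
    echo "incomplete: add the dns service to zone $zone, e.g."
    echo "  firewall-cmd --permanent --zone=$zone --add-service=dns && firewall-cmd --reload"
    return 1
}

# Demo run on the sample; it deliberately fails (exit 1) because udp/53 is missing.
printf '%s\n' "$SAMPLE_RULES" | check_dns_rules || :
```

On a live host the same check is `iptables-save | check_dns_rules`; the ICMP "host administratively prohibited" seen in the capture is exactly the final `-A INPUT -j REJECT --reject-with icmp-host-prohibited` rule answering a UDP/53 packet that no allow chain accepted.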

DamnPeggy
Posts: 3
Joined: 2018/08/14 10:16:30

Re: Bind9 slave server keeps getting zone transfers refused by AD DNS

Post by DamnPeggy » 2018/08/14 17:01:24

I did not do --add-service=dns, no. I tried running it, but it still gets blocked.

Could this perhaps have something to do with NTP? Since I can see that my date is way out of sync with the Windows server.
