Zone Transfer with Secondary DNS error

Adrian McCray

For our domain, we are set up as the primary DNS server
and our ISP is set up as the secondary DNS server. Our
server is running Windows 2000 SP4 and is running DNS in
standard primary mode. When we write a change to the DNS
it is set up to automatically notify the secondary server
at the ISP. When the ISP connects for a zone transfer,
the log file shows that it was unsuccessful. The error is
below. It reports a bogus packet, and the connection is
refused. The secondary server is running BIND 8.2.2. Any
insight and help would be appreciated.

--------------------------------------------

The DNS server wrote version 2004093001 of zone
thespring.org to file thespring.org.dns.
Snd 207.22.166.2 0000 N [0024 A NOERROR] (9)my-domain(3)org(0)
UDP question info at 0047E41C
Socket = 380
Remote addr 207.22.166.2, port 53
Time Query=0, Queued=0, Expire=0
Buf length = 0x0200 (512)
Msg length = 0x005b (91)
Message:
XID 0x0000
Flags 0x2400
QR 0 (question)
OPCODE 4 (NOTIFY)
AA 1
TC 0
RD 0
RA 0
Z 0
RCODE 0 (NOERROR)
QCOUNT 0x1
ACOUNT 0x1
NSCOUNT 0x0
ARCOUNT 0x0
Offset = 0x000c, RR count = 0
Name "(9)my-domain(3)org(0)"
QTYPE SOA (6)
QCLASS 1
ANSWER SECTION:
Offset = 0x001f, RR count = 0
Name "[C00C](9)my-domain(3)org(0)"
TYPE SOA (6)
CLASS 1
TTL 38400
DLEN 48
DATA
PrimaryServer: (2)ns(9)my-domain(3)org(0)
Administrator: (7)it-dept[C02E](9)my-domain(3)org(0)
SerialNo = 2004093001
Refresh = 3600
Retry = 1800
Expire = 1296000
MinimumTTL = 38400
AUTHORITY SECTION:
ADDITIONAL SECTION:

Rcv 207.22.166.2 0000 R N [85a0 R REFUSED] (9)my-domain(3)org(0)
UDP response info at 0047D09C
Socket = 380
Remote addr 207.22.166.2, port 53
Time Query=86017, Queued=0, Expire=0
Buf length = 0x0200 (512)
Msg length = 0x001f (31)
Message:
XID 0x0000
Flags 0xa085
QR 1 (response)
OPCODE 4 (NOTIFY)
AA 0
TC 0
RD 0
RA 1
Z 0
RCODE 5 (REFUSED)
QCOUNT 0x1
ACOUNT 0x1
NSCOUNT 0x0
ARCOUNT 0x0
Offset = 0x000c, RR count = 0
Name "(9)my-domain(3)org(0)"
QTYPE SOA (6)
QCLASS 1
ANSWER SECTION:
ERROR: BOGUS PACKET:
Following RR (offset 31) past packet length (31).
pchRecord = 0047D427, pCurrent = 00000000, -4707367 bytes
 
Oliver Moazzezi

Hi,

Have you allowed your ISP's DNS server for zone transfers? Also, is your
primary DNS server behind a firewall? We had the same problem and it was the
firewall blocking ports.

/o
 
Adrian McCray

Yes, we do allow our ISP to perform Zone Transfers (as
specified on the Zone Transfers tab of the Zone). It is
behind a firewall; however, we do have a tunnel for ports
UDP 53 and TCP 53. I'm just curious why, in the error
portion, it says that it received a BOGUS PACKET.

Thanks for your response.
 
Roland Hall

in message
: Yes, we do allow our ISP to perform Zone Transfers (as
: specified on the Zone Transfers tab of the Zone). It is
: behind a firewall; however, we do have a tunnel for ports
: UDP 53 and TCP 53. I'm just curious why, in the error
: portion, it says that it received a BOGUS PACKET.
:
: Thanks for your response.
: >-----Original Message-----
: >Hi,
: >
: >Have you allowed your ISP's DNS server for zone transfers? Also, is your
: >primary DNS server behind a firewall? We had the same problem and it was the
: >firewall blocking ports.

According to this document:
http://homepages.tesco.net/~J.deBoynePollard/FGA/dns-shaped-firewall-holes.html

You need to open up 1024-65535 for DNS. It appears the response port will
be a high numbered random port.
Read this section: With Microsoft's DNS Server for Windows and ISC's BIND
versions 4, 8, and 9, you need to knock this shape of hole into your
firewall:

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Online Support for IT Professionals -
http://support.microsoft.com/servicedesks/technet/default.asp?fr=0&sd=tech
How-to: Windows 2000 DNS:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;308201
FAQ W2K/2K3 DNS:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;291382
 
Ace Fekay [MVP]

Roland Hall said:
According to this document:
http://homepages.tesco.net/~J.deBoynePollard/FGA/dns-shaped-firewall-holes.html

You need to open up 1024-65535 for DNS. It appears the response port
will be a high numbered random port.
Read this section: With Microsoft's DNS Server for Windows and ISC's
BIND versions 4, 8, and 9, you need to knock this shape of hole into
your firewall:


We're using Jonathan's terminology?
:)

btw- I agree with the upper UDP ports. That's pretty much the way Windows
works with these ephemeral ports.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 
Jonathan de Boyne Pollard

: According to this document:
: http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-shaped-firewall-holes.html
:
: You need to open up 1024-65535 for DNS. It appears the response port will be a high numbered random port. Read this section:
: With Microsoft's DNS Server for Windows and ISC's BIND versions 4, 8, and 9, you need to knock this shape of hole into your firewall:

: We're using Jonathan's terminology? :)

Not going by anything written above, you aren't. I make no claim to inventing the terms "document", "DNS", "firewall", "response port", and "high numbered". I don't even make a claim to the concept of knocking holes into walls to create thoroughfares for stuff. (-:
 
Jonathan de Boyne Pollard

: the connection is refused.

No it isn't. It is using UDP, and UDP is a connectionless protocol. There is no connection to be refused.

It is the transaction that is refused.

: When the ISP connects for a zone transfer, the log file shows that it was unsuccessful.

The log file that you posted shows no such thing. It actually shows a

: OPCODE 4 (NOTIFY)

request, not a "zone transfer" request, being sent to 207.22.166.2 which responds with

: RCODE 5 (REFUSED)

A silly buffer re-use programming error in whatever DNS server software is providing service on that IP address (It reports that it is ISC's BIND version 8.2.3-T6B. This version of ISC's BIND was not originally intended for production use, is known to have several serious security flaws, and certainly shouldn't be being used by a DNS hosting service such as Internet Junction. You might like to consider switching your DNS hosting services from Internet Junction to a company that uses better DNS server software.) has caused

: ERROR: BOGUS PACKET:
: Following RR (offset 31) past packet length (31).

the refusal response datagram to be ill-formed.
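An added illustration, not from anyone in the thread: a small Python check that decodes the header fields the Windows DNS debug log prints (XID, flags, opcode, rcode, section counts) and then walks the sections the header promises, reproducing the "Following RR (offset 31) past packet length (31)" complaint. The REFUSED datagram is reconstructed here from the printed fields (flags 0xa085, QCOUNT 1, ACOUNT 1, a 31-byte message), not captured traffic; a second copy with ACOUNT 0 shows what a well-formed refusal looks like.

```python
import struct

# Reconstructed from the fields printed in the log above (not captured bytes):
# a NOTIFY response with flags 0xa085 (QR=1, OPCODE=4, RA=1, RCODE=5 REFUSED)
# whose header claims ACOUNT 1, yet the 31-byte datagram ends after the question.
QUESTION = b"\x09my-domain\x03org\x00" + struct.pack("!HH", 6, 1)   # SOA, IN
BOGUS_REFUSED = struct.pack("!6H", 0x0000, 0xA085, 1, 1, 0, 0) + QUESTION
GOOD_REFUSED = struct.pack("!6H", 0x0000, 0xA085, 1, 0, 0, 0) + QUESTION  # ACOUNT 0

def parse_header(msg):
    """Decode the 12-byte header into the fields the Windows DNS debug log prints."""
    xid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"xid": xid, "flags": flags, "qr": flags >> 15 & 1,
            "opcode": flags >> 11 & 0xF, "aa": flags >> 10 & 1,
            "tc": flags >> 9 & 1, "rd": flags >> 8 & 1, "ra": flags >> 7 & 1,
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}

def skip_name(msg, off):
    """Return the offset just past a wire-format name (labels or a compression pointer)."""
    while off < len(msg):
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:            # 2-byte pointer such as [C00C] ends the name
            return off + 2
        off += 1 + length
    raise ValueError("Name runs past packet length (%d)." % len(msg))

def validate(msg):
    """Walk every section the header promises. Return None when the counts match
    the bytes, otherwise the same complaint the Windows log printed."""
    h = parse_header(msg)
    off = 12
    try:
        for _ in range(h["qdcount"]):
            off = skip_name(msg, off) + 4                      # QTYPE + QCLASS
        for _ in range(h["ancount"] + h["nscount"] + h["arcount"]):
            if off >= len(msg):
                return "Following RR (offset %d) past packet length (%d)." % (off, len(msg))
            off = skip_name(msg, off)
            rdlen, = struct.unpack("!H", msg[off + 8:off + 10])  # after TYPE, CLASS, TTL
            off += 10 + rdlen
    except (ValueError, struct.error) as exc:
        return str(exc)
    return None if off <= len(msg) else "RDATA runs past packet length (%d)." % len(msg)
```

`validate(BOGUS_REFUSED)` returns the log's complaint, while `validate(GOOD_REFUSED)` returns None; a resolver or secondary that does this bounds check before reading RRs rejects the datagram instead of reading past the buffer.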
 