DNS - Query Refused


Wallace, David K.

Whenever I try to do an "ls" within nslookup, I get this error:

Can't list domain "xyz": Query refused.

Is this some security setting that can be changed? I need the admins to be
able to query the DNS servers, but not regular users.

Help?


Thanks

David

Kevin D. Goodknecht [MVP]

Wallace said:
> Whenever I try to do an "ls" within nslookup, I get this error:
>
> Can't list domain "xyz": Query refused.
>
> Is this some security setting that can be changed? I need the admins to be
> able to query the DNS servers, but not regular users.
>
> Help?
>
> Thanks
>
> David

The ls or "List files" command requires a zone transfer to the IP of the
machine you are running the command on.

Kevin D. Goodknecht [MVP]

Wallace said:
> Can you grant access to a network LAN, such as 192.168.1.0 ?
>
> Thanks
Not sure what you mean, but on the DNS zone properties you need to allow
zone transfers to the IP from the DNS servers view.
If the DNS server is behind the same NAT device as the machines you are
making the transfer to, allow zone transfers to the private address. If the
DNS server is external and would see the client at a public address then you
allow zone transfers to the public address the DNS server "sees" the client
on.

Wallace, David K.

Example:
DNS Server: 192.168.1.10
All other servers: 192.168.1.10 - 20
Admin clients: 192.168.2.21 - 30
Regular clients: 192.168.2.30 - 80


I want to allow the entire 192.168.1.x network to have access to do "ls",
or zone transfers.

Do I have to put in each IP address, or can I put in a network range?

Thanks

Kevin D. Goodknecht [MVP]

Wallace said:
> Example:
> DNS Server: 192.168.1.10
> All other servers: 192.168.1.10 - 20
> Admin clients: 192.168.2.21 - 30
> Regular clients: 192.168.2.30 - 80
>
> I want to allow the entire 192.168.1.x network to have access to do
> "ls", or zone transfers.
>
> Do I have to put in each IP address, or can I put in a network range?
That is the only way you can do it; you cannot just put in a network range.
You can't do it in the registry either. Here is the paragraph that refers to
zone transfers from the link below.

The Microsoft DNS server allows specification of a secondary server list.
Note that it is a list of secondaries for this zone on this server. It need
not be a complete list of secondaries for the zone. Its purpose is to give
administrators a fine degree of control over the replication graph for a
zone.

This list has two functions:


a. Servers in this list are notified when a new version of the zone is
available.
b. If the SecureSecondaries registry key (see below) is used, zone
transfers are refused to servers not in this list.

The SecondaryServers key is not a list of dotted IP strings, but a counted
array of raw IP addresses in net byte order. It should be configured through
the Zone Properties, Notify dialog box in the administrator tool. Editing
the registry key is discouraged. Especially, do NOT delete this registry key
to attempt to create an empty secondary list.
198408 Microsoft DNS Server Registry Parameters, Part 1 of 3
http://support.microsoft.com/default.aspx?scid=kb;EN-US;198408

The only other option is to allow zone transfers to all IP addresses.
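Added example (not from the thread or the KB article): a decoder for the SecondaryServers value layout quoted above, the per-host expansion of a network that the "one IP at a time" answer implies, and the allow/refuse rule from the two SecureSecondaries modes. The count DWORD is assumed to be little-endian (x86 host order); the KB text only states that the addresses are in network byte order.

```python
import ipaddress
import struct


def decode_secondary_servers(blob: bytes) -> list[str]:
    """Decode a SecondaryServers REG_BINARY value into dotted IPv4 strings.

    Layout per the quoted KB text: a count followed by raw IPv4 addresses in
    network byte order.  Little-endian count is an assumption of this example.
    """
    if len(blob) < 4:
        raise ValueError("value too short to hold the count DWORD")
    (count,) = struct.unpack_from("<I", blob, 0)
    if len(blob) != 4 + 4 * count:
        # A corrupt count is exactly why hand-editing the key is discouraged.
        raise ValueError(f"count {count} does not match {len(blob) - 4} payload bytes")
    return [str(ipaddress.IPv4Address(blob[4 + 4 * i:8 + 4 * i])) for i in range(count)]


def encode_secondary_servers(addresses) -> bytes:
    """Inverse of decode_secondary_servers; used here to build constructed sample data."""
    addrs = [ipaddress.IPv4Address(a) for a in addresses]
    return struct.pack("<I", len(addrs)) + b"".join(a.packed for a in addrs)


def allowed_transfer_list(network: str) -> list[str]:
    """Expand a network into the individual host addresses the server needs.

    The zone transfer list holds single addresses only, so "192.168.1.x" has to
    be entered as every host in 192.168.1.0/24.
    """
    return [str(h) for h in ipaddress.IPv4Network(network).hosts()]


def axfr_decision(client_ip: str, secure_secondaries: bool, secondaries) -> str:
    """Apply the rule from the KB text to one transfer request.

    With SecureSecondaries off, any client may pull the zone; with it on, a client
    not in the list gets the "Query refused" that nslookup's ls reports.
    """
    if not secure_secondaries:
        return "allowed"
    return "allowed" if client_ip in set(secondaries) else "Query refused"


if __name__ == "__main__":
    # Constructed sample: the two servers from the thread's example ranges.
    sample = encode_secondary_servers(["192.168.1.10", "192.168.1.11"])
    print(decode_secondary_servers(sample))
    print(axfr_decision("192.168.2.50", True, allowed_transfer_list("192.168.1.0/24")))
```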

Michael Johnston [MSFT]

Enable zone transfers on this zone for the server you are running "LS" from.

Thank you,
Mike Johnston
Microsoft Network Support

--

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they originated.