FastEddie
Platform: Windows 2003 R2 DNS
Network: two DMZs with Cisco PIX and Cisco ASA firewalls
Ports open: 53 UDP/TCP both ways
Problem: zone transfers do not work all the time
Configuration:
We have 3 DNS servers. Two are on one subnet in the same DMZ. The third is
in a DMZ on the other side of the world. The DNS servers are available for
name requests on the internet (tested). It is set up as Primary, Secondary,
Secondary. The servers do the zone transfers across our private network (on
the zone transfers tab, the selected button is "Only to the following
servers") to IP addresses. The button "Notify..." states to automatically
notify the following servers and the same private IP addresses are listed.
When we change a zone (add an A record of www with an IP address) the
servers that are on the same subnet without a firewall involved are in sync
(zones get updated immediately) but the third server does not get updated
most of the time. We did some traces and here are the results.
Packet 1: 10.40.255.15 (local port 4702) to 10.80.10.30 (remote port 53)
Packet 2: 10.80.10.30 (local port 4884) to 10.40.255.15 (remote port 53)
Packet 3: 10.80.10.30 (local port 53) to 10.40.255.15 (remote port 4702)
Packet 4: 10.80.10.30 (local port 4884) to 10.40.255.15 (remote port 53)
Packet 5: 10.40.255.15 (local port 53) to 10.80.10.30 (remote port 4884)
Packets 1, 2, and 4 would go through without a problem but packets 2 and 5
would be blocked. To me it looked like both machines would try to respond
to each other's local port directly.
Any idea what we need to change to make this work correctly?
thanks,
FastEddie
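As an added example (not part of the original post), a small Python model that parses the five trace lines quoted above and runs them through two firewall policies: a stateless rule that only matches packets whose destination port is 53, and a connection-tracking rule that also admits the reply to a request it has already seen. The stateless model admits exactly packets 1, 2 and 4; the two replies from port 53 back to the ephemeral source ports (packets 3 and 5) are what it drops, while the stateful model admits all five.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

# Constructed copy of the five trace lines reported in the post.
TRACE = """\
Packet 1: 10.40.255.15 (local port 4702) to 10.80.10.30 (remote port 53)
Packet 2: 10.80.10.30 (local port 4884) to 10.40.255.15 (remote port 53)
Packet 3: 10.80.10.30 (local port 53) to 10.40.255.15 (remote port 4702)
Packet 4: 10.80.10.30 (local port 4884) to 10.40.255.15 (remote port 53)
Packet 5: 10.40.255.15 (local port 53) to 10.80.10.30 (remote port 4884)
"""

LINE_RE = re.compile(
    r"Packet (\d+): (\S+) \(local port (\d+)\) to (\S+) \(remote port (\d+)\)")


@dataclass(frozen=True)
class Packet:
    num: int
    src: str
    sport: int
    dst: str
    dport: int


def parse_trace(text: str) -> List[Packet]:
    """Turn the trace lines into Packet records (lines that do not match are skipped)."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            n, src, sp, dst, dp = m.groups()
            pkts.append(Packet(int(n), src, int(sp), dst, int(dp)))
    return pkts


def stateless_dst53(pkts: List[Packet]) -> List[int]:
    """ACL that permits only packets addressed to port 53; it never tracks return traffic."""
    return [p.num for p in pkts if p.dport == 53]


def stateful_dns(pkts: List[Packet]) -> List[int]:
    """Connection tracking: a request to port 53 opens a flow, and a packet that
    matches an open flow in the reverse direction (the reply from port 53 back to
    the ephemeral source port) is admitted as well."""
    flows: Set[Tuple[str, int, str, int]] = set()
    passed = []
    for p in pkts:
        if p.dport == 53:
            flows.add((p.src, p.sport, p.dst, p.dport))
            passed.append(p.num)
        elif (p.dst, p.dport, p.src, p.sport) in flows:
            passed.append(p.num)
    return passed


def blocked_by(policy: Callable[[List[Packet]], List[int]], pkts: List[Packet]) -> List[int]:
    """Packet numbers the given policy would drop."""
    allowed = set(policy(pkts))
    return [p.num for p in pkts if p.num not in allowed]
```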