February 18th, 2007

Zone transfer issue with BIND 9.3.3

Some days ago I had to set up a public DNS server (on FreeBSD) to act as primary name server for a couple of domains and (since I was there) to maintain slave zones for all my public domains.

I’m not exactly what you’d call a “Unix system administrator”, but I have some experience configuring BIND since the 8.x family, so I was a bit disappointed when, after spending some time carefully writing the named.conf, I found a “connection reset” error in the log file.

At first, the problem seemed to be something I could fix by inserting the right statements in the config, because I noticed the following alert from the Cisco IOS firewall IDS module at the site of the primary name server:
“%IDS-4-DNS_ZONE_XFER_REQUEST_HIGH: Sig:6052:DNS High Zone Transfer Request”.

Thus I combined all these statements:
[ query-source [ address ( ip_addr | * ) ] [ port ( ip_port | * ) ]; ]
[ transfer-source (ip4_addr | *) [port ip_port] ; ]
[ alt-transfer-source (ip4_addr | *) [port ip_port] ; ]

Nothing changed. So I tried to transfer the same zone using a different name server on the same network as my FreeBSD machine: a Windows Server 2003 host. Using the Microsoft DNS service (without changing anything at the network layer) everything worked fine at the first shot!

Looking for someone who had run into the same problem, I found a post in a bug tracker list. It explained that there is no way (nor will there ever be) to have BIND send zone transfer requests to other name servers from TCP port 53. All the statements I had tried apply only to UDP traffic, since TCP requests are always sent from a random high port.

Thus, the only applicable solution turned out to be changing the Cisco IOS firewall behaviour so that it does not react when a request originating from known external DNS servers matches any ip audit signature… 100 points to subtract from my personal BIND scorecard! 🙁
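To make the two points above concrete (BIND's AXFR over TCP leaves from an ephemeral high port, and the workaround is to exempt known external secondaries from the alert), here is a small added example that is not part of the original post and has nothing to do with the IDS vendor's own code. It builds a minimal DNS query in wire format, parses the question section, and classifies TCP zone-transfer requests the way a port-sensitive rule like the one that fired here would: an AXFR from source port 53 versus one from a high port, with requests from an allowlist of trusted secondaries suppressed. The assumption that the "high zone transfer" alert keys on a source port other than 53 is mine, inferred from the signature name; the IP addresses, the allowlist and the sample flows are constructed.

```python
import struct

# RFC 1035 constants
QTYPE_A = 1
QTYPE_AXFR = 252
QCLASS_IN = 1
DNS_PORT = 53

# Constructed allowlist (hypothetical addresses): the known external name
# servers that are legitimately allowed to pull our zones.
TRUSTED_SECONDARIES = {"192.0.2.10", "192.0.2.11"}


def build_query(zone: str, qtype: int = QTYPE_AXFR, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (header + one question) in wire format.

    This is the payload that follows the 2-byte length prefix on a TCP
    DNS connection; used here only to construct sample traffic.
    """
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # QR=0, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in zone.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def parse_question(msg: bytes):
    """Return (qname, qtype, qclass) for the first question of a DNS query,
    or None if the message is a response or is malformed."""
    if len(msg) < 12:
        return None
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000 or qdcount == 0:  # QR bit set means this is a response
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            return None
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointer: not valid in a client's question name
            return None
        if pos + length > len(msg):
            return None
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(msg):
        return None
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels), qtype, qclass


def classify_transfer(src_ip: str, src_port: int, dst_port: int,
                      payload: bytes, trusted=TRUSTED_SECONDARIES):
    """Classify one TCP DNS request the way a port-sensitive IDS rule would.

    Returns None for anything that is not an AXFR request to port 53,
    'permitted' when the requester is a known secondary, 'zone-transfer'
    when the request came from source port 53, and 'zone-transfer-high-port'
    otherwise (the case BIND's ephemeral TCP source port produces).
    """
    if dst_port != DNS_PORT:
        return None
    question = parse_question(payload)
    if question is None or question[1] != QTYPE_AXFR:
        return None
    if src_ip in trusted:
        return "permitted"
    return "zone-transfer" if src_port == DNS_PORT else "zone-transfer-high-port"


# Constructed sample flows (src_ip, src_port, dst_port, payload); addresses are
# from documentation ranges, not real hosts.
SAMPLE_FLOWS = [
    ("198.51.100.7", 49152, 53, build_query("example.com")),    # BIND-style AXFR, unknown host
    ("192.0.2.10", 49152, 53, build_query("example.com")),      # same, but from a known secondary
    ("198.51.100.8", 53, 53, build_query("example.com")),       # AXFR from source port 53
    ("198.51.100.9", 49153, 53, build_query("www.example.com", QTYPE_A)),  # ordinary lookup
]


def triage(flows=SAMPLE_FLOWS, trusted=TRUSTED_SECONDARIES):
    """Return [(src_ip, verdict)] for the flows that are zone-transfer requests."""
    results = []
    for src_ip, src_port, dst_port, payload in flows:
        verdict = classify_transfer(src_ip, src_port, dst_port, payload, trusted)
        if verdict is not None:
            results.append((src_ip, verdict))
    return results


if __name__ == "__main__":
    for ip, verdict in triage():
        print(f"{ip:15} {verdict}")
```

The allowlist is the key design choice: the source port of a TCP zone transfer is not something the requesting BIND server can be configured to fix, so the sensible place to act is the alert logic, by recognising the addresses of the secondaries that are supposed to pull the zone rather than treating every high-port AXFR as hostile.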