DNS Zone transfers not occuring

Platform: Windows 2003 R2 DNS
Network: two DMZ's with Cisco PIX and Cisco ASA firewalls
Ports open: 53 UDP/TCP both ways
Problem: zone transfers do not work all the time

Configuration:
We have 3 DNS servers. Two are on one subnet in the same DMZ. The third is
in a DMZ on the other side of the world. The DNS servers are available for
name requests on the internet (tested). It is setup as Primary, Secondary,
Secondary. The servers do the zone transfers across our private network (on
the zone transfers tab, the button is selected "Only to the following
servers") to IP addresses. The button "Notify..." states to automatically
notify the following servers and the same private IP addresses are listed.

When we change a zone (add an A record of www with an IP address) the
servers that are on the same subnet without a firewall involved are in sync
(zones get updated immediately) but the third server does not get updated
most of the time. We did some traces and here are the results.

Packet 1: 10.40.255.15 (local port 4702) to 10.80.10.30 (remote port 53)
Packet 2: 10.80.10.30 (local port 4884) to 10.40.255.15 (remote port 53)
Packet 3: 10.80.10.30 (local port 53) to 10.40.255.15 (remote port 4702)
Packet 4: 10.80.10.30 (local port 4884) to 10.40.255.15 (remote port 53)
Packet 5: 10.40.255.15 (local port 53) to 10.80.10.30 (remote port 4884)

Packets 1, 2, and 4 would go through without a problem but packets 2 and 5
would be blocked. To me it looked like both machines would try to respond
to each other's local port directly.

Any idea what we need to change to make this work correctly?

thanks,

FastEddie

The DNS server that isn't updated corretly is behind a firewall? Are you sure
the access rules on the firewall are correctly configured? One rule for the
outgoing dns traffic and on for the incoming dns traffic?

I think these rules are missing:
source ip:10.80.10.30 sourceport:53 dest ip:10.40.255.15 dest port: any
source ip:10.40.255.15 sourceport:53 dest ip:10.80.10.30 dest port: any

--
Regards,

Erik
MCSE 2000/2003


"FastEddie" wrote:

> Platform: Windows 2003 R2 DNS
> Network: two DMZ's with Cisco PIX and Cisco ASA firewalls
> Ports open: 53 UDP/TCP both ways
> Problem: zone transfers do not work all the time
>
> Configuration:
> We have 3 DNS servers. Two are on one subnet in the same DMZ. The third is
> in a DMZ on the other side of the world. The DNS servers are available for
> name requests on the internet (tested). It is setup as Primary, Secondary,
> Secondary. The servers do the zone transfers across our private network (on
> the zone transfers tab, the button is selected "Only to the following
> servers") to IP addresses. The button "Notify..." states to automatically
> notify the following servers and the same private IP addresses are listed.
>
> When we change a zone (add an A record of www with an IP address) the
> servers that are on the same subnet without a firewall involved are in sync
> (zones get updated immediately) but the third server does not get updated
> most of the time. We did some traces and here are the results.
>
> Packet 1: 10.40.255.15 (local port 4702) to 10.80.10.30 (remote port 53)
> Packet 2: 10.80.10.30 (local port 4884) to 10.40.255.15 (remote port 53)
> Packet 3: 10.80.10.30 (local port 53) to 10.40.255.15 (remote port 4702)
> Packet 4: 10.80.10.30 (local port 4884) to 10.40.255.15 (remote port 53)
> Packet 5: 10.40.255.15 (local port 53) to 10.80.10.30 (remote port 4884)
>
> Packets 1, 2, and 4 would go through without a problem but packets 2 and 5
> would be blocked. To me it looked like both machines would try to respond
> to each other's local port directly.
>
> Any idea what we need to change to make this work correctly?
>
> thanks,
>
> FastEddie
>
>
>