Forum Discussion

LA_Medina_32319
Jun 08, 2018

DNS Zone Transfer Verification

Hi,

I've been searching around on how to verify/check if our zone transfer is working successfully or not, but I can't seem to find any article that shows just that. I only managed to find an article on how to configure DNS Express and zone transfers: https://devcentral.f5.com/articles/dns-express-and-zone-transfers.

We already have an existing configuration for zone transfer, but we recently encountered an issue with one of the zones that we recently added, where the other end is getting the errors "Zone Not Loaded by DNS Server" and "The zone transfer was not executed. Refused".

Below are parts of the named configuration in F5. Transfer is already allowed.

options {
    listen-on port 53 {
        127.0.0.1;
        "zrd-acl-000-000";
        "zrd-acl-000-001";
        "zrd-acl-000-002";
        "zrd-acl-000-003";
        "zrd-acl-000-004";
        "zrd-acl-000-005";
        "zrd-acl-000-006";
    };
    listen-on-v6 port 53 {
        ::1;
    };
    recursion no;
    directory "/config/namedb";
    allow-transfer {
        localhost;
    };
    // remaining options not shown in the post
};

Below is the zone file for the zone in question.

zone "" {
    type master;
    file "db.external..";
    allow-update {
        localhost;
    };
};

From the DNS profile, the zone transfer is also enabled, as well as DNS Express, though I can't seem to find the exact DNS Express module/option. Our current version is 11.6.2 HF1.

I have tried to do dnsxdump, but based on the output there doesn't seem to be anything being transferred to DNS Express.

[admin@name:Active:In Sync] ~  dnsxdump
DNS-Express DB Dump

-= Arena Allocator =-


-= Region Stats =-
memory: 7 objects (7 small/0 large), 336 bytes allocated (5 wasted) in 1 chunks, 0 cleanups, 0 in recyclebin 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

-= DB Dump =-

-= DB Stats =-
RR Count: 0
Name Count: 0
RR Count by Type:

And the LTM/GTM logs don't show anything regarding DNS zone transfer. So I'm not sure what we have been missing.
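One concrete thing to check against the question above: BIND answers an AXFR with REFUSED when the requesting address is not covered by the zone's allow-transfer list (the zone's own list if present, otherwise the options-level one). The checker below is an added example, not F5 or ISC code and not from any post in this thread. It parses the subset of named.conf syntax shown in the question (acl, options, zone and allow-transfer blocks) and reports whether a transfer from a given address would be allowed. The config, zone names and addresses in it are constructed placeholders; it does not model DNS Express, only the BIND side of the listener.

```python
"""Would BIND refuse an AXFR from a given client?  (Added example.)

Parses the small subset of named.conf used in the question: acl, options,
zone and allow-transfer blocks.  Address match lists follow BIND's rule:
the first element that matches wins, and a leading '!' turns that match
into a deny.  The config, zone names and addresses below are constructed.
"""
import ipaddress
import re

# Constructed sample shaped like the poster's named.conf: example.test has
# no allow-transfer of its own, so it inherits the options-level list.
SAMPLE_CONF = """
acl "secondaries" { 203.0.113.0/24; 2001:db8::/32; };
options {
    listen-on port 53 { 127.0.0.1; "zrd-acl-000-000"; };
    recursion no;
    directory "/config/namedb";
    allow-transfer { localhost; };
};
zone "example.test" {
    type master;
    file "db.external.example.test";
    allow-update { localhost; };
};
zone "other.test" {
    type master;
    file "db.other.test";
    allow-transfer { !203.0.113.99; "secondaries"; 198.51.100.7; };
};
"""


def _body(text, open_idx):
    """Return the text between the brace at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in config")


def _blocks(text, keyword):
    """Yield (name, body) for every `keyword ["name"] { ... }` block."""
    pat = re.compile(r"\b" + re.escape(keyword) + r'(?:\s+"?([\w.-]+)"?)?\s*\{')
    for m in pat.finditer(text):
        yield m.group(1), _body(text, m.end() - 1)


def _entries(body):
    """Split an address-match-list body into its ';'-separated elements."""
    return [e.strip().strip('"') for e in body.split(";") if e.strip()]


def _allowed(entries, addr, acls):
    """First matching element wins. True = allow, False = deny, None = no match."""
    for entry in entries:
        negate = entry.startswith("!")
        name = entry.lstrip("!").strip().strip('"')
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name == "localhost":
            hit = addr.is_loopback
        elif name in acls:
            # A nested list matches only if it positively allows the address.
            hit = _allowed(acls[name], addr, acls) is True
        else:
            try:
                hit = addr in ipaddress.ip_network(name, strict=False)
            except ValueError:
                continue  # keys and other tokens outside this subset are ignored
        if hit:
            return not negate
    return None


def transfer_allowed(conf, zone, client_ip):
    """Return 'ALLOWED' or 'REFUSED' for an AXFR of `zone` from `client_ip`."""
    addr = ipaddress.ip_address(client_ip)
    acls = {name: _entries(body) for name, body in _blocks(conf, "acl")}
    global_list = zone_list = None
    for _, body in _blocks(conf, "options"):
        for _, at in _blocks(body, "allow-transfer"):
            global_list = _entries(at)
    for name, body in _blocks(conf, "zone"):
        if name == zone:
            for _, at in _blocks(body, "allow-transfer"):
                zone_list = _entries(at)
    entries = zone_list if zone_list is not None else global_list
    if entries is None:
        return "ALLOWED"  # BIND 9 default when nothing restricts transfers
    return "ALLOWED" if _allowed(entries, addr, acls) else "REFUSED"


if __name__ == "__main__":
    for zone, client in [("example.test", "203.0.113.15"), ("example.test", "127.0.0.1"),
                         ("other.test", "203.0.113.15"), ("other.test", "203.0.113.99")]:
        print(f"{zone:14} from {client:14} -> {transfer_allowed(SAMPLE_CONF, zone, client)}")
```

Against a list that only contains localhost, any remote requester comes back REFUSED, which is exactly the text the poster's far end reports; whether that list is intended (the local DNS Express pull) or is the problem is the thing to confirm next.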

  • JG

    Check /var/log/daemon.log.

    To force a zone transfer:

     rndc refresh name_of_zone

    or

     rndc retransfer name_of_zone

  • Hi @LA Medina - Does the below help?

    tmsh modify sys db log.zxfrd.level value "debug"
    tail -f /var/log/ltm
    tmsh show ltm dns zone | more
    

    The default refresh interval for a zone is 10800 seconds (3 hours).

    You can lower that to accommodate the scale for your environment. Below in the log output, you can see it is set to 60s for lab purposes. This interval is used to proactively check the master nameserver for zone updates.

    Jun 22 14:49:38 gtm1 debug zxfrd[4251]: 01531023:7: Scheduling zone transfer in 60s for dnsx.com from 203.0.113.15.
    Jun 22 14:49:38 gtm1 debug zxfrd[4251]: 01531106:7: Availability status of dnsx.com changed from YELLOW to GREEN.
    Jun 22 14:50:38 gtm1 debug zxfrd[4251]: 01531025:7: Serials equal (2017062201); transfer for zone dnsx.com complete.
    Jun 22 14:50:38 gtm1 debug zxfrd[4251]: 01531008:7: Resetting transfer state for zone dnsx.com.
    Jun 22 14:50:38 gtm1 debug zxfrd[4251]: 01531023:7: Scheduling zone transfer in 60s for dnsx.com from 203.0.113.15
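With zxfrd logging at debug as in the reply above, the log lines themselves are the verification the question asks for. The script below is an added example (mine, not F5's and not from any post here) that folds such lines into one record per zone and flags zones that keep getting scheduled but never report a completed transfer, which is the state the question describes. The sample lines are constructed from the message formats shown above: stale.test is a placeholder zone, and the message IDs are reused from the posted output, not taken from F5 documentation.

```python
"""Summarize zxfrd debug lines per zone.  (Added example.)

Parses the four message shapes visible in the reply above (scheduling,
availability change, serials-equal/complete, reset) and reports, per
zone, the latest availability colour, serial, master and schedule
interval, plus zones that are scheduled but never complete.
"""
import re
from collections import defaultdict

# Constructed sample: dnsx.com lines follow the posted output; stale.test
# is a placeholder zone that is scheduled twice but never completes.
SAMPLE_LOG = """\
Jun 22 14:49:38 gtm1 debug zxfrd[4251]: 01531023:7: Scheduling zone transfer in 60s for dnsx.com from 203.0.113.15.
Jun 22 14:49:38 gtm1 debug zxfrd[4251]: 01531106:7: Availability status of dnsx.com changed from YELLOW to GREEN.
Jun 22 14:49:40 gtm1 debug zxfrd[4251]: 01531023:7: Scheduling zone transfer in 60s for stale.test from 127.0.0.1.
Jun 22 14:50:38 gtm1 debug zxfrd[4251]: 01531025:7: Serials equal (2017062201); transfer for zone dnsx.com complete.
Jun 22 14:50:38 gtm1 debug zxfrd[4251]: 01531008:7: Resetting transfer state for zone dnsx.com.
Jun 22 14:50:38 gtm1 debug zxfrd[4251]: 01531023:7: Scheduling zone transfer in 60s for dnsx.com from 203.0.113.15
Jun 22 14:50:40 gtm1 debug zxfrd[4251]: 01531023:7: Scheduling zone transfer in 60s for stale.test from 127.0.0.1.
"""

# syslog prefix: timestamp, host, level, zxfrd[pid]: msgid:sev: message
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<level>\w+) "
    r"zxfrd\[\d+\]: (?P<msgid>[0-9a-f]+:\d+): (?P<msg>.*)$"
)

# Message shapes taken from the posted lines; a trailing '.' is optional
# because the last posted line lacks one.
EVENTS = [
    ("scheduled", re.compile(
        r"Scheduling zone transfer in (?P<secs>\d+)s for (?P<zone>\S+?) from (?P<master>\S+?)\.?$")),
    ("status", re.compile(
        r"Availability status of (?P<zone>\S+) changed from (?P<old>\w+) to (?P<new>\w+)\.?$")),
    ("complete", re.compile(
        r"Serials equal \((?P<serial>\d+)\); transfer for zone (?P<zone>\S+?) complete\.?$")),
    ("reset", re.compile(r"Resetting transfer state for zone (?P<zone>\S+?)\.?$")),
]


def _new_record():
    return {"status": None, "serial": None, "master": None, "interval": None,
            "scheduled": 0, "completed": 0, "last_complete": None}


def summarize(log_text):
    """Fold zxfrd lines into one dict per zone; unknown lines are skipped."""
    zones = defaultdict(_new_record)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        for kind, pat in EVENTS:
            e = pat.match(m.group("msg"))
            if not e:
                continue
            z = zones[e.group("zone")]
            if kind == "scheduled":
                z["scheduled"] += 1
                z["interval"] = int(e.group("secs"))
                z["master"] = e.group("master")
            elif kind == "status":
                z["status"] = e.group("new")
            elif kind == "complete":
                z["completed"] += 1
                z["serial"] = int(e.group("serial"))
                z["last_complete"] = m.group("ts")
            break
    return dict(zones)


def never_completed(summary):
    """Zones zxfrd keeps scheduling without ever reporting a completed transfer."""
    return sorted(z for z, r in summary.items() if r["scheduled"] and not r["completed"])


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for zone, rec in sorted(s.items()):
        print(zone, rec)
    print("never completed:", never_completed(s))
```

Feed it `tail /var/log/ltm` output after raising log.zxfrd.level; a zone that appears only in "never completed" with no serial is the one to look at, and the master address in its record tells you which side is being asked for the transfer.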