Zone Transfers (domain-tcp)

[CDoyle]

Friends,

We created a rule that permits a specific secondary DNS server on the Internet to perform Zone Transfers (domain-tcp) from a Primary DNS server that's protected by our Gateway. The rule was being ignored. We had to enable: Policy > Global Properties > "Accept Domain Name over TCP (Zone Transfers)" or order to pass the traffic. This is not our preferred method. Can this not be accomplished via the rule base ?

Regards,

Craig.

[BarryStiefel]

Quote:

Originally Posted by CDoyle

Friends,

We created a rule that permits specific a secondary DNS server on the Internet to perform Zone Transfers (domain-tcp) from a Primary DNS server that's protected by our Gateway. The rule was being ignored. We had to enable: Policy > Global Properties > "Accept Domain Name over TCP (Zone Transfers)" or order to pass the traffic. This is not our preferred method. Can this not be accomplished via the rule base ?

Regards,

Craig.

Is it possible the zone transfer connection is going in the opposite direction than you're expecting (from primary to secondary, or from secondary to primary)?

What shows up in the log?

[CDoyle]

I'm confident the traffic was using the correct src & dst, because when I enabled TCP Zone Transfers in the Global Policy and had Log Implied Rules set to On, I would then see log entries that matched my expectations for src & dst. The session was initiated from the outside.

Before enabling TCP Zone Transfers in the Global Policy, there were no log entries generated when transfer attempts were made, even through the Clean-up rule was set to Log. It was as though the Gateway was doing a silent drop.

Strange ?

Thanks,
Craig.

[BarryStiefel]

Quote:

Originally Posted by CDoyle

I'm confident the traffic was using the correct src & dst, because when I enabled TCP Zone Transfers in the Global Policy and had Log Implied Rules set to On, I would then see log entries that matched my expectations for src & dst. The session was initiated from the outside.

Before enabling TCP Zone Transfers in the Global Policy, there were no log entries generated when transfer attempts were made, even through the Clean-up rule was set to Log. It was as though the Gateway was doing a silent drop.

Strange ?

Thanks,
Craig.

If you enable the implied rule that allows these connections, go look at exactly what that implied rule says; maybe there's something unexpected there?

Also, have a look at SmartDefense and see if something might be getting blocked or inspected there.

[CDoyle]

Thanks Barry, will do!Craig.