Cisco Support Community

New Member

PIX 515 and DNS Zone Transfers

I have two DNS servers (win2k), one hosts primary zones (outside) and the other hosts secondary zones (dmz). I am unable to get them to transfer zones between the primary and secondary server. I get a "denied" error message in the event logs (NT) on the secondary server while trying to perform a transfer. I have port 53 (tcp/udp) defined on the PIX. Checking the logs on the local PIX, it looks like the high order ports are being used. Am I missing something?



Re: PIX 515 and DNS Zone Transfers

Check with Microsoft and see if you can lock down the zone transfer to the RFC1700-specified port 53. Otherwise you'll have to open >1024 to that outside host, which seems unreasonable.

New Member

Re: PIX 515 and DNS Zone Transfers

DNS transfers zones by a number of means:

- Slave 'pulls' zones after expire period, or on restart

- Master notifies slaves that changes have been made, by DNS notify messages.

If the slave pulls, it would be from port >1023 to TCP port 53 on the master; this is from higher security to lower. If the master notifies, it's from >1023 to TCP 53 I think; however, this is from low security to high and would require a static and conduit/ACLs.
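The two flows described in this reply, worked through as an added example that is not part of the thread: it models PIX security-level defaults (higher-to-lower initiated connections allowed, lower-to-higher needs a static plus conduit/ACL) and shows why an entry that pins port 53 at both ends never matches a transfer whose source port is ephemeral. Interface names, security levels and the ephemeral ports are assumptions.

```python
from dataclasses import dataclass

# Assumed PIX interface security levels (conventional: outside 0, dmz 50, inside 100).
SECURITY_LEVEL = {"outside": 0, "dmz": 50, "inside": 100}

@dataclass(frozen=True)
class Flow:
    name: str
    src_if: str
    src_port: int      # port the initiating host sends from (>1023 = ephemeral)
    dst_if: str
    dst_port: int
    proto: str

# The two flows the reply describes; the ephemeral source ports are constructed.
AXFR_PULL = Flow("secondary pulls zone (AXFR)", "dmz", 1124, "outside", 53, "tcp")
NOTIFY = Flow("primary sends NOTIFY", "outside", 2791, "dmz", 53, "tcp")

def needs_explicit_inbound_rule(flow: Flow) -> bool:
    """PIX default: a connection initiated from a higher security level toward a
    lower one is allowed and its return packets ride the connection entry.
    A connection initiated from lower to higher needs a static plus a conduit/ACL."""
    return SECURITY_LEVEL[flow.src_if] < SECURITY_LEVEL[flow.dst_if]

def acl_permits(acl: list, flow: Flow) -> bool:
    """Match the first packet of a flow against an ordered list of permit entries
    applied on its ingress interface. Entry keys: proto, src_port, dst_port;
    the string "any" is a wildcard."""
    for entry in acl:
        if entry["proto"] not in ("any", flow.proto):
            continue
        if entry["src_port"] not in ("any", flow.src_port):
            continue
        if entry["dst_port"] not in ("any", flow.dst_port):
            continue
        return True
    return False

# Common mistake: requiring port 53 at BOTH ends. The initiating host sends from
# an ephemeral port, so this entry never matches and the packet is denied.
NAIVE_ACL = [{"proto": "tcp", "src_port": 53, "dst_port": 53}]

# Correct shape: only the destination port is fixed; the source port is ephemeral.
CORRECT_ACL = [{"proto": "tcp", "src_port": "any", "dst_port": 53},
               {"proto": "udp", "src_port": "any", "dst_port": 53}]

def explain(flow: Flow, acl: list) -> dict:
    """Summarise what the firewall needs for this flow under the given ACL."""
    return {"flow": flow.name,
            "needs_explicit_inbound_rule": needs_explicit_inbound_rule(flow),
            "permitted_by_acl": acl_permits(acl, flow)}
```

Running `explain` on both flows with each ACL shows the pull is fine by default while the NOTIFY direction needs the explicit entry, and that only the source-port-agnostic ACL permits either one.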
