Strange router/zone transfer problem



 
 
#1
January 6th 14, 09:21 PM, posted to uk.telecom.broadband
Bob Eager

I'd be grateful for any advice on this one....! A techy query...

I want to change the Zyxel P660R-D1 that I currently have, and have
obtained a Draytek Vigor 2860. After a bit of fiddling, it's all working
fine, EXCEPT...

I have secondary DNS service courtesy of Gradwell (I run the primaries).
Since the router went in, Gradwell are unable to do zone transfers from
my primary DNS. I went back to the Zyxel, and the zone transfers worked
on the next attempt (they try hourly). Went back to the Draytek and they
stopped (I've been updating zone serials to force some updates to make it
clear what's happening).

So, it seems unlikely to be a firewall problem. I have logging on the
firewall and on the DNS server:

- with the Zyxel in place, I can see a number of UDP exchanges as the
Gradwell machine gets the SOAs and checks whether a zone transfer is
necessary. In cases where it is, I see a TCP connection and the
transfer happens.
- with the Draytek in place, I see the UDP transfers OK. There is no sign
of any TCP connection, even on the firewall logs, and certainly not on
the primary DNS.

Things to note:
- this is ADSL (PPPoA)
- the firewall machine is a separate one, interposed between a /29 net
and the main /26 (public IPs). The router is obviously on the /29.
- no filtering or firewall is active either on the Zyxel or the Draytek.
- I can reliably get a zone transfer by installing the Zyxel, and stop it
by changing to the Draytek.
- the MTU on the firewall (both interfaces) was 1500, but I changed that
to 1492, to no effect.
- the MTU on the DNS server was also 1500, changed to 1492 in desperation!
- the MTU on the Draytek is 1492, but appears to be 1500 on the Zyxel.

Any ideas, please?





--
Use the BIG mirror service in the UK: http://www.mirrorservice.org
My posts (including this one) are my copyright and if @diy_forums on
Twitter wish to tweet them they can pay me £30 a post
*lightning surge protection* - a w_tom conductor
#2
January 6th 14, 09:27 PM, posted to uk.telecom.broadband
Richard Tobin

In article ,
Bob Eager wrote:

> - with the Draytek in place, I see the UDP transfers OK. There is no sign
> of any TCP connection, even on the firewall logs, and certainly not on
> the primary DNS.

Can you make a TCP connection in to the relevant port from some other
external machine?

-- Richard
#3
January 6th 14, 10:46 PM, posted to uk.telecom.broadband
The Natural Philosopher

On 06/01/14 21:21, Bob Eager wrote:
> I'd be grateful for any advice on this one....! A techy query...
>
> I want to change the Zyxel P660R-D1 that I currently have, and have
> obtained a Draytek Vigor 2860. After a bit of fiddling, it's all working
> fine, EXCEPT...
>
> I have secondary DNS service courtesy of Gradwell (I run the primaries).

You run this 'inside' your adsl connected network?

> Since the router went in, Gradwell are unable to do zone transfers from
> my primary DNS. I went back to the Zyxel, and the zone transfers worked
> on the next attempt (they try hourly). Went back to the Draytek and they
> stopped (I've been updating zone serials to force some updates to make it
> clear what's happening).
>
> So, it seems unlikely to be a firewall problem. I have logging on the
> firewall and on the DNS server:
>
> - with the Zyxel in place, I can see a number of UDP exchanges as the
> Gradwell machine gets the SOAs and checks whether a zone transfer is
> necessary. In cases where it is, I see a TCP connection and the
> transfer happens.
> - with the Draytek in place, I see the UDP transfers OK. There is no sign
> of any TCP connection, even on the firewall logs, and certainly not on
> the primary DNS.
>
> Things to note:
> - this is ADSL (PPPoA)
> - the firewall machine is a separate one, interposed between a /29 net
> and the main /26 (public IPs). The router is obviously on the /29.

This is not enough information. A diagram with machines and interface
addresses would be helpful.

Is the DNS server ACTUALLY on the public or private network?

IS NAT used to translate between them?

> - no filtering or firewall is active either on the Zyxel or the Draytek.

There may well be default lack of routing, or NAT translations going in.

snip irrelevant issues

> Any ideas, please?

try from a remote source telnetting to the TCP IP port corresponding to
the DNS server.

Check logs.

Remember that it's conventional to always pass DNS UDP traffic on a
'noddy' home router so that DNS actually works. However you may have a
default block on syn ip packets.

And if you are using NAT you will need to set up an explicit pass
through for anything behind the router that needs to accept a connection
NOT initiated from inside the network

NAT works by maintaining forwarding tables for connections coming from
inside the network: to set one up for the reverse direction needs an
explicit rule set up.

--
Ineptocracy

(in-ep-toc'-ra-cy) - a system of government where the least capable to
lead are elected by the least capable of producing, and where the
members of society least likely to sustain themselves or succeed, are
rewarded with goods and services paid for by the confiscated wealth of a
diminishing number of producers.

#4
January 6th 14, 11:22 PM, posted to uk.telecom.broadband
Bob Eager

On Mon, 06 Jan 2014 22:46:40 +0000, The Natural Philosopher wrote:

> On 06/01/14 21:21, Bob Eager wrote:
>> I'd be grateful for any advice on this one....! A techy query...
>>
>> I want to change the Zyxel P660R-D1 that I currently have, and have
>> obtained a Draytek Vigor 2860. After a bit of fiddling, it's all
>> working fine, EXCEPT...
>>
>> I have secondary DNS service courtesy of Gradwell (I run the
>> primaries).
>
> You run this 'inside' your adsl connected network?

Inside.

>> Since the router went in, Gradwell are unable to do zone transfers from
>> my primary DNS. I went back to the Zyxel, and the zone transfers worked
>> on the next attempt (they try hourly). Went back to the Draytek and
>> they stopped (I've been updating zone serials to force some updates to
>> make it clear what's happening).
>>
>> So, it seems unlikely to be a firewall problem. I have logging on the
>> firewall and on the DNS server:
>>
>> - with the Zyxel in place, I can see a number of UDP exchanges as the
>> Gradwell machine gets the SOAs and checks whether a zone transfer is
>> necessary. In cases where it is, I see a TCP connection and the
>> transfer happens.
>> - with the Draytek in place, I see the UDP transfers OK. There is no
>> sign of any TCP connection, even on the firewall logs, and certainly
>> not on the primary DNS.
>>
>> Things to note:
>> - this is ADSL (PPPoA)
>> - the firewall machine is a separate one, interposed between a /29 net
>> and the main /26 (public IPs). The router is obviously on the /29.
>
> This is not enough information. A diagram with machines and interface
> addresses would be helpful.
>
> Is the DNS server ACTUALLY on the public or private network?

On the inside network, with public IPs.

> IS NAT used to translate between them?

There is no NAT at all.

>> - no filtering or firewall is active either on the Zyxel or the
>> Draytek.
>
> There may well be default lack of routing, or NAT translations going in.

Bear in mind it all works fine on the old router.

> try from a remote source telnetting to the TCP IP port corresponding to
> the DNS server.

I can do a 'dig domain axfr' from a remote source and it works fine.

> Remember that it's conventional to always pass DNS UDP traffic on a
> 'noddy' home router so that DNS actually works. However you may have a
> default block on syn ip packets.

But then the dig wouldn't work.

> And if you are using NAT you will need to set up an explicit pass
> through for anything behind the router that needs to accept a connection
> NOT initiated from inside the network
>
> NAT works by maintaining forwarding tables for connections coming from
> inside the network: to set one up for the reverse direction needs an
> explicit rule set up.

There is no NAT at all.

#5
January 6th 14, 11:23 PM, posted to uk.telecom.broadband
Bob Eager

On Mon, 06 Jan 2014 21:27:59 +0000, Richard Tobin wrote:

> In article ,
> Bob Eager wrote:
>
>> - with the Draytek in place, I see the UDP transfers OK. There is no
>> sign of any TCP connection, even on the firewall logs, and certainly
>> not on the primary DNS.
>
> Can you make a TCP connection in to the relevant port from some other
> external machine?

Yes - I can do a 'dig domain axfr' and get a zone transfer.



#6
January 6th 14, 11:36 PM, posted to uk.telecom.broadband
The Natural Philosopher

On 06/01/14 23:22, Bob Eager wrote:
> On Mon, 06 Jan 2014 22:46:40 +0000, The Natural Philosopher wrote:
>
>> On 06/01/14 21:21, Bob Eager wrote:
>>> I'd be grateful for any advice on this one....! A techy query...
>>>
>>> I want to change the Zyxel P660R-D1 that I currently have, and have
>>> obtained a Draytek Vigor 2860. After a bit of fiddling, it's all
>>> working fine, EXCEPT...
>>>
>>> I have secondary DNS service courtesy of Gradwell (I run the
>>> primaries).
>>
>> You run this 'inside' your adsl connected network?
>
> Inside.
>
>>> Since the router went in, Gradwell are unable to do zone transfers from
>>> my primary DNS. I went back to the Zyxel, and the zone transfers worked
>>> on the next attempt (they try hourly). Went back to the Draytek and
>>> they stopped (I've been updating zone serials to force some updates to
>>> make it clear what's happening).
>>>
>>> So, it seems unlikely to be a firewall problem. I have logging on the
>>> firewall and on the DNS server:
>>>
>>> - with the Zyxel in place, I can see a number of UDP exchanges as the
>>> Gradwell machine gets the SOAs and checks whether a zone transfer is
>>> necessary. In cases where it is, I see a TCP connection and the
>>> transfer happens.
>>> - with the Draytek in place, I see the UDP transfers OK. There is no
>>> sign of any TCP connection, even on the firewall logs, and certainly
>>> not on the primary DNS.
>>>
>>> Things to note:
>>> - this is ADSL (PPPoA)
>>> - the firewall machine is a separate one, interposed between a /29 net
>>> and the main /26 (public IPs). The router is obviously on the /29.
>>
>> This is not enough information. A diagram with machines and interface
>> addresses would be helpful.
>>
>> Is the DNS server ACTUALLY on the public or private network?
>
> On the inside network, with public IPs.
>
>> IS NAT used to translate between them?
>
> There is no NAT at all.
>
>>> - no filtering or firewall is active either on the Zyxel or the
>>> Draytek.
>>
>> There may well be default lack of routing, or NAT translations going in.
>
> Bear in mind it all works fine on the old router.

which is obviously set up to make it work...

>> try from a remote source telnetting to the TCP IP port corresponding to
>> the DNS server.
>
> I can do a 'dig domain axfr' from a remote source and it works fine.

not sure that uses TCP....

>> Remember that it's conventional to always pass DNS UDP traffic on a
>> 'noddy' home router so that DNS actually works. However you may have a
>> default block on syn ip packets.
>
> But then the dig wouldn't work.

it might if it uses UDP

"+[no]tcp
Use [do not use] TCP when querying name servers.
The default behavior is to use UDP unless an AXFR or IXFR
query is requested, in which case a TCP connection is
used."

Try it both ways.

If it's working and there is nothing special about the IP address you are
calling from, then it's something ultimately weird.

>> And if you are using NAT you will need to set up an explicit pass
>> through for anything behind the router that needs to accept a connection
>> NOT initiated from inside the network
>>
>> NAT works by maintaining forwarding tables for connections coming from
>> inside the network: to set one up for the reverse direction needs an
>> explicit rule set up.
>
> There is no NAT at all.

MM routing must be working for any traffic to work...

If you can do a zone transfer then it IS all working...except from that
site...

check logs for successful transfers and unsuccessful and compare...


--
Ineptocracy

(in-ep-toc'-ra-cy) - a system of government where the least capable to
lead are elected by the least capable of producing, and where the
members of society least likely to sustain themselves or succeed, are
rewarded with goods and services paid for by the confiscated wealth of a
diminishing number of producers.
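
The refresh sequence this thread is debugging (SOA lookup over UDP, serial comparison, then a TCP connection to port 53), as an added Python example that is not from any poster: `soa_over()` asks the same SOA question over each transport so the two paths can be compared from one vantage point. The function names, the `ns1.`/`hostmaster.` names in the constructed sample response, and the 5-second timeout are assumptions of this example.

```python
import socket
import struct
SOA = 6  # DNS RR type code for SOA

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"

def build_query(name, qtype, qid=0x1234):
    """One-question query: 12-byte header, then QNAME, QTYPE, QCLASS=IN."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:  # a compression pointer ends the name
            return off + 2
        if n == 0:
            return off + 1
        off += 1 + n

def soa_serial(msg):
    """Pull the serial out of the first answer RR of an SOA response."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    if ancount == 0:
        raise ValueError("response carries no answer")
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    off = skip_name(msg, off) + 10             # owner; TYPE/CLASS/TTL/RDLENGTH
    off = skip_name(msg, skip_name(msg, off))  # MNAME, RNAME
    return struct.unpack("!I", msg[off:off + 4])[0]

def serial_newer(primary, secondary):
    """RFC 1982 serial arithmetic: True when the secondary should transfer."""
    return primary != secondary and ((primary - secondary) & 0xFFFFFFFF) < 0x80000000

def soa_over(server, zone, tcp, timeout=5):
    """Return the zone's SOA serial fetched over UDP (tcp=False) or TCP."""
    query = build_query(zone, SOA)
    if not tcp:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, 53))
            return soa_serial(s.recvfrom(4096)[0])
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)  # TCP adds a 2-byte length
        reader = s.makefile("rb")
        (length,) = struct.unpack("!H", reader.read(2))
        return soa_serial(reader.read(length))

def sample_response(zone, serial):
    """Constructed SOA answer (not captured traffic) for offline checks."""
    rdata = encode_name("ns1." + zone) + encode_name("hostmaster." + zone)
    rdata += struct.pack("!IIIII", serial, 3600, 600, 604800, 3600)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", SOA, 1, 3600, len(rdata)) + rdata
    return struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0) + build_query(zone, SOA)[12:] + answer
```

A UDP call that returns a serial while the TCP call times out is the same split the firewall logs in this thread show; the server address and zone are the caller's own.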

#7
January 6th 14, 11:40 PM, posted to uk.telecom.broadband
The Natural Philosopher

On 06/01/14 23:23, Bob Eager wrote:
> On Mon, 06 Jan 2014 21:27:59 +0000, Richard Tobin wrote:
>
>> In article ,
>> Bob Eager wrote:
>>
>>> - with the Draytek in place, I see the UDP transfers OK. There is no
>>> sign of any TCP connection, even on the firewall logs, and certainly
>>> not on the primary DNS.
>>
>> Can you make a TCP connection in to the relevant port from some other
>> external machine?
>
> Yes - I can do a 'dig domain axfr' and get a zone transfer.

gimme a dig command to try from a few machines here...




#8
January 7th 14, 08:03 AM, posted to uk.telecom.broadband
Bob Eager

On Mon, 06 Jan 2014 23:36:42 +0000, The Natural Philosopher wrote:

>>> try from a remote source telnetting to the TCP IP port corresponding
>>> to the DNS server.
>>
>> I can do a 'dig domain axfr' from a remote source and it works fine.
>
> not sure that uses TCP....

It does...but in fact I've forced TCP and my test still works.

>>> And if you are using NAT you will need to set up an explicit pass
>>> through for anything behind the router that needs to accept a
>>> connection NOT initiated from inside the network
>>>
>>> NAT works by maintaining forwarding tables for connections coming from
>>> inside the network: to set one up for the reverse direction needs an
>>> explicit rule set up.
>>
>> There is no NAT at all.
>
> MM routing must be working for any traffic to work...
>
> If you can do a zone transfer then it IS all working...except from that
> site...
>
> check logs for successful transfers and unsuccessful and compare...

I have....all I can see is the UDP messages for the SOAs, and then
{ nothing for new router/successful AXFR for old router }...


#9
January 7th 14, 12:25 PM, posted to uk.telecom.broadband
Richard Tobin

In article ,
Bob Eager wrote:

> I have....all I can see is the UDP messages for the SOAs, and then
> { nothing for new router/successful AXFR for old router }...

Can you set up a secondary somewhere else as similar as possible
to the ISP's, and see if it has the same problem? At least you'd be
able to look at its logs.

-- Richard
#10
January 7th 14, 03:44 PM, posted to uk.telecom.broadband
Bob Eager

On Tue, 07 Jan 2014 12:25:32 +0000, Richard Tobin wrote:

> In article ,
> Bob Eager wrote:
>
>> I have....all I can see is the UDP messages for the SOAs, and then {
>> nothing for new router/successful AXFR for old router }...
>
> Can you set up a secondary somewhere else as similar as possible to the
> ISP's, and see if it has the same problem? At least you'd be able to
> look at its logs.

Not that easily. However, I've used dig to do a zone transfer from
somewhere else, and to do UDP queries, and that all works fine.

My initial response from Gradwell was not encouraging; I gave the same
details as I gave here and they just told me to open port 53...