 From:  "James W. McKeand" <james at mckeand dot biz>
 To:  "'m0n0wall mailling list'" <m0n0wall at lists dot m0n0 dot ch>
 Cc:  "'Sven Kobow'" <s dot kobow at maul dash theet dot de>
 Subject:  RE: [m0n0wall] Problems with DNS server replication
 Date:  Thu, 2 Sep 2004 10:19:40 -0400
I think you need two rules:

Interface Source  : Port -> Dest    : Port
DMZ       <BIND>  : 53   -> <MS DNS>: 53
LAN       <MS DNS>: 53   -> <BIND>  : 53 

<BIND> being your Linux box on your DMZ
<MS DNS> being your Microsoft box on LAN (AT from the syslog

I would suggest setting up an alias for your MS and Linux box - these are just
shortcuts for creating firewall and NAT rules. In other words, you can use
the name of your box instead of the IP address when creating rules. The
other advantage is that if you need to change the IP of a server, you do not
need to edit *ALL* the rules - just the alias.

If the rules don't work, it could be a problem with the Microsoft DNS not
accepting the connection from the Linux box. I am assuming that this worked
before you set up the m0n0wall. On the zone in question, is the Linux box
listed as a Name Server for the zone (I assume yes)? Are zone transfers
enabled (mine are *NOT* by default - SBS2003)? Is the Linux box shown as
"allowed" to zone transfer? What IPs are shown - have these changed?

James W. McKeand

-----Original Message-----
From: Sven Kobow [mailto:s dot kobow at maul dash theet dot de] 
Sent: Thursday, September 02, 2004 6:21 AM
To: m0n0wall mailling list
Subject: [m0n0wall] Problems with DNS server replication


I need the following problem solved:

I have my internal net and a DMZ 192.168.0./24 connected by
m0n0wall. There are DNS servers in both subnets (MS DNS internal, BIND in the DMZ). The
DNS server in my internal net has the master zone for my domain and the DNS
in the DMZ has a slave zone. The problem is that replication does not work
properly. I checked syslog on my Linux box running BIND and found:

Sep  2 12:13:30 <LINUXBOX> /usr/sbin/named[11906]: refresh_callback: zone foo.bar/IN: failure for timed out
Sep  2 12:13:30 <LINUXBOX> /usr/sbin/named[11906]: refresh_callback: zone foo.bar/IN: retries exceeded

I need to know how to setup rules for this to work!
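The two syslog lines quoted above are what BIND's refresh timer logs when a slave cannot refresh from its master: "failure for ...: timed out" means no answer came back at all for the SOA refresh query (consistent with a firewall silently dropping it, as opposed to the master answering with REFUSED), and "retries exceeded" means the zone's retry schedule has run out, after which the slave keeps serving stale data until the SOA expire time. The following check is an added example, not code from the original thread or from m0n0wall or BIND: it parses such lines out of a syslog extract, tracks per zone whether the most recent event was a failure or a completed transfer, and points at the firewall or at the master's transfer settings depending on the failure reason. The sample lines are constructed; the host name `dmzdns` and the master address `192.168.1.10#53` are assumptions (the original post elides the master address, and the parser accepts that form too).

```python
import re

# Constructed sample syslog extract in the shape of the lines quoted in the
# thread. Host "dmzdns" and master "192.168.1.10#53" are assumptions.
SAMPLE_LOG = """\
Sep  2 12:13:30 dmzdns /usr/sbin/named[11906]: refresh_callback: zone foo.bar/IN: failure for 192.168.1.10#53: timed out
Sep  2 12:13:30 dmzdns /usr/sbin/named[11906]: refresh_callback: zone foo.bar/IN: retries exceeded
Sep  2 12:14:02 dmzdns /usr/sbin/named[11906]: refresh_callback: zone example.net/IN: failure for 192.168.1.10#53: timed out
Sep  2 12:15:00 dmzdns /usr/sbin/named[11906]: transfer of 'example.net/IN' from 192.168.1.10#53: end of transfer
"""

# refresh_callback lines: "zone <name>/<class>: <message>"
REFRESH_RE = re.compile(
    r"named\[\d+\]: refresh_callback: zone (?P<zone>[^/]+)/(?P<cls>\w+): (?P<msg>.+)$"
)
# "failure for <master>: <reason>"; the master part is optional so that the
# redacted form quoted in the post ("failure for timed out") still parses.
FAILURE_RE = re.compile(r"^failure for (?:(?P<master>\S+): )?(?P<reason>.+)$")
# A completed AXFR/IXFR, which supersedes earlier failures for that zone.
XFER_OK_RE = re.compile(
    r"transfer of '(?P<zone>[^/]+)/(?P<cls>\w+)' from (?P<master>\S+): end of transfer"
)


def parse_events(text):
    """Yield (zone, kind, master, reason) for each recognised BIND line."""
    for line in text.splitlines():
        m = REFRESH_RE.search(line)
        if m:
            msg = m.group("msg")
            if msg == "retries exceeded":
                yield m.group("zone"), "retries_exceeded", None, None
                continue
            f = FAILURE_RE.match(msg)
            if f:
                yield m.group("zone"), "refresh_failed", f.group("master"), f.group("reason")
            continue
        x = XFER_OK_RE.search(line)
        if x:
            yield x.group("zone"), "transfer_ok", x.group("master"), None


def diagnose(reason):
    """Map a refresh failure reason to the first thing to check."""
    if reason == "timed out":
        # No reply at all: the query never reached the master or the reply
        # never came back, so look at the firewall path slave -> master:53.
        return "no response from master; check firewall rules slave->master UDP/TCP 53"
    # Any other reason means the master answered with an error, so the
    # packets got through and the problem is on the master side.
    return "master answered with an error (%s); check its zone transfer settings" % reason


def summarize(text):
    """Per-zone state in log order: failure count, retry exhaustion, masters seen,
    reasons seen, and whether the last event was a successful transfer."""
    zones = {}
    for zone, kind, master, reason in parse_events(text):
        z = zones.setdefault(zone, {
            "failures": 0, "retries_exceeded": False,
            "masters": set(), "reasons": set(), "transfer_ok": False,
        })
        if master:
            z["masters"].add(master)
        if kind == "refresh_failed":
            z["failures"] += 1
            z["reasons"].add(reason)
            z["transfer_ok"] = False
        elif kind == "retries_exceeded":
            z["retries_exceeded"] = True
        elif kind == "transfer_ok":
            z["transfer_ok"] = True
            z["retries_exceeded"] = False
    return zones


def stale_zones(text):
    """Zones whose most recent event is still a failure, with a diagnosis each."""
    out = {}
    for zone, z in sorted(summarize(text).items()):
        if not z["transfer_ok"]:
            out[zone] = sorted(diagnose(r) for r in z["reasons"])
    return out


if __name__ == "__main__":
    for zone, hints in stale_zones(SAMPLE_LOG).items():
        print(zone, "->", "; ".join(hints))
```

Run it against `grep named /var/log/messages` output instead of `SAMPLE_LOG` to get the list of zones that still need attention; a zone that later logs "end of transfer" drops off the list, so the script is safe to run repeatedly while adjusting the firewall rules or the master's transfer settings.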