DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

2860 problems with zone transfers

08 Jan 2014 14:15 #78689 by rde42
2860 problems with zone transfers was created by rde42
My 2860 replaced a Zyxel P660R-D1.

The 2860 sits on a LAN with only one other machine - the dedicated firewall - and has a static route to the real LAN behind that. There is no NAT - all IP addresses are public (a /29 on the Vigor's LAN and a /26 inside the firewall). Only one port on the Vigor is really used - port 2 (port 1 has a dedicated web management connection - don't ask). The ISP is AAISP, and it's ADSL rather than VDSL (at present).

I have disabled all filtering/firewall on the Vigor.

On the LAN is the primary DNS server - I buy secondary DNS from Gradwell, and operate the primary as a 'hidden primary'.

What should happen is that Gradwell check, hourly, for zone updates, and then do zone transfers to the secondaries if needed. This worked fine on the Zyxel, but fails on the Vigor. If I put the Zyxel back it works again, so it's not an issue with the firewall machine. With the Zyxel, I see some UDP exchanges as Gradwell check the SOA records, followed by a TCP connection and transfer for the zone update. With the Vigor, I see the UDP conversation (at the primary DNS) but no TCP.

I repeat that the setup is the same for both routers. Even more strangely, I can force a TCP zone transfer from another external system on both routers.

In summary, only Gradwell zone transfers seem to fail, and only with the Vigor. Gradwell are finger-pointing at the Vigor (when they actually bother to read what I've written, which took a couple of goes).

Is there something subtle I need to do on the Vigor, or is there a known firmware problem? It's a vanilla 2860 with firmware 3.7.3.3.

Thanks


09 Jan 2014 12:41 #78694 by rde42
Replied by rde42 on topic Re: 2860 problems with zone transfers
It's beginning to look as if the Vigor is filtering DNS requests - I think the SOA query is being replied to by the DNS server, but the Vigor is blocking that reply (coming from port 53). UDP only - works OK with TCP.

Has anyone come across this, and/or knows any way to stop the Vigor from doing ANY DNS filtering at all?


16 Jan 2014 15:45 #78744 by phyber
Replied by phyber on topic Re: 2860 problems with zone transfers

rde42 wrote: Has anyone come across this, and/or knows any way to stop the Vigor from doing ANY DNS filtering at all?

It looks like they broke it when introducing the "DNS Filter" stuff. I guess they don't regression-test at DrayTek. Browsing these forums, it looks like the same thing happened on the Vigor 2830 after the DNS Filter was introduced too.
In addition to SOA being filtered, TXT is also being filtered. It's possible that requests using EDNS0 are affected too. I find that when I toggle dnssec-validation on, on my recursive resolver (bind9), the majority of DNS queries fail.
None of this was an issue before the Vigor 2860.

I'm wondering if running the current international firmware (3.7.3.3, from Nov 13 2013) in the UK is possible. Going off the Vigor 2830 thread, this issue seemed to be fixed in the next 2830 firmware when they fixed "A problem occurs when DNS response in VLAN tag." and "The router drops negative AAAA name server responses from different subnets.".
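To separate "the router drops UDP port-53 replies" from "the DNS server never answered", the following probe sends the same SOA and TXT query (with and without an EDNS0 OPT record, since phyber suspects EDNS0 is affected too) over both UDP and TCP and reports which transport lost the answer. The pattern rde42 describes (UDP SOA check silent, TCP fine) shows up as the "udp-filtered" verdict. This is an added example written for this thread, not code from the forum, from Gradwell or from DrayTek; the script name dnsprobe.py, the verdict strings and the 4096-byte EDNS0 payload size are my own choices, and the server address and zone are whatever you pass on the command line (run it from outside the Vigor against the hidden primary to test the inbound path).

```python
#!/usr/bin/env python3
# Constructed UDP-vs-TCP DNS probe for this thread; not DrayTek or forum code.
import secrets
import socket
import struct
import sys

QTYPES = {"A": 1, "SOA": 6, "TXT": 16, "AAAA": 28}
OPT_TYPE = 41  # EDNS0 OPT pseudo-RR (RFC 6891)

def encode_name(name):
    """Encode a hostname into DNS wire-format labels (no compression)."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(qname, qtype, edns=False, qid=None):
    """Build a recursion-desired query; with edns=True append an OPT RR."""
    if qid is None:
        qid = secrets.randbelow(65536)  # unpredictable transaction ID
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    msg = header + encode_name(qname) + struct.pack("!HH", QTYPES[qtype], 1)
    if edns:
        # OPT RR: root name, type 41, class = UDP payload size, TTL = flags, no RDATA
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, 0)
    return msg

def parse_header(resp):
    """Decode the 12-byte header: enough to tell a real answer from silence."""
    if len(resp) < 12:
        raise ValueError("message shorter than a DNS header")
    qid, flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": qid, "is_response": bool(flags & 0x8000),
            "truncated": bool(flags & 0x0200), "rcode": flags & 0x000F,
            "ancount": an, "nscount": ns, "arcount": ar}

def query_udp(server, qname, qtype, edns=False, timeout=3.0):
    """One query over UDP/53; None if no reply with a matching ID arrives."""
    q = build_query(qname, qtype, edns)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except OSError:  # timeout or ICMP error: the reply never got here
            return None
    hdr = parse_header(data)
    return hdr if hdr["id"] == struct.unpack("!H", q[:2])[0] else None

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before full message")
        buf += chunk
    return buf

def query_tcp(server, qname, qtype, edns=False, timeout=3.0):
    """Same query over TCP/53 (two-byte length prefix); None on any failure."""
    q = build_query(qname, qtype, edns)
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(q)) + q)
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            data = _recv_exact(s, length)
    except OSError:  # refused, reset, timed out, or closed early
        return None
    hdr = parse_header(data)
    return hdr if hdr["id"] == struct.unpack("!H", q[:2])[0] else None

def classify(udp, tcp):
    """Reduce the UDP/TCP pair to a verdict an admin can act on."""
    if udp is None and tcp is None:
        return "both-fail"     # server down, or all of port 53 blocked
    if udp is None:
        return "udp-filtered"  # TCP works, UDP reply lost: middlebox drops UDP/53 answers
    if tcp is None:
        return "tcp-blocked"   # UDP works, TCP refused: AXFR/IXFR cannot succeed
    return "ok"

def run_matrix(server, zone):
    """Probe SOA and TXT, with and without EDNS0, over both transports."""
    results = {}
    for qtype in ("SOA", "TXT"):
        for edns in (False, True):
            u = query_udp(server, zone, qtype, edns)
            t = query_tcp(server, zone, qtype, edns)
            results[(qtype, edns)] = classify(u, t)
    return results

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: dnsprobe.py <server-ip> <zone>")
    for (qtype, edns), verdict in run_matrix(sys.argv[1], sys.argv[2]).items():
        print(f"{qtype:<4} edns0={str(edns):<5} {verdict}")
```

Run it twice, once from a host behind the Vigor and once from outside, against the hidden primary's public address; if the outside run says "udp-filtered" for SOA while the inside run says "ok", the UDP answer is being lost on the router's path rather than at the server, which is exactly the evidence to hand to Gradwell or DrayTek. A "truncated" flag in the TCP header dictionary on a TXT query is normal for large records and is not a filtering symptom.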

