nslookup = zone transfer ?
  • nslookup = zone transfer ?

    I've noticed for quite a while that my AD DC DNS servers refuse nslookup queries against AD integrated zones. "Query refused". I had assumed all along that this was a security mechanism. Fine.

    BTW, the query I'm using in nslookup command line mode is ls -d contoso.com which means "List all records in the contoso.com zone"

    I performed a little more exploring recently. On my AD DC DNS server, I created a primary zone as a test. I fully expected to be able to pull nslookup queries from this zone. To my surprise, I still got the "Query refused" message.

    Next I went to a non AD DC Windows 2003 server running DNS. This DNS server already had a few primary and secondary zones on it. Running nslookup from the console of this server against a primary zone in its local DNS database provided a slightly different error. Something to the effect that the zone transfer failed and I should check the zone transfer settings for the zone.

    So then I checked the zone transfers configuration. No zone transfers allowed. I enabled zone transfers and I was then able to perform nslookup queries.

    So then I go back to my original AD DC DNS server and configure one of the AD integrated zones to allow zone transfers to my machine. From my machine, I can now query DNS records in the AD integrated zone using nslookup.

    So the question is, does performing queries using nslookup constitute a zone transfer (of queried records) from the DNS server's perspective to the machine performing the nslookup? It would appear so.

    Jas
    VCDX3 #34, VCDX4, VCDX5, VCAP4-DCA #14, VCAP4-DCD #35, VCAP5-DCD, VCPx4, vEXPERTx4, MCSEx3, MCSAx2, MCP, CCAx2, A+
    boche.net - VMware Virtualization Evangelist
    My advice has no warranties. Follow at your own risk.

  • #2
    Re: nslookup = zone transfer ?

    Well yes, the ls -t command is the same as taking the zone content and transferring it.

    You should have asked me, this is "by design" in Win2003 (It wasn't so in W2K).
    Cheers,

    Daniel Petri
    Microsoft Most Valuable Professional - Active Directory Directory Services
    MCSA/E, MCTS, MCITP, MCT
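    What the two posts above describe, shown on the wire as an added example (this is not code from the thread or from either poster): nslookup's ls -d does not send ordinary record lookups, it sends a single DNS AXFR query (QTYPE 252) over TCP, so the server applies its zone-transfer ACL and answers RCODE 5 (REFUSED) unless the client address is allowed to transfer. The zone name contoso.com is the one from the first post; the host name dc1, the record contents and the two server responses are constructed here for the offline demonstration, and axfr_over_tcp is the live equivalent you can point at a server you are authorised to test.

```python
# Added example, not from the thread: what nslookup's `ls -d contoso.com` sends and receives.
# ls -d issues a DNS AXFR query (QTYPE 252) over TCP, so the server applies its zone-transfer
# ACL and answers RCODE 5 (REFUSED) unless the client is allowed. Host name "dc1" and the two
# responses below are constructed for the offline demo.
import socket
import struct

QCLASS_IN = 1
TYPE_A, TYPE_SOA, TYPE_AXFR = 1, 6, 252
TYPE_NAMES = {TYPE_A: "A", TYPE_SOA: "SOA", TYPE_AXFR: "AXFR"}
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """Dotted name -> RFC 1035 label sequence."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_axfr_query(zone: str, txid: int = 0x1234) -> bytes:
    """The request ls -d sends: one question, QTYPE AXFR, QCLASS IN (no TCP length prefix yet)."""
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack("!HH", TYPE_AXFR, QCLASS_IN)


def read_name(data: bytes, offset: int):
    """Decode a possibly compressed owner name; return (name, offset just past it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = offset + 2
            jumped, offset = True, struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if jumped else offset)


def parse_message(data: bytes) -> dict:
    """Parse the header, skip the question, return RCODE and every (owner, type, ttl, rdata) record."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):
        _, offset = read_name(data, offset)
        offset += 4                                    # QTYPE + QCLASS
    records = []
    for _ in range(an + ns + ar):
        name, offset = read_name(data, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        records.append((name, rtype, ttl, data[offset:offset + rdlen]))
        offset += rdlen
    rcode = flags & 0x000F
    return {"rcode": rcode, "rcode_name": RCODE_NAMES.get(rcode, str(rcode)), "records": records}


def summarize(data: bytes):
    """(RCODE name, [(owner, type name)]): roughly what ls -d prints, or why it printed nothing."""
    msg = parse_message(data)
    return msg["rcode_name"], [(n, TYPE_NAMES.get(t, str(t))) for n, t, _, _ in msg["records"]]


# --- constructed responses for the contoso.com zone, served by a hypothetical host "dc1" ---
QUESTION = encode_name("contoso.com") + struct.pack("!HH", TYPE_AXFR, QCLASS_IN)
ZONE_PTR = b"\xc0\x0c"                                 # pointer back to the zone name at offset 12


def _rr(owner: bytes, rtype: int, ttl: int, rdata: bytes) -> bytes:
    return owner + struct.pack("!HHIH", rtype, QCLASS_IN, ttl, len(rdata)) + rdata


# "Query refused": flags 0x8185 = QR, RD, RA, RCODE 5; no answer records at all.
REFUSED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0) + QUESTION

# After transfers are allowed to the client: AA set, RCODE 0, zone bracketed by its SOA (RFC 5936).
SOA_RDATA = (b"\x03dc1" + ZONE_PTR + b"\x0ahostmaster" + ZONE_PTR
             + struct.pack("!IIIII", 2024010101, 900, 600, 86400, 3600))
TRANSFER_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 3, 0, 0) + QUESTION
                     + _rr(ZONE_PTR, TYPE_SOA, 3600, SOA_RDATA)
                     + _rr(b"\x03dc1" + ZONE_PTR, TYPE_A, 3600, bytes([10, 0, 0, 5]))
                     + _rr(ZONE_PTR, TYPE_SOA, 3600, SOA_RDATA))


def axfr_over_tcp(server: str, zone: str, port: int = 53, timeout: float = 5.0):
    """Live equivalent of ls -d: AXFR over TCP with the 2-byte length framing of RFC 1035 4.2.2."""
    query = build_axfr_query(zone)
    rcode_name, records, soa_seen = "NOERROR", [], 0
    with socket.create_connection((server, port), timeout=timeout) as sock, sock.makefile("rb") as f:
        sock.sendall(struct.pack("!H", len(query)) + query)
        while soa_seen < 2:                            # a transfer ends at the second SOA
            (length,) = struct.unpack("!H", f.read(2))
            msg = parse_message(f.read(length))
            if msg["rcode"] != 0:
                rcode_name = msg["rcode_name"]
                break
            for name, rtype, _, _ in msg["records"]:
                records.append((name, TYPE_NAMES.get(rtype, str(rtype))))
                soa_seen += rtype == TYPE_SOA
    return rcode_name, records
```

    summarize(REFUSED_RESPONSE) gives ('REFUSED', []), which is all nslookup has to go on when it prints "Query refused"; summarize(TRANSFER_RESPONSE) lists the SOA, the A record and the closing SOA, which is the whole zone. The practical consequence of the thread's finding: "Query refused" on ls -d is the zone-transfer ACL doing its job, and the fix that makes ls -d work (allowing transfers to a machine) also allows that machine to dump every record in the zone. Allow transfers only to the specific secondaries that need them, never to any server, and treat a successful AXFR from an arbitrary client as a finding.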



    • #3
      Re: nslookup = zone transfer ?

      Originally posted by danielp
      You should have asked me, this is "by design" in Win2003 (It wasn't so in W2K).
      Look who's talking about "you should have asked me" <--- coming from someone who just visited Duluth, MN and didn't inform me prior to his visit. I suppose you are traveling now to TechEd. I'll have to bust you up next time you come online!
      Jas



      • #4
        Re: nslookup = zone transfer ?

        LOL

        http://forums.petri.com/showthread.p...1388#post31388
        Cheers,

        Daniel Petri



        • #5
          Re: nslookup = zone transfer ?

          Originally posted by jasonboche
          Look who's talking about "you should have asked me" <--- coming from someone who just visited Duluth, MN and didn't inform me prior to his visit. I suppose you are traveling now to TechEd. I'll have to bust you up next time you come online!
          Threatening the boss, mmmm, no beer ration for Jason next month.

          Apart from that, an interesting post Jason. Thanks. I just hope Alan Zymer allows me to remember my new found information tomorrow.
          1 1 was a racehorse.
          2 2 was 1 2.
          1 1 1 1 race 1 day,
          2 2 1 1 2
