Using dig axfr to perform a zone transfer from a Windows Server 2012 DNS server

digdomain-name-systemwindows-server-2012

I'm working on setting up host auto-discovery for Nagios using DNS records.

When I try to use dig axfr to do a zone transfer (dig axfr local.domain.com), however, I get the following output:

[jwestbury@nagiosv local]# dig AXFR local.domain.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> AXFR local.domain.com
;; global options: +cmd
; Transfer failed.

The DNS server I'm querying is not showing anything in its logs for this query. If I change the domain to a non-existent one, I do see an entry in the DNS Server logs in Event Viewer, so I know the queries are hitting the DNS server fine.

Is there something special I need to do in order to allow AXFR transfers from the Nagios machine? Or is there somewhere else I should be looking for logs on the Nagios machine to indicate what might have happened when I tried to perform the transfer?

Any help would be appreciated. Thanks.

Best Answer

You need to enable and allow Zone Transfers for the zone you want to transfer. You can configure this on the Zone Transfers tab of the zone's properties pages.

Answer

The short answer to your specific question of listing CNAMEs is that you cannot without permission to do zone transfers (see How to list all CNAME records for a given domain?).

That said, if your company's DNS server still supports the ANY query, you can use dig to list the other records by doing:

dig +noall +answer +multiline yourdomain.yourtld any

These ... +noall +answer +multiline ... are strictly optional and are simply output formatting flags to make the output more easily human readable (see dig man page ).

Example

$ dig +noall +answer +multiline bad.horse any

Returns:

bad.horse.              7200 IN A 162.252.205.157
bad.horse.              7200 IN CAA 0 issue "letsencrypt.org"
bad.horse.              7200 IN CAA 0 iodef "mailto:abuse@sandwich.net"
bad.horse.              7200 IN MX 10 mx.sandwich.net.
bad.horse.              7200 IN NS a.sn1.us.
bad.horse.              7200 IN NS b.sn1.us.
bad.horse.              7200 IN SOA a.sn1.us. n.sn1.us. (
                                2017032202 ; serial
                                1200       ; refresh (20 minutes)
                                180        ; retry (3 minutes)
                                1209600    ; expire (2 weeks)
                                60         ; minimum (1 minute)
                                )

Caveats (RFC8482)

Note that, since around 2019, most public DNS servers have stopped answering most DNS ANY queries usefully. For background on that, see: https://blog.cloudflare.com/rfc8482-saying-goodbye-to-any/

If ANY queries do not enumerate multiple records, the only option is to request each record type (e.g. A, CNAME, or MX) individually.

DNS zone transfer (AXFR) failing

To narrow down the cause of the problem can you add a 4th IP that of your Linode to the AFXR ACL. After doing that the following commands should echo the DNS records on the screen.

host -l domain.com axfr1.dnsmadeeasy.com
host -l domain.com axfr2.dnsmadeeasy.com

If this works it will confirm that dnseasy is providing the axfr's and there is a problem on Linode's end.

Best Answer

Related Solutions

List all DNS records in a domain using dig

Answer

Example

Caveats (RFC8482)

DNS zone transfer (AXFR) failing

Related Topic