|
The FortiOS can be the slave for a DNS zone and transfer all the records from the Master.
There are two mechanism to DNS zone transfer:
Polling scheme.
The slave poll on specific interval the master to determine when it needs a zone transfer. Timers parameters in the zone's SOA record govern the timer to get the records.
The AXFR query refers to the protocol used during a DNS zone transfer, the slave initiated request to master, and it gets the entire zone.
DNS NOTIFY.
Mechanism that allow master name servers to notify the slaves of changes to a zone's data.
When a primary master name server notices that the serial number of a zone has changed, it sends a special announcement to all of the slave name servers for that zone.
Often, there are issues during DNS transfer zone from Master to Slave and with FortiOS to troubleshoot the process with dnsproxy debug and sniffer packets.
Topology.
FortiGate port1 (172.16.65.132) -- > DNS Server (172.16.65.131)
FortiGate configuration.
# config system dns-database
edit "test_markoz_com"
set domain "markoz.com"
set type secondary
set source-ip 172.16.65.132
set ip-primary 172.16.65.131
next
end
# config system dns-server
edit "port1"
next
end
SUCCESS DNS ZONE TRANSFER.
When the DNS Master suffer a record update and the records sends a DNS NOTIFY to slave with a new zone's serial number.
Slave checks is done if the zone's serial number has incremented and initiates a zone transfer with AXFR query.
Following CLI output the serial has increased and the smtp.markoz.com record was updated.
FortiGate-VM64 # diagnose test application dnsproxy 8
worker idx: 0
vfid=0 name=test_markoz_com domain=markoz.com ttl=86400 authoritative=1 view=shadow type=secondary serial=2507202201 refresh=604800
A: ns1.markoz.com-->172.16.65.131(604800)
A: smtp.markoz.com-->172.16.65.131(604800)
A: www.markoz.com-->172.16.65.131(604800)
SOA: markoz.com (primary: markoz.com, contact: admin@markoz.com, serial: 2507202201)(604800)
NS: markoz.com-->ns1.markoz.local(604800)
FortiGate-VM64 # diagnose test application dnsproxy 8
worker idx: 0
vfid=0 name=test_markoz_com domain=markoz.com ttl=86400 authoritative=1 view=shadow type=secondary serial=2507202202 refresh=604800
A: ns1.markoz.com-->172.16.65.131(604800)
A: smtp.markoz.com-->172.16.65.134(604800)
A: www.markoz.com-->172.16.65.131(604800)
SOA: markoz.com (primary: markoz.com, contact: admin@markoz.com, serial: 2507202202)(604800)
NS: markoz.com-->ns1.markoz.local(604800)
The dnsproxy debug show the process.
Two different zone's serial number means a DNS master most recent update.
FortiGate-VM64 # diagnose debug application dnsproxy -1
FortiGate-VM64 # diagnose debug enable
[worker 0] udp_receive_request()-2961: vd=0, vrf=0, intf=3, len=70, alen=16, 172.16.65.131:55046=>172.16.65.132
[worker 0] handle_dns_request()-2310: vfid=0 real_vfid=0 id=0x70f9 pktlen=70 qr=0 req_type=3
[worker 0] dns_parse_message()-603
[worker 0] get_intf_policy()-1310: ifindex=3
[worker 0] dns_local_lookup()-2458: vfid=0 qname=markoz.com, qtype=6, qclass=1, offset=28, map#=2 max_sz=512
[worker 0] dns_lookup_aa_zone()-608: vfid=0, fqdn=markoz.com
[worker 0] dns_local_lookup()-2509: found zone=test_markoz_com domain=markoz.com
[worker 0] dns_local_lookup()-2550: zone=markoz.com received dns notify request (start refreshing)
[worker 0] dns_query_save_response()-2528: domain=markoz.com pktlen=70
[worker 0] dns_send_response()-1514: domain=markoz.com reslen=70
[worker 0] __dns_udp_forward_response()-1401
[worker 0] __dns_udp_forward_response()-1413: vd-0 Send 70B via fd=10, family=2
[worker 0] __dns_udp_forward_response()-1416: set svf of fd to 0
[worker 0] __dns_udp_forward_response()-1460: vd=0 send 70B response 172.16.65.132:53=>172.16.65.131:55046
[worker 0] dns_query_delete()-538: orig id:0x70f9 local id:0x0000 domain=markoz.com non-active
[worker 0] udp_receive_request()-2906
[worker 0] dnszone_refresh_timer_fn()-1641: zone=markoz.com
[worker 0] dnszone_refresh_timer_fn()-1695: zone=markoz.com created refresh process 784
[worker 0] dnszone_secondary_start_axfr()-1514: zone=markoz.com
[worker 0] dnszone_secondary_start_axfr()-1536: zone=markoz.com refreshing, source_ip=172.16.65.132 is used
[worker 0] dnszone_secondary_check_status()-1079: zone=markoz.com sending SOA request (id=0xec63)
[worker 0] dnszone_secondary_check_status()-1120: zone=markoz.com received SOA response (id=0xec63 rcode=0)
[worker 0] dnszone_secondary_check_status()-1174: received serial=-1787765094, local serial=-1787765095
[worker 0] dnszone_secondary_request_axfr()-1203: zone=markoz.com sending AXFR request (id=0x8094)
[worker 0] dnszone_secondary_request_axfr()-1280: zone=markoz.com received AXFR response (id=0x8094 rcode=0)
[worker 0] dnszone_secondary_request_axfr()-1457: zone=markoz.com sending rr to parent
[worker 0] dnszone_refresh_parent_read()-1599: zone=markoz.com received rr from child
[worker 0] dnszone_secondary_request_axfr()-1467: zone=markoz.com wating for confirmation
[worker 0] dnszone_secondary_request_axfr()-1457: zone=markoz.com sending rr to parent
[worker 0] dnszone_refresh_parent_read()-1599: zone=markoz.com received rr from child
[worker 0] dnszone_secondary_request_axfr()-1467: zone=markoz.com wating for confirmation
[worker 0] dnszone_secondary_request_axfr()-1457: zone=markoz.com sending rr to parent
[worker 0] dnszone_refresh_parent_read()-1599: zone=markoz.com received rr from child
[worker 0] dnszone_secondary_request_axfr()-1467: zone=markoz.com wating for confirmation
[worker 0] dnszone_secondary_request_axfr()-1457: zone=markoz.com sending rr to parent
[worker 0] dnszone_refresh_parent_read()-1599: zone=markoz.com received rr from child
[worker 0] dnszone_secondary_request_axfr()-1467: zone=markoz.com wating for confirmation
[worker 0] dnszone_secondary_request_axfr()-1457: zone=markoz.com sending rr to parent
[worker 0] dnszone_refresh_parent_read()-1599: zone=markoz.com received rr from child
[worker 0] dnszone_secondary_request_axfr()-1467: zone=markoz.com wating for confirmation
[worker 0] dnszone_secondary_request_axfr()-1338: last record received
[worker 0] dnszone_child_reap()-919: pid=784
[worker 0] dnszone_child_reap()-928: zone=markoz.com refresh process exited=1 status=0
[worker 0] dnsentry_del()-239: name=ns1.markoz.com type=1
[worker 0] dnsentry_del()-239: name=smtp.markoz.com type=1
[worker 0] dnsentry_del()-239: name=www.markoz.com type=1
[worker 0] dnsentry_del()-239: name=markoz.com type=6
[worker 0] dnsentry_del()-239: name=markoz.com type=2
[worker 0] dnszone_child_reap()-1003: zone=markoz.com refreshed (serial=-1787765094, refresh=604800)
The following capture shows the process.
FAILURE DNS ZONE TRANSFER.
The DNS Zone transfer failure because the zone's serial number has not been incremented.
As a result, the DNS transfer zone stop after SOA's serial number validation and the AXFR query was not send.
[worker 0] batch_on_read()-3291
[worker 0] udp_receive_request()-2906
[worker 0] udp_receive_request()-2961: vd=0, vrf=0, intf=3, len=70, alen=16, 172.16.65.131:32855=>172.16.65.132
[worker 0] handle_dns_request()-2310: vfid=0 real_vfid=0 id=0x1947 pktlen=70 qr=0 req_type=3
[worker 0] dns_parse_message()-603
[worker 0] get_intf_policy()-1310: ifindex=3
[worker 0] dns_local_lookup()-2458: vfid=0 qname=markoz.com, qtype=6, qclass=1, offset=28, map#=2 max_sz=512
[worker 0] dns_lookup_aa_zone()-608: vfid=0, fqdn=markoz.com
[worker 0] dns_local_lookup()-2509: found zone=test_markoz_com domain=markoz.com
[worker 0] dns_local_lookup()-2550: zone=markoz.com received dns notify request (start refreshing)
[worker 0] dns_query_save_response()-2528: domain=markoz.com pktlen=70
[worker 0] dns_send_response()-1514: domain=markoz.com reslen=70
[worker 0] __dns_udp_forward_response()-1401
[worker 0] __dns_udp_forward_response()-1413: vd-0 Send 70B via fd=10, family=2
[worker 0] __dns_udp_forward_response()-1416: set svf of fd to 0
[worker 0] __dns_udp_forward_response()-1460: vd=0 send 70B response 172.16.65.132:53=>172.16.65.131:32855
[worker 0] dns_query_delete()-538: orig id:0x1947 local id:0x0000 domain=markoz.com non-active
[worker 0] udp_receive_request()-2906
[worker 0] dnszone_refresh_timer_fn()-1641: zone=markoz.com
[worker 0] dnszone_refresh_timer_fn()-1695: zone=markoz.com created refresh process 818
[worker 0] dnszone_secondary_start_axfr()-1514: zone=markoz.com
[worker 0] dnszone_secondary_start_axfr()-1536: zone=markoz.com refreshing, source_ip=172.16.65.132 is used
[worker 0] dnszone_secondary_check_status()-1079: zone=markoz.com sending SOA request (id=0x9431)
[worker 0] dnszone_secondary_check_status()-1120: zone=markoz.com received SOA response (id=0x9431 rcode=0)
[worker 0] dnszone_secondary_check_status()-1174: received serial=-1787765094, local serial=-1787765094
[worker 0] dnszone_child_reap()-919: pid=818
[worker 0] dnszone_child_reap()-928: zone=markoz.com refresh process exited=1 status=0
[worker 0] dns_query_check_timeout()-601: jiffies=851591
[worker 0] dns_ext_resource_timer_fn()-2535: checking for ext resource shm updates
The following sniffer packet shows the process. The last validation was the SOA's serial number.
 |
