Sunday, November 17, 2019

DNS Zone Transfer- All that you need to Know


Zone transfer after 'Refresh' time Interval


Every SOA record (for a valid zone) carries a REFRESH value, given in seconds. Let us consider the zone 'abc.com'. Its SOA record would look something like the one shown below:




The REFRESH value tells the Secondary DNS Server how often it should query the Primary DNS Server to check whether its copy of the zone is still current. In the above example the refresh value is 3 hours (10800 seconds), so every 3 hours the Secondary sends an SOA query to its Primary and compares the serial number in the response with the serial number of the copy it holds.

Note: each time the zone is modified, its serial number must be incremented; a change made without bumping the serial is never picked up by the Secondaries.
If the serial number in the Primary's SOA response is higher than the one the Secondary holds (the comparison uses serial number arithmetic, RFC 1982, because the 32-bit serial is allowed to wrap), the Secondary initiates an IXFR or AXFR. If the serials are equal the zone is current; if the Primary's serial is lower, no transfer takes place.
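The refresh check described above, as an added example (not code from the original post): it parses a constructed single-line SOA record for the hypothetical zone abc.com with the 3-hour refresh from the text, decides whether a transfer is needed using RFC 1982 serial arithmetic rather than a plain "different" test, and shows how the RETRY and EXPIRE fields of the same record drive the polling schedule. The record contents, names and serial values are assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed single-line SOA record for the hypothetical zone abc.com, with the
# 3-hour (10800 s) REFRESH used in the text; not copied from any real zone.
SOA_LINE = ("abc.com. 3600 IN SOA ns1.abc.com. hostmaster.abc.com. "
            "2019111701 10800 900 604800 86400")

@dataclass
class SOA:
    owner: str
    ttl: int
    mname: str      # name of the primary server for the zone
    rname: str      # mailbox of the person responsible for the zone
    serial: int
    refresh: int    # seconds between SOA checks after a successful one
    retry: int      # seconds before retrying after a failed check
    expire: int     # seconds without a successful check before the zone is dropped
    minimum: int

def parse_soa(line):
    """Parse a zone-file SOA record written on one line."""
    f = line.split()
    if len(f) != 11 or f[2] != "IN" or f[3] != "SOA":
        raise ValueError("not a single-line SOA record: %r" % line)
    return SOA(f[0], int(f[1]), f[4], f[5], *(int(x) for x in f[6:11]))

def serial_gt(a, b):
    """RFC 1982 serial-number arithmetic: True if a is 'after' b modulo 2**32.
    A plain a != b test would also transfer when the primary's serial went backwards."""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    return a != b and ((a < b and b - a > 2**31) or (a > b and a - b < 2**31))

def needs_transfer(local_serial, primary_serial):
    """The secondary's decision after comparing its SOA with the primary's answer."""
    return serial_gt(primary_serial, local_serial)

def next_soa_check(soa, last_attempt, last_attempt_ok):
    """When to poll the primary again: REFRESH after success, RETRY after failure."""
    return last_attempt + (soa.refresh if last_attempt_ok else soa.retry)

def zone_expired(soa, last_success, now):
    """After EXPIRE seconds without a successful check the secondary stops serving the zone."""
    return now - last_success > soa.expire

if __name__ == "__main__":
    local = parse_soa(SOA_LINE)
    for primary_serial in (2019111701, 2019111702, 2019111700):
        verdict = "transfer" if needs_transfer(local.serial, primary_serial) else "current"
        print(primary_serial, verdict)
```

The third case in the driver (a primary whose serial is lower than the secondary's) is the one a "serial is different" rule gets wrong; real secondaries log it and keep their copy.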

Pre-conditions for Zone transfer:


1.    The Secondary must know the Primary's address (the masters/primaries list in its zone configuration) and be able to reach it over TCP port 53. Recursion is not needed on the Secondary: AXFR and IXFR are ordinary non-recursive queries sent straight to the configured Primary.
2.    The Primary must permit the transfer to that Secondary (for example with allow-transfer in BIND); a Primary that allows transfers from anyone will hand its whole zone to any client that asks. For the NOTIFY in Step 1 to reach the Secondary, the Secondary must be listed in the zone's NS records (the MNAME itself is skipped) or in also-notify.

Now let's look at the zone transfer process.

The zone transfer is a 5-step process. Below is a work-flow:


We will go through the complete process step by step.



Step 1: When there is a change in the serial number of the zone, the Primary sends a NOTIFY

The Primary DNS Server sends a NOTIFY message to its known Secondary DNS Servers.

This occurs mainly when:

- the serial number of the zone is incremented manually;
- zone data on the Primary changes (a dynamic update, or a record being added or modified) and the serial is bumped as a result.

This NOTIFY message is the mechanism by which the Primary informs its Secondaries that the zone data has changed. The Secondary acknowledges it and then verifies the claim itself with an SOA query, so a NOTIFY alone never causes a transfer.

NOTIFY messages are also sent when the named process (the BIND name server) is restarted or the zone is reloaded on the Primary DNS Server.

Below traffic capture shows the notification sent by Primary to Secondary server:


As soon as the Secondary receives the NOTIFY, it sends an SOA query to the Primary DNS Server.

Step 2: Secondary server sends an SOA Query

The secondary is looking for the serial number difference.



Step 3: Primary Sends an SOA Response


The Secondary DNS Server compares the serial number in this SOA response with the one in its own database. If the Primary's serial number is higher, the Secondary sends an IXFR or AXFR query to the Primary requesting a zone transfer.




Note: the request can be IXFR (incremental: the Secondary includes its current SOA in the request and the Primary sends only the changes since that serial) or AXFR (the full zone, carried over TCP). A Primary that does not keep the change history the Secondary asks for answers an IXFR request with a full zone instead.

Step 4:  Secondary server Initiates IXFR/AXFR REQUEST

Having found that the Primary's serial number is higher than the one in its database, the Secondary sends an IXFR/AXFR request to its Primary DNS Server.





Step 5: Primary sends the latest data to the Secondary.

As the last step, the Primary sends its latest zone data to the Secondary: the whole zone for AXFR, or only the changes since the Secondary's serial for IXFR. The Secondary then stores the new serial and starts serving the updated zone.
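The five-step exchange above on the wire, as an added example (not code from the original post and not a real capture): it builds the NOTIFY (step 1), the SOA query (step 2), the SOA response (step 3) and the AXFR/IXFR requests (step 4) as DNS messages, and a small parser names each message the way a capture tool would, pulling the serial out of the SOA that the response and the IXFR request carry. The zone abc.com and the server names are assumptions; nothing is sent over the network, and name compression is deliberately not implemented.

```python
import struct

# Constants from RFC 1035 (header, SOA), RFC 1995 (IXFR) and RFC 1996 (NOTIFY)
OPCODE_QUERY, OPCODE_NOTIFY = 0, 4
QTYPE_SOA, QTYPE_IXFR, QTYPE_AXFR = 6, 251, 252
QCLASS_IN = 1
FLAG_QR, FLAG_AA = 0x8000, 0x0400      # response bit; authoritative-answer bit

def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def decode_name(msg, off):
    """Read an uncompressed name at `off`; returns (name, offset after it)."""
    labels = []
    while msg[off] != 0:
        n = msg[off]
        if n & 0xC0:
            raise ValueError("compression pointers are not used by this example")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1

def soa_rr(owner, mname, rname, serial, refresh, retry, expire, minimum, ttl=0):
    """Wire-format SOA resource record (owner, type, class, TTL, RDLENGTH, RDATA)."""
    rdata = encode_name(mname) + encode_name(rname) + struct.pack(
        "!IIIII", serial, refresh, retry, expire, minimum)
    return encode_name(owner) + struct.pack("!HHIH", QTYPE_SOA, QCLASS_IN, ttl, len(rdata)) + rdata

def build_message(msg_id, opcode, qname, qtype, flags=0, answer=b"", authority=b""):
    """Header plus one question, with an optional single answer / authority record."""
    header = struct.pack("!HHHHHH", msg_id, (opcode << 11) | flags,
                         1, 1 if answer else 0, 1 if authority else 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN) + answer + authority

# Step 1, primary -> secondary: NOTIFY is opcode 4 with the zone's SOA as the question.
def notify(msg_id, zone):
    return build_message(msg_id, OPCODE_NOTIFY, zone, QTYPE_SOA, flags=FLAG_AA)

# Step 2, secondary -> primary: an ordinary SOA query.
def soa_query(msg_id, zone):
    return build_message(msg_id, OPCODE_QUERY, zone, QTYPE_SOA)

# Step 3, primary -> secondary: the SOA answer carrying the primary's current serial.
def soa_response(msg_id, zone, mname, rname, serial, refresh, retry, expire, minimum):
    rr = soa_rr(zone, mname, rname, serial, refresh, retry, expire, minimum)
    return build_message(msg_id, OPCODE_QUERY, zone, QTYPE_SOA, flags=FLAG_QR | FLAG_AA, answer=rr)

# Step 4, secondary -> primary: AXFR asks for the whole zone (TCP in practice); IXFR
# puts the secondary's current SOA in the authority section so the primary can send
# only the changes since that serial (RFC 1995).
def axfr_request(msg_id, zone):
    return build_message(msg_id, OPCODE_QUERY, zone, QTYPE_AXFR)

def ixfr_request(msg_id, zone, local_serial, mname, rname):
    rr = soa_rr(zone, mname, rname, local_serial, 0, 0, 0, 0)
    return build_message(msg_id, OPCODE_QUERY, zone, QTYPE_IXFR, authority=rr)

KINDS = {(OPCODE_NOTIFY, QTYPE_SOA): "NOTIFY", (OPCODE_QUERY, QTYPE_SOA): "SOA query",
         (OPCODE_QUERY, QTYPE_AXFR): "AXFR request", (OPCODE_QUERY, QTYPE_IXFR): "IXFR request"}

def soa_serial_at(msg, off):
    """Serial field of the SOA record that starts at `off`."""
    _, off = decode_name(msg, off)          # owner
    off += 10                                # type, class, TTL, RDLENGTH
    _, off = decode_name(msg, off)           # MNAME
    _, off = decode_name(msg, off)           # RNAME
    return struct.unpack("!I", msg[off:off + 4])[0]

def classify(msg):
    """Parse one message the way a capture tool would and name its role in the exchange."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    opcode = (flags >> 11) & 0xF
    qname, off = decode_name(msg, 12)
    qtype, _ = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    kind = KINDS.get((opcode, qtype), "other")
    if kind == "SOA query" and flags & FLAG_QR:
        kind = "SOA response"
    info = {"id": msg_id, "kind": kind, "qname": qname, "qtype": qtype, "aa": bool(flags & FLAG_AA)}
    if (kind == "SOA response" and an == 1) or (kind == "IXFR request" and ns == 1):
        info["soa_serial"] = soa_serial_at(msg, off)   # primary's serial, or the one the secondary holds
    return info

if __name__ == "__main__":
    # Constructed exchange for the hypothetical zone abc.com; all names are illustrative.
    zone, mname, rname = "abc.com", "ns1.abc.com", "hostmaster.abc.com"
    for m in (notify(1, zone), soa_query(2, zone),
              soa_response(2, zone, mname, rname, 2019111702, 10800, 900, 604800, 86400),
              ixfr_request(3, zone, 2019111701, mname, rname), axfr_request(4, zone)):
        print(classify(m))
```

Two details worth noticing in the output: the NOTIFY has opcode 4 and the AA bit set but is otherwise shaped like an SOA query, which is why a filter on qtype alone cannot tell steps 1 and 2 apart; and the IXFR request is the only query that carries a record outside the question section, the secondary's own SOA with the serial it already has.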





Note: in many documents and articles you may find the Primary server referred to as the Master and the Secondary as the Slave.
