I'm trying to get data (an AXFR query) from a master tinydns server to a secondary DNS server using tcpclient as follows:
tcpclient -v a.ns.example.com 53 axfr-get example.com example.com example.com.tmp
But I'm getting an error which reads as follows:
axfr-get: fatal: unable to parse AXFR results: protocol error
How do I fix this problem?
Work through the following checks to fix this problem:
Make Sure axfrdns Is Configured and Running
axfrdns is the DNS zone-transfer server supplied with djbdns. It reads a zone-transfer request in DNS-over-TCP format from its standard input and responds with locally configured information, so it is normally started by tcpserver, which listens on TCP port 53 and runs one axfrdns per connection. tinydns itself answers UDP only, so a working tinydns does not mean that TCP port 53 is being served. Use the netstat or sockstat command to see whether anything is listening on port 53:
# netstat -tulpn | grep :53
# sockstat -4 -p 53
Make Sure TCP Port 53 Is Open For Business
Make sure the firewall is not blocking TCP port 53. Ordinary lookups reach tinydns over UDP, but zone transfers run over TCP, so a rule that opens only UDP port 53 is not enough. Use the iptables command to list the current firewall rules:
# iptables -L -n
# iptables -L -n | less
# iptables -L -n | grep 53
PF firewall rules can be listed using the following command:
# pfctl -sr
# pfctl -sr | grep "port = domain"
How Do I Open TCP Port # 53 under Linux Iptables Firewall?
Add the following rules to your iptables script (assuming that 184.108.40.206 is the tinydns / axfrdns server address and that $IPT holds the path to the iptables binary):
$IPT -A INPUT -i eth0 -s 0/0 -d 184.108.40.206 -p udp --dport 53 -j ACCEPT
$IPT -A INPUT -i eth0 -s 0/0 -d 184.108.40.206 -p tcp --dport 53 -j ACCEPT
If only ns2.example.com needs TCP access, replace -s 0/0 in the TCP rule with the secondary's address, so that the firewall and the axfrdns tcp rules back each other up.
How Do I Open TCP Port # 53 under *BSD PF Firewall?
Add the following to your /etc/pf.conf (assuming that 22.214.171.124 is the tinydns / axfrdns server address) and reload the ruleset:
pass in on $ext_if inet proto udp from any to 22.214.171.124 port domain
pass in on $ext_if inet proto tcp from any to 22.214.171.124 port domain flags S/SA synproxy state
Make Sure tcprules Are Set Correctly For axfrdns
The tcp file in the axfrdns directory (usually /etc/axfrdns or /var/axfrdns, wherever axfrdns-conf created it) holds the tcprules that decide who may connect to TCP port 53 and, through the AXFR variable, which zones each client may transfer. Edit it so that only ns2.example.com is allowed to transfer the zone while the rest of the world may connect but not transfer.
Save and close the file. Then run make in the same directory to compile the rules into tcp.cdb; axfrdns consults the compiled tcp.cdb, not the text file, so an edit has no effect until make has been run.
Once that is done, only ns2.example.com is allowed to transfer the zone; others can only connect to TCP port 53 and ask ordinary queries.
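To make those semantics concrete, here is an added example (my own, not code from djbdns) containing a constructed tcp file and emulating the two decisions behind it: tcpserver's rule lookup for the client's address and axfrdns's check of the AXFR variable against the requested zone. The addresses are assumptions: 192.0.2.2 stands for ns2.example.com, 192.0.2.1 for an admin host and 198.51.100.0/24 for a network to refuse. Hostname-based (=host) rules are left out. On a real server the file is compiled with make, which runs tcprules, and axfrdns reads the resulting tcp.cdb.

```python
"""Emulate the access decision axfrdns makes from its tcp rules.

Added example, not part of djbdns.  The rules file below is constructed for
illustration: 192.0.2.2 is an assumed address for ns2.example.com, 192.0.2.1 an
assumed admin host and 198.51.100.0/24 an assumed network to refuse outright.
"""

import re

# Constructed tcp file in tcprules syntax (compiled into tcp.cdb by `make`).
TCP_RULES = """\
# assumed address of ns2.example.com: may transfer exactly these zones
192.0.2.2:allow,AXFR="example.com/2.0.192.in-addr.arpa"
# assumed admin host: 'allow' with no AXFR variable lets it transfer EVERY zone
192.0.2.1:allow
# assumed hostile network: a prefix rule (note the trailing dot) refuses the connection
198.51.100.:deny
# everyone else: may connect and query over TCP, but AXFR="" permits no zone at all
:allow,AXFR=""
"""

_ENV_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="([^"]*)"')


def parse_rules(text):
    """Parse tcprules lines of the form address:allow|deny[,VAR="value"...]."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        address, _, instruction = line.partition(":")
        action, _, envpart = instruction.partition(",")
        env = dict(_ENV_RE.findall(envpart))
        rules[address] = (action == "allow", env)
    return rules


def lookup(rules, client_ip):
    """Find the rule tcpserver would apply to client_ip.

    Lookup order for IP rules: the exact address, then shorter dotted prefixes
    (longest first), then the empty default address."""
    parts = client_ip.split(".")
    candidates = [client_ip]
    candidates += [".".join(parts[:n]) + "." for n in range(len(parts) - 1, 0, -1)]
    candidates.append("")
    for cand in candidates:
        if cand in rules:
            return rules[cand]
    return (True, {})  # no matching rule at all: tcpserver lets the connection through


def may_transfer(rules, client_ip, zone):
    """Return (connection_allowed, transfer_allowed) as axfrdns would decide.

    If the rule sets AXFR, only the slash-separated zones it lists may be
    transferred (so AXFR="" forbids every transfer); if AXFR is unset, any
    zone may be transferred."""
    allowed, env = lookup(rules, client_ip)
    if not allowed:
        return (False, False)
    axfr = env.get("AXFR")
    if axfr is None:
        return (True, True)
    zones = {z.rstrip(".").lower() for z in axfr.split("/") if z}
    return (True, zone.rstrip(".").lower() in zones)


if __name__ == "__main__":
    rules = parse_rules(TCP_RULES)
    for ip, zone in (("192.0.2.2", "example.com"), ("192.0.2.2", "example.org"),
                     ("192.0.2.1", "example.org"), ("203.0.113.9", "example.com"),
                     ("198.51.100.7", "example.com")):
        print(ip, zone, may_transfer(rules, ip, zone))
```

The second rule is the footgun worth knowing about: an allow line with no AXFR variable lets that client transfer every zone the server carries, so the catch-all rule should always set AXFR="" explicitly, and any host that is allowed to transfer should get an explicit zone list.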
Troubleshooting Tip: dig and tcpclient Commands
Run tcpclient by hand on the secondary; fn is the file the zone data is saved to and fn.tmp the temporary file axfr-get writes first:
$ tcpclient -v ns1.example.com 53 axfr-get example.com fn fn.tmp
If the secondary has several IP addresses, tell tcpclient which local address to connect from with -i (it takes an IP address; here 192.0.2.2 stands for the address of ns2.example.com that the tcp rules on ns1 allow). This matters because tcprules match on the source address of the connection:
$ tcpclient -i 192.0.2.2 -v ns1.example.com 53 axfr-get example.com fn fn.tmp
Then try dig: the first query shows whether TCP port 53 answers at all, the second attempts the transfer itself (AXFR always runs over TCP, so +tcp is implied there):
$ dig @ns1.example.com example.com A +tcp
$ dig @ns1.example.com example.com AXFR +tcp
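What a client such as axfr-get or dig actually puts on the wire, and what it expects back, can be seen with this added example, which is my own code and not taken from djbdns or dig. It builds the AXFR query, applies the two-byte TCP length prefix, reads one framed reply and checks it the way a careful client does (message length, matching id, QR bit, rcode, answer count). The replies it is fed are constructed by hand; probe() is the only function that talks to a network, and the server name and zone passed to it are whatever you choose. A real transfer keeps reading messages until the zone's SOA record appears a second time.

```python
"""Build an AXFR query as a TCP client sends it and classify the reply.
Added example, not code from djbdns or dig; the replies are constructed by hand."""

import io
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}
TYPE_SOA, TYPE_AXFR, CLASS_IN = 6, 252, 1


def encode_name(name):
    """Wire-format domain name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_axfr_query(zone, qid):
    """12-byte header (id, flags 0, one question) followed by 'zone AXFR IN'."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_AXFR, CLASS_IN)


def frame_tcp(message):
    """DNS over TCP prefixes every message with its 16-bit big-endian length."""
    return struct.pack("!H", len(message)) + message


def read_tcp_message(stream):
    """Read one framed message; None on a clean EOF, ValueError if cut short."""
    prefix = stream.read(2)
    if len(prefix) < 2:
        return None
    (length,) = struct.unpack("!H", prefix)
    body = stream.read(length)
    if len(body) < length:
        raise ValueError("truncated DNS message: protocol error")
    return body


def classify_reply(query, reply):
    """Validate the reply against our query and describe what the server said."""
    if reply is None:
        return "connection closed without an answer"
    if len(reply) < 12:
        return "short message: protocol error"
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", reply[:12])
    if qid != struct.unpack("!H", query[:2])[0]:
        return "id mismatch: protocol error"
    if not flags & 0x8000:
        return "QR bit clear: protocol error"
    rcode = flags & 0x000F
    if rcode:
        return "rcode " + RCODES.get(rcode, str(rcode))
    if ancount == 0:
        return "NOERROR but no records: protocol error"
    return "NOERROR, %d record(s) in this message" % ancount


def probe(server, zone, port=53, timeout=10):
    """Send one AXFR query over TCP to a real server and classify the first reply."""
    query = build_axfr_query(zone, 0x1234)
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(frame_tcp(query))
        reply = read_tcp_message(sock.makefile("rb"))
    return classify_reply(query, reply)


# Constructed replies (not captured from a real server) to exercise the client.
QUERY = build_axfr_query("example.com", 0x1234)
QUESTION = QUERY[12:]
# QR=1, RD=1, RA=1, rcode 5: a server refusing the transfer.
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0) + QUESTION
# QR=1, AA=1, one answer: the opening message of a transfer carrying the SOA.
SOA_RDATA = (encode_name("a.ns.example.com") + encode_name("hostmaster.example.com")
             + struct.pack("!IIIII", 2024010101, 16384, 2048, 1048576, 2560))
SOA_RR = (encode_name("example.com")
          + struct.pack("!HHIH", TYPE_SOA, CLASS_IN, 2560, len(SOA_RDATA)) + SOA_RDATA)
AXFR_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0) + QUESTION + SOA_RR


def demo():
    """Run the constructed replies through the reader and classifier."""
    results = {}
    for name, wire in (("refused", frame_tcp(REFUSED_REPLY)), ("axfr", frame_tcp(AXFR_REPLY)),
                       ("closed", b""), ("truncated", frame_tcp(AXFR_REPLY)[:-5])):
        try:
            results[name] = classify_reply(QUERY, read_tcp_message(io.BytesIO(wire)))
        except ValueError as err:
            results[name] = str(err)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-9s %s" % (name, verdict))
```

Against a live server, probe("ns1.example.com", "example.com") tells you which of the four outcomes you are in: a refusal or other rcode is a policy decision on the server side, a connection that closes with no answer or a truncated message points at the server process or at something in the path cutting the TCP stream, and only a NOERROR message with records means the tcp rules, firewall and axfrdns are all in agreement.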