# named-xfer NOGO but nslookup works...



## monkeyboy (Jul 7, 2009)

I'm trying to understand the nature of the apparent firewall block at our institution... I have a name server set up within the firewall. A named-xfer query from outside the firewall to my name server FAILS (just hangs). BUT single nslookups from outside to my name server work fine. Also, named-xfers from within the firewall work fine.

How is that? I thought all such name/domain queries work off of port 53... so why does named-xfer fail but nslookup succeed?

The practical effect is that my name server seems to work fine as a name server EXCEPT it is not able to feed a secondary name server outside with its required info.

thx


----------



## DutchDaemon (Jul 7, 2009)

Transfers use tcp/53, lookups use udp/53 (and sometimes tcp/53 when the replies are too big). Open tcp/53, and tell BIND to restrict transfers to trusted IPs.


----------



## vivek (Jul 8, 2009)

DutchDaemon said:

> tell BIND to restrict transfers to trusted IPs.


A better solution is to tell BIND to restrict transfers to those who have transaction signature (TSIG) keys only. This makes spoofing very difficult.


----------
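Putting DutchDaemon's and vivek's advice together, here is an added example (not configuration from either poster or from the BIND project) of named.conf fragments for a primary that only hands out zone transfers to a TSIG-authenticated secondary, and for the matching secondary. The key name `transfer-key`, the secret, the zone `example.org`, the addresses 198.51.100.10 / 192.0.2.53 and the file paths are all placeholders.

```conf
// Added example, not from the original thread. Placeholders throughout:
// key name, secret, zone name, addresses and file paths must be replaced.

// ---- primary (the name server inside the firewall) ----

// Shared secret. Generate one with:  tsig-keygen -a hmac-sha256 transfer-key
// Keep this file readable only by the user named runs as.
key "transfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET==";
};

options {
    // Refuse AXFR/IXFR for every zone unless the zone opts in below.
    allow-transfer { none; };
};

zone "example.org" {
    type primary;   // "master" on older BIND releases
    file "/usr/local/etc/namedb/primary/example.org.db";
    // Only transfer requests signed with transfer-key are served;
    // an unsigned AXFR, from any address, is answered with REFUSED.
    allow-transfer { key "transfer-key"; };
    also-notify { 192.0.2.53; };   // placeholder: the secondary's address
};

// ---- secondary (the name server outside the firewall) ----

key "transfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET==";   // identical to the primary's
};

// Sign every request this server sends to the primary with transfer-key,
// so its AXFR/IXFR requests pass the primary's allow-transfer check.
server 198.51.100.10 {          // placeholder: the primary's address
    keys { "transfer-key"; };
};

zone "example.org" {
    type secondary;   // "slave" on older BIND releases
    file "/usr/local/etc/namedb/secondary/example.org.db";
    primaries { 198.51.100.10; };   // "masters" on older BIND releases
};
```

Two checks after loading this: `named-checkconf` on both hosts, then from the secondary `dig @198.51.100.10 example.org AXFR -y hmac-sha256:transfer-key:<secret>` should return the zone while the same command without `-y` should return REFUSED. TSIG authenticates the transfer but does not replace the firewall rule: tcp/53 from the secondary's address to the primary still has to be allowed, which is exactly what the original poster's firewall is blocking. One caveat on tightening further: writing `allow-transfer { 192.0.2.53; key "transfer-key"; };` matches either element, so it weakens the rule rather than requiring both; demanding address and key together needs BIND's nested negated ACL form, `allow-transfer { !{ !192.0.2.53; any; }; key "transfer-key"; };`.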



## monkeyboy (Jul 8, 2009)

thx guys...


----------

