jasonboche (Member), Jun 09, 2006 at 9:07 pm, #113497
I’ve noticed for quite a while that my AD DC DNS servers refuse nslookup queries against AD integrated zones. “Query refused”. I had assumed all along that this was a security mechanism. Fine.
BTW, the query I’m using in nslookup command-line mode is ls -d contoso.com, which means “List all records in the contoso.com zone”.
I performed a little more exploring recently. On my AD DC DNS server, I created a primary zone as a test. I fully expected to be able to pull nslookup queries from this zone. To my surprise, I still got the “Query refused” message.
Next I went to a non-AD DC Windows 2003 server running DNS. This DNS server already had a few primary and secondary zones on it. Running nslookup from the console of this server against a primary zone in its local DNS database produced a slightly different error, something to the effect that the zone transfer failed and that I should check the zone transfer settings for the zone.
So then I checked the zone transfers configuration. No zone transfers allowed. I enabled zone transfers and I was then able to perform nslookup queries.
So then I go back to my original AD DC DNS server and configure one of the AD integrated zones to allow zone transfers to my machine. From my machine, I can now query DNS records in the AD integrated zone using nslookup.
So the question is, does performing queries using nslookup constitute a zone transfer (of queried records) from the DNS server’s perspective to the machine performing the nslookup? It would appear so.
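The question in the post can be answered by looking at what `ls -d` actually puts on the wire. What follows is an added example, not part of the original post: it builds the same request that nslookup's `ls -d` sends (a DNS query of type AXFR, carried over TCP) and reads the server's verdict from the reply header. The replies are constructed in-line to stand in for a Windows DNS server with zone transfers disabled and enabled; the zone name, server names and SOA serial are made up. `request_transfer` performs the identical exchange against a live server you administer.

```python
"""Constructed example: the AXFR request behind `nslookup ls -d zone`, and how
to read the server's answer ("Query refused" is RCODE 5, REFUSED)."""
import socket
import struct

QTYPE_AXFR = 252
QTYPE_SOA = 6
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """Dotted name -> DNS wire-format labels (uncompressed)."""
    out = b"".join(struct.pack("!B", len(label)) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def skip_name(msg, off):
    """Return the offset just past a wire-format name at `off`; a two-byte
    compression pointer (top bits 11) terminates the name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def build_axfr_query(zone, qid=0x1234):
    """TCP-framed AXFR query: 2-byte length prefix, 12-byte header, one question."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    question = encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    msg = header + question
    return struct.pack("!H", len(msg)) + msg


def classify_response(framed):
    """Parse the header (and the type of the first answer) of a TCP-framed reply.
    A granted transfer is NOERROR and opens with the zone's SOA record."""
    (length,) = struct.unpack("!H", framed[:2])
    msg = framed[2:2 + length]
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    first_type = None
    if an:
        off = 12
        for _ in range(qd):                 # step over the echoed question(s)
            off = skip_name(msg, off) + 4   # name + QTYPE + QCLASS
        off = skip_name(msg, off)           # first answer's owner name
        (first_type,) = struct.unpack("!H", msg[off:off + 2])
    return {
        "id": qid,
        "rcode": RCODE_NAMES.get(rcode, str(rcode)),
        "answers": an,
        "transfer_allowed": rcode == 0 and first_type == QTYPE_SOA,
    }


def simulate_server(framed_query, allow_transfer):
    """Constructed replies standing in for the DNS server: REFUSED when zone
    transfers are not allowed for the requester, otherwise a reply whose first
    record is the zone SOA (the start of a real AXFR stream)."""
    msg = framed_query[2:]
    qid, question = msg[:2], msg[12:]
    if not allow_transfer:
        header = qid + struct.pack("!HHHHH", 0x8005, 1, 0, 0, 0)   # QR=1, RCODE=5
        body = header + question
    else:
        header = qid + struct.pack("!HHHHH", 0x8400, 1, 1, 0, 0)   # QR=1, AA=1
        soa_rdata = (encode_name("dc1.contoso.com")
                     + encode_name("hostmaster.contoso.com")
                     + struct.pack("!IIIII", 2006060901, 900, 600, 86400, 3600))
        answer = (b"\xC0\x0C"                                     # pointer to qname
                  + struct.pack("!HHIH", QTYPE_SOA, QCLASS_IN, 3600, len(soa_rdata))
                  + soa_rdata)
        body = header + question + answer
    return struct.pack("!H", len(body)) + body


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        buf += chunk
    return buf


def request_transfer(server, zone, timeout=5.0):
    """Send the real AXFR over TCP/53 and classify the first reply message."""
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(build_axfr_query(zone))
        hdr = _recv_exact(sock, 2)
        (length,) = struct.unpack("!H", hdr)
        return classify_response(hdr + _recv_exact(sock, length))


if __name__ == "__main__":
    q = build_axfr_query("contoso.com")
    print("transfers disabled:", classify_response(simulate_server(q, False)))
    print("transfers allowed: ", classify_response(simulate_server(q, True)))
```

The REFUSED reply is what nslookup reports as “Query refused”, and it is returned before any record is sent: the server evaluates the request under the zone's transfer policy exactly as it would for a secondary asking for AXFR. That is why enabling transfers for the querying machine, and nothing else, changes the outcome, and why a REFUSED result is the expected and desirable state for a zone whose transfer list does not include that client.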