What's the output of:
netstat -an | grep 53
Oops - sorry - forgot MS :)
netstat -an
Something is blocking 53 somewhere to that server - On the Windows server - is there a level of security set that limits access to a certain group of servers? Similiar to allow_update in BIND?
From windowssecurity.com:
Knowing how to control zone transfers is tremendously significant while securing DNS servers in a Windows environment. Windows 2000 allows for the alteration of the access lists available for each individual zone controls and zone transfer. Zone transfers are responsible for the movement of all the records for a particular zone from a respective server to the other and it is particularly to note that the forward lookup zone should not be transferred to a DNS server that contains Windows 2000 domain information to any server outside the Windows 2000 domain. This can be done in the Zone transfer tab of the properties of the specific domain name in the DNS MMC.
If you like you can specify a list of IP address to witch you can allow zone transfers to. This option allows for granular control of zone transfers through a list of IP addresses and only IP addresses that are reflected on the list will be authorized candidates for possible zone transfers. This option increases DNS zone transfer security significantly and it is recommended practice that this option is used where possible as it reduces the chance of an unauthorized zone transfer. This option is activate in the Zone Transfer tab of the properties of the domain name in the DNS MMC. If you would like to enable the no zone transfer mode it is advisable if you are sure that your zones will not b transferred. This setting is extremely secure and does not pose a treat as there is no opportunity for the possibility of an impersonation or spoof of a clone zone transfer sever. This strategy is recommended for organizations like banks and military operations where a zone transfer can have catastrophic consequences.
When setting up your Router and Firewall Settings you can ensure that only specific IP addresses can query your DNS servers like your ISP DNS servers or a branch office that is connected via the internet. DNS traffic is transmitted on UDP and TCP port 53. This requires the firewall and router to have these ports open allowing clients and other servers to make use of DNS.
All client queries are transmitted on UDP port 53 and TCP port 53 is used for zone transfers. Traditionally zone transfers outside of the protected Network so TCP port 53 should be avoided. Zone transfer port namely TCP port 53 should be blocked at the Internal, External, Firewall, and DMZ routers. If the DNS is configured to allow reverse lookup zone transfers between the Internal and External DNS servers the Internal Router, Firewall, and DMZ router should allow connections on TCP port 53 between the Internal and External DNS only.
Securing the location of zone information that a DNS server uses is vital when ensuring organizations wellbeing on the internet it is recommended that the DNS server be converted to active directory integrated zone the advantages of this zone type offers are great and include the zone information being stored, replicated, and secured in the Active Directory.
If this feature is used an ├в Only secure updates├в option is enabled for Dynamic Updates.
This option is recommended when allowing dynamic updates, which is a necessary feature for a Windows 2000 domain. Ensure that only the system and administrators have full control of the %SystemDirectory%\DNS directory and subfolders and that the all DNS servers have the registry secured. Secure the DNS servers registry by ensuring that HKEY_LOCAL_MACHINE\System\ CurrentControlSet\Services\DNS is assigned to administrators and system to have full control.
Rgds..G
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
