Workstations should be in the highest security NIC & therefore should be
able to connect to the DNS servers on a DMZ with no doctoring.  In some
cases people use an alias to translate the internal IP of the DNS server to
the external for users inside the firewall trying to reach the DNS server.
If that is your case, try looking up alias commands.  Otherwise, it's all
enabled outbound unless access-list commands are enabled from inside -> DMZ.
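
To make concrete what "doctoring" means here, the following is an added example (not code from the original post or from Cisco): a small Python simulation of the rewrite the PIX `alias` command performs. When an inside host gets a DNS reply whose A record carries the server's public address, the firewall swaps in the server's real DMZ address so the client connects to it directly instead of trying to reach the outside address through the firewall. The addresses (203.0.113.10 public, 192.168.2.10 on the DMZ), the hostname and the packet built by `build_response` are all constructed for the example.

```python
"""Simulate PIX-style DNS doctoring: rewrite A records in a DNS reply.

Added example, not from the original post. Mirrors what the PIX 'alias'
command does for inside hosts: any A record answering with the public
(translated) address of a DMZ server is rewritten to the server's real
DMZ address before the reply is forwarded to the client.
"""
import socket
import struct

# Constructed mapping for the example: public address as seen in DNS
# replies -> real DMZ address (both are documentation ranges).
DOCTOR_MAP = {
    "203.0.113.10": "192.168.2.10",
}

QTYPE_A = 1
QCLASS_IN = 1


def _encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def build_response(qname: str, ips, ttl: int = 300, txid: int = 0x1234) -> bytes:
    """Constructed sample DNS reply with one IN A record per address."""
    flags = 0x8180                      # QR=1, RD=1, RA=1, rcode=0
    hdr = struct.pack("!HHHHHH", txid, flags, 1, len(ips), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    answers = b""
    for ip in ips:
        answers += (b"\xc0\x0c"         # name: pointer to the question name at offset 12
                    + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
                    + socket.inet_aton(ip))
    return hdr + question + answers


def _a_record_offsets(pkt: bytes):
    """Yield the rdata offset of every IN A record in the reply."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", pkt, 4)
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4  # skip qtype + qclass
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            yield off
        off += rdlen


def answer_ips(pkt: bytes):
    """List the A-record addresses a reply carries (in packet order)."""
    return [socket.inet_ntoa(pkt[o:o + 4]) for o in _a_record_offsets(pkt)]


def doctor_response(pkt: bytes, mapping=DOCTOR_MAP) -> bytes:
    """Rewrite mapped A-record addresses; queries and other records are untouched."""
    flags = struct.unpack_from("!H", pkt, 2)[0]
    if not flags & 0x8000:              # QR bit clear: this is a query, leave it alone
        return pkt
    buf = bytearray(pkt)
    for off in _a_record_offsets(pkt):
        ip = socket.inet_ntoa(pkt[off:off + 4])
        if ip in mapping:
            buf[off:off + 4] = socket.inet_aton(mapping[ip])
    return bytes(buf)


if __name__ == "__main__":
    reply = build_response("www.example.com", ["203.0.113.10", "198.51.100.5"])
    print("before:", answer_ips(reply))
    print("after: ", answer_ips(doctor_response(reply)))
```

Only the four rdata bytes change; TTL, transaction ID and packet length are preserved, which is what lets the client accept the doctored reply as the answer to its own query. Addresses not in the mapping pass through unchanged.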


----- Original Message -----
From: "Godswill HO" 
To: 
Sent: Saturday, January 26, 2002 9:43 PM
Subject: Re: PIX % DNS Doctoring [7:33331]


> Hi,
>
> It really depends on what you want to do or implement for the DNS. The DNS
> guard on PIX is enabled by default and it cannot be disabled nor configured.
> It helps to prevent against DoS attacks by tearing down the UDP conduit on
> the PIX firewall as soon as the DNS response is received, not waiting until
> the default UDP timer has expired, which is 2 minutes (almost an eternity
> in the computer world).
>
> The other doctoring you can do on DNS is on CBAC (Context Based Access
> Control). Here you can alter the default DNS timeout which is 5 seconds by
> using:
>
> #ip inspect dns-timeout <seconds>
>
> It simply specifies the length of time a DNS name lookup session will
> still be managed after no activity.
>
> In case you need further help, feel free to ask specific questions.
>
> Regards.
> Oletu
>
> ----- Original Message -----
> From: Dante Martins
> To:
> Sent: Saturday, January 26, 2002 4:58 PM
> Subject: PIX % DNS Doctoring [7:33331]
>
>
> > Does anybody know how to do DNS doctoring on PIX?
> > I have the DNS on DMZ with static and the clients workstations are on
> > inside interface.
> > Dante
> >
> >
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=33347&t=33331
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
