CCIE Written: DNS and NAT [7:29461]
Does anybody have a good resource that explains how NAT on the firewall works with DNS?

Thanks
John Tafasi

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=29461&t=29461
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: CCIE Written: DNS and NAT [7:29461]
John-

Specifically, what is your question??? I've had to do a lot of DNS-related research these past few months (using Meta, Garner, White Papers, Berkeley, Microsoft, etc.), but I don't believe I have seen specific issues with NAT and DNS.

The firewalls must be configured to pass UDP port 53 and can enforce an access-list to only allow certain servers (say the ISP's primary and yours), TSIG (BIND), or to proxy. With a proxy (say Gauntlet or Symantec's Raptor line-up) the NAT or PAT portion plays no role. As the query moves, at no time should the DNS server being polled need to cache the resolver's information (does this make sense???). I guess what I am trying to say is that it does not matter if I am requesting from a global IP address or a private 10.0.0.0 address. If your lookup is recursive or iterative, the firewall has a state table, NAT statistics, or a PAT lookup (UNIX programs refer to it as IP Masquerading), mapping it back to the resolver (be it PC or file server) that initiated the lookup.

I believe I may not have answered your question. Let me know- I never was asked to deliver my DNS presentation and I'm still miffed I've been studying such a boring subject as of late :-)

Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Tafasi
Sent: Tuesday, December 18, 2001 3:37 AM
To: [EMAIL PROTECTED]
Subject: CCIE Written: DNS and NAT [7:29461]

Does anybody have a good resource that explains how NAT on the firewall works with DNS?

Thanks
John Tafasi

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=29478&t=29461
RE: CCIE Written: DNS and NAT [7:29461]
You said all that needed to be said... Basically, UDP port 53 needs to be allowed through (TCP for zone xfers), so if you have a static translation to a DNS server in a DMZ from the outside, your ACL would look similar to this (PIX):

    access-list outside permit udp any host 63.203.193.205 eq 53

with a static statement of:

    static (inside,outside) 63.203.193.205 10.70.48.50 netmask 255.255.255.255 0 0

For hosts on the inside interface (or a higher security interface) that need to access DNS on the Internet, a nat and global statement are needed (perhaps with an overload switch), in which case the state of the connection would be kept up within the firewall and will look similar to this:

    PAT Global 63.203.193.205(59378) Local 10.11.51.90(1058)

-Patrick

>>> "Phil" 12/18/01 11:12AM >>>

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=29484&t=29461
RE: CCIE Written: DNS and NAT [7:29461]
John,

Here's a link to a doc that talks about how NAT translates DNS replies:
http://www.cisco.com/warp/public/cc/pd/iosw/ioft/ionetn/tech/emios_wp.htm

HTH,
Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Tafasi
Sent: Tuesday, December 18, 2001 3:37 AM
To: [EMAIL PROTECTED]
Subject: CCIE Written: DNS and NAT [7:29461]

Does anybody have a good resource that explains how NAT on the firewall works with DNS?

Thanks
John Tafasi

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=29486&t=29461
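Added example, not code from the thread or from Cisco: a toy Python model of the three behaviours discussed above, namely Patrick's static for the DMZ DNS server with an inbound UDP/53 permit, the PAT state Phil describes that maps a reply back to the resolver that sent the query, and the DNS reply payload translation that Kent's link covers (A records carrying a local address are rewritten to the global on the way out). The PAT address 63.203.193.206 and the outside hosts 198.51.100.53 and 203.0.113.7 are constructed; the other addresses and the port 59378 come from Patrick's post.

```python
from dataclasses import dataclass, replace
from itertools import count

@dataclass(frozen=True)
class Packet:
    proto: str; src: str; sport: int; dst: str; dport: int
    answers: tuple = ()   # A-record addresses carried in a DNS reply payload

class NatFirewall:
    def __init__(self, pat_global, statics, inbound_acl, first_port=59378):
        self.pat_global = pat_global        # shared global address for inside hosts (nat/global overload)
        self.statics = dict(statics)        # local -> global, like: static (inside,outside) 63.203.193.205 10.70.48.50
        self.inbound_acl = set(inbound_acl) # (proto, global dst, dport) permitted on the outside interface
        self.pat_table = {}                 # (proto, global port) -> (local ip, local port)
        self.ports = count(first_port)      # next free PAT port; 59378 matches the thread's sample output

    def outbound(self, pkt):
        """Higher -> lower security interface: statics keep their mapping, everything else is PATed."""
        if pkt.src in self.statics:
            out = replace(pkt, src=self.statics[pkt.src])
        else:
            gport = next(self.ports)
            self.pat_table[(pkt.proto, gport)] = (pkt.src, pkt.sport)
            out = replace(pkt, src=self.pat_global, sport=gport)
        if pkt.sport == 53 and pkt.answers:  # DNS reply payload: local A records rewritten to their globals
            out = replace(out, answers=tuple(self.statics.get(a, a) for a in pkt.answers))
        return out

    def inbound(self, pkt):
        """Lower -> higher security interface: only matching PAT state or an ACL-permitted static passes."""
        key = (pkt.proto, pkt.dport)
        if pkt.dst == self.pat_global and key in self.pat_table:
            local_ip, local_port = self.pat_table.pop(key)  # reply mapped back to the resolver; state torn down
            return replace(pkt, dst=local_ip, dport=local_port)
        if (pkt.proto, pkt.dst, pkt.dport) in self.inbound_acl:
            local = next((loc for loc, glob in self.statics.items() if glob == pkt.dst), None)
            if local is not None:
                return replace(pkt, dst=local)
        return None  # no state and no permit: dropped

def demo():
    fw = NatFirewall("63.203.193.206", {"10.70.48.50": "63.203.193.205"}, {("udp", "63.203.193.205", 53)})
    # inside resolver -> Internet DNS server; the reply is matched back through the PAT table
    q = fw.outbound(Packet("udp", "10.11.51.90", 1058, "198.51.100.53", 53))
    r = fw.inbound(Packet("udp", "198.51.100.53", 53, q.src, q.sport))
    # outside client -> DMZ server through the static; the reply's A record is translated on the way out
    ext = fw.inbound(Packet("udp", "203.0.113.7", 40000, "63.203.193.205", 53))
    ans = fw.outbound(Packet("udp", "10.70.48.50", 53, "203.0.113.7", 40000, answers=("10.70.48.50",)))
    stray = fw.inbound(Packet("udp", "203.0.113.7", 40001, "63.203.193.206", 53))  # no state: dropped
    return q, r, ext, ans, stray
```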
Re: CCIE Written: DNS and NAT [7:29461]
Why.. It is not on the test..

"John Tafasi" wrote in message news:[EMAIL PROTECTED]...
> Does anybody have a good resource that explains how NAT on the firewall works
> with DNS?
>
> Thanks
>
> John Tafasi

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=29610&t=29461
Re: CCIE Written: DNS and NAT [7:29461]
Thanks Phil and everybody for your efforts to answer my questions. To be more specific, I have included the scenario that caused me to start this thread. Visit the link below and view the graphic and the solution to the scenario. Click here and wait until the Word document loads.

I will post more DNS-NAT scenarios later for discussion. So please stay tuned.

Thanks
John Tafasi

"Phil" wrote in message news:[EMAIL PROTECTED]...

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=29631&t=29461
Re: CCIE Written: DNS and NAT [7:29461]
Thanks Phil and everybody for your efforts to answer my questions. To be more specific, I have included the scenario that caused me to start this thread. Visit the link below and view the graphic and the solution to the scenario. (Watch the wrap around the link.)

http://us.f1.yahoofs.com/users/2362c12b/bc/Questions/NAT-DNS1.doc?bcGtOc8AMRWqvCn2

I will post more DNS-NAT scenarios later for discussion. So please stay tuned.

Thanks
John Tafasi

"Phil" wrote in message news:[EMAIL PROTECTED]...

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=29632&t=29461
Re: CCIE Written: DNS and NAT [7:29461]
>Why.. It is not on the test..

The test is not the world, the Day After. Wasn't that a James Bond movie?

>"John Tafasi" wrote in message news:[EMAIL PROTECTED]...
>> Does anybody have a good resource that explains how NAT on the firewall
>> works with DNS?
>>
>> Thanks
>>
>> John Tafasi

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=29634&t=29461