DNS Behind the firewall [7:53016]

2002-09-10 Thread Curious

My company's DNS server resided on our external LAN (our public LAN).
Yesterday we moved it to our private LAN (behind our PIX 515), NATed its
public IP address to its new private IP address in the firewall, and opened
port 53.
After all that moving and configuring we were able to resolve domain names from
the private LAN but not from the public LAN or the Internet.
Please let me know if someone has any idea why.



Curious

MCSE, CCNP




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=53016&t=53016
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: DNS Behind the firewall [7:53016]

2002-09-10 Thread Greg Owens

Put the forward address in the DNS table.
Greg Owens
202-398-2552




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=53021&t=53016



RE: DNS Behind the firewall [7:53016]

2002-09-10 Thread Mark W. Odette II

Be sure you have the permit statement for DNS (53) applied to the outside
interface via access-list. Unless you put the DNS server in a DMZ, you
shouldn't really need access-lists applied to the inside interface, IMO.

Whether you have a web server that is also running on the same machine
as DNS, or a mail server, you will need to make sure you put a
public-address A record for said server in your DNS zone, along with
however you choose to resolve the WWW/SMTP/POP3 server on the inside, or
implement the alias command on the PIX to have the PIX auto-magically
modify inside DNS requests to the public-addressed host so that you
resolve to its private address.

Caveat to the alias command, though, is that with it in place you can
only use the PIX PDM in monitor mode; PDM doesn't support alias
statements... You'd think Cisco would change that in the next update to
the PDM. HINT HINT Cisco!!?!? :)


Hope that helps.

Mark





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=53023&t=53016



Re: DNS Behind the firewall [7:53016]

2002-09-10 Thread Curious

I am permitting UDP/TCP port 53 in my access list on the outside interface.
Clients from the internal LAN are able to resolve names, but Internet clients
or clients on the external/public LAN cannot resolve DNS names. One thing I
also noticed: the hit counter for the access-list entry for the DNS server was 0,
although there was a correct entry in the translation table and there was no
typing mistake in the access list.


--
Curious

MCSE, CCNP




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=53026&t=53016



RE: DNS Behind the firewall [7:53016]

2002-09-10 Thread Roberts, Larry

Does your access-list look like this:

access-list 100 permit udp any host a.b.c.d eq domain

Where a.b.c.d is the EXTERNAL address ? That is what I see wrong most often.

Thanks

Larry
 





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=53032&t=53016
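Larry's point about the EXTERNAL address, worked through as an added example (this is not code from the thread or from Cisco): a small Python model of how a PIX 6.x evaluates an outside access-list before the static translation rewrites the destination. An entry written against the inside address never matches, so its hit counter stays at 0 while the translation table looks correct, which is exactly the symptom Curious reported. The addresses are assumptions: 203.0.113.53 stands for the public (global) address of the static, 172.17.1.254 for the inside address of the DNS server.

```python
"""Model of PIX 6.x inbound access-list evaluation against a static NAT.

Added example, not code from the thread or from Cisco. On a PIX the outside
access-list is checked against the destination as it appears on the wire,
i.e. the global (public) address of the static, and only then is the packet
untranslated to the inside address. Addresses below are assumed values.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Named services the PIX accepts in place of a port number ("eq domain" == 53).
SERVICE_PORTS = {"domain": 53, "www": 80, "smtp": 25, "pop3": 110}


@dataclass
class Static:
    """static (inside,outside) <global_ip> <local_ip> netmask 255.255.255.255"""
    global_ip: str
    local_ip: str


@dataclass
class ACE:
    action: str            # "permit" or "deny"
    proto: str             # "udp", "tcp" or "ip"
    dst: str               # "any" or a host address
    port: Optional[int]    # None matches any destination port
    hits: int = 0          # what "show access-list" reports as hitcnt

    def matches(self, proto: str, dst_ip: str, dst_port: int) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dst != "any" and self.dst != dst_ip:
            return False
        return self.port is None or self.port == dst_port


def parse_ace(line: str) -> ACE:
    """Parse the syntax used in the thread:
    access-list 100 permit udp any host a.b.c.d eq domain
    Only an 'any' source is modelled; the destination side is what matters here."""
    tok = line.split()
    if tok[:1] != ["access-list"] or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list entry: {line!r}")
    action, proto, i = tok[2], tok[3], 4
    if tok[i] != "any":
        raise ValueError("only an 'any' source is supported in this model")
    i += 1
    if tok[i] == "any":
        dst, i = "any", i + 1
    elif tok[i] == "host":
        dst, i = tok[i + 1], i + 2
    else:
        raise ValueError("destination must be 'any' or 'host a.b.c.d'")
    port = None
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        port = int(p) if p.isdigit() else SERVICE_PORTS[p]
    return ACE(action, proto, dst, port)


def inbound(statics: list[Static], acl: list[ACE],
            proto: str, dst_ip: str, dst_port: int) -> Optional[str]:
    """Return the inside address the packet is delivered to, or None if dropped.
    Order matches PIX 6.x for outside->inside traffic: the ACL sees the
    untranslated (global) destination, then the static rewrites it."""
    for ace in acl:
        if ace.matches(proto, dst_ip, dst_port):
            ace.hits += 1
            if ace.action == "deny":
                return None
            for s in statics:
                if s.global_ip == dst_ip:
                    return s.local_ip
            return None      # permitted but no xlate exists: dropped anyway
    return None              # implicit deny at the end of the list


PUBLIC_DNS = "203.0.113.53"    # assumed global address of the static
PRIVATE_DNS = "172.17.1.254"   # assumed inside address of the DNS server


def run_scenario(acl_address: str) -> dict:
    """Send one UDP and one TCP query from the Internet to the public address
    with the outside ACL written against acl_address; report hits and delivery."""
    statics = [Static(PUBLIC_DNS, PRIVATE_DNS)]
    acl = [parse_ace(f"access-list 100 permit udp any host {acl_address} eq domain"),
           parse_ace(f"access-list 100 permit tcp any host {acl_address} eq domain")]
    delivered = [inbound(statics, acl, p, PUBLIC_DNS, 53) for p in ("udp", "tcp")]
    return {"hits": [a.hits for a in acl], "delivered": delivered}


if __name__ == "__main__":
    print("ACL on inside address:", run_scenario(PRIVATE_DNS))   # hits stay at 0
    print("ACL on public address:", run_scenario(PUBLIC_DNS))    # one hit each
```

The zero hit count is the tell: the translation entry can be perfect and the ACL free of typos, yet if the ACE names the inside address nothing on the outside interface can ever match it. Note that this is PIX 6.x / pre-8.3 behaviour; on ASA 8.3 and later access-lists are written against the real (inside) address instead.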



Re: DNS Behind the firewall [7:53016]

2002-09-10 Thread Curious

Oh yes!

--
Curious

MCSE, CCNP




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=53033&t=53016



Re: DNS Behind the firewall [7:53016]

2002-09-10 Thread mike greenberg

I am amazed at some of the responses that people posted here (not the person
who posted the original question).
1) If you are running the DNS server on Microsoft Winblows, sorry, I can't help
you.
2) If you are running it on a Unix/Linux platform, be sure to look at the
/etc/named.conf configuration file. Make sure you change the IP address in this
file to reflect the new private VLAN IP. For example:

   options {
       directory "/var/named";
       listen-on port 53 { 172.17.1.254; };
   };

   I assume that you NATed this 172.17.1.254 to a public IP address and allow
   both TCP and UDP port 53 access to this machine (TCP for zone transfer and
   UDP for DNS query).
   Restart your named daemon. If you use Linux like I am, do "service named
   restart" and BIND will restart. Look in the /var/log/messages file to check
   if there are errors with named.
   I have the exact same configuration that you have and it works just fine.
   If you run DNS on Linux, send me your named.conf configuration and I can
   help you.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=53035&t=53016



RE: DNS Behind the firewall [7:53016]

2002-09-10 Thread Roberts, Larry

So am I:

If the access-list is not taking any hits, the problem is not with the DNS
server.



Thanks

Larry
 





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=53040&t=53016



RE: DNS Behind the firewall [7:53016]

2002-09-10 Thread Mark W. Odette II

As am I!

As Larry said, if the access-list is not taking any hits, the DNS server
is fine; the public address clients should be checked (maybe clear their
ARP cache or reboot them after verifying their DNS client configuration).

My reply was based upon the fact that the OP alluded to Internet/public
address hosts trying to resolve hosts at his domain-dot-whatever. This
is the reason for my expounding on DNS configuration for a single DNS
box serving both inside and outside hosts. For public address/Internet
clients that need to resolve Internet hosts... just configure their
workstations to point to a valid DNS resolver host. In this case, the OP
should point his Internet clients/public address clients to the PUBLIC
IP of his DNS server or to a DNS server on the public Internet.

Winblows and wanna-be Winblows (ahem, Linux) work the same way for
DNS... and why would you want to allow TCP 53 if you host your own DNS?
That is usually interpreted as a security risk, unless you specify what
hosts are allowed to have copies of your zone.

-Mark





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=53050&t=53016
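Two points from the thread checked in one added example: mike greenberg's reminder to update the listen-on address in named.conf after the move, and Mark's remark that TCP 53 should only be open to the hosts allowed to have copies of the zone. This is not code from the thread, from ISC or from Cisco; it parses the options block of a named.conf and flags a listen-on that no longer includes the server's inside address and a missing or wide-open allow-transfer. Both configuration fragments are constructed for the example: 172.17.1.254 is the inside address from mike's post, 203.0.113.53 an assumed old public address and 192.0.2.10 an assumed secondary.

```python
"""Audit the options block of a BIND named.conf after a move behind NAT.

Added example, not code from the thread or from ISC. It checks that
listen-on names the server's new inside address and that zone transfers
over TCP 53 are limited with allow-transfer. BIND 8.x/9.x of the thread's
era default to allowing transfers to any host when allow-transfer is absent.
Addresses other than 172.17.1.254 are assumed; both configs are constructed.
"""
import re

# Matches address-list statements such as
#   listen-on port 53 { 172.17.1.254; };
#   allow-transfer { 192.0.2.10; };
_LIST_STMT = re.compile(
    r"(?P<name>[a-z][a-z-]*)\s*(?:port\s+\d+\s*)?\{(?P<body>[^}]*)\}\s*;")


def options_block(conf: str) -> str:
    """Return the text between the braces of options { ... }."""
    start = conf.find("options")
    if start < 0:
        raise ValueError("no options block in named.conf")
    open_brace = conf.index("{", start)
    depth = 0
    for i in range(open_brace, len(conf)):
        if conf[i] == "{":
            depth += 1
        elif conf[i] == "}":
            depth -= 1
            if depth == 0:
                return conf[open_brace + 1:i]
    raise ValueError("unterminated options block")


def parse_options(conf: str) -> dict:
    """{statement: [address-list entries]} for list-valued statements in options.
    Scalar statements such as directory "/var/named"; are not needed here."""
    result = {}
    for m in _LIST_STMT.finditer(options_block(conf)):
        entries = [e.strip() for e in m.group("body").split(";") if e.strip()]
        result[m.group("name")] = entries
    return result


def audit(conf: str, inside_ip: str) -> list:
    """Findings for a server whose public address is NATed to inside_ip."""
    findings = []
    opts = parse_options(conf)
    listen = opts.get("listen-on")
    # An absent listen-on means all interfaces, which includes the inside address.
    if listen is not None and inside_ip not in listen and "any" not in listen:
        findings.append(f"listen-on {listen} omits inside address {inside_ip}: "
                        "queries NATed from the public address are never answered")
    xfer = opts.get("allow-transfer")
    if xfer is None:
        findings.append("allow-transfer not set: default allows zone transfer "
                        "over TCP 53 to any host")
    elif "any" in xfer:
        findings.append("allow-transfer { any; }: zone transfer open to any host")
    return findings


# Constructed: the server as it stood before the move, listening on the old
# public address and with no transfer restriction.
BEFORE_MOVE = """
options {
    directory "/var/named";
    listen-on port 53 { 203.0.113.53; };
};
"""

# Constructed: updated for the inside address, transfers limited to one secondary.
AFTER_MOVE = """
options {
    directory "/var/named";
    listen-on port 53 { 172.17.1.254; };
    allow-query { any; };
    allow-transfer { 192.0.2.10; };
};
"""

if __name__ == "__main__":
    for label, conf in (("before move", BEFORE_MOVE), ("after move", AFTER_MOVE)):
        print(label + ":", audit(conf, "172.17.1.254") or ["ok"])
```

With allow-transfer restricted, the PIX access-list can still permit TCP 53 (large responses and transfers to the listed secondary need it) without exposing the whole zone to anyone who can reach the public address.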