DNS Behind the firewall [7:53016]
My Company's DNS server resides on our External LAN (our Public LAN). Yesterday we moved it to our Private LAN (behind our PIX 515), NATed its Public IP address to its new Private IP address in the firewall and opened port 53. After all that move and those settings we were able to resolve domain names from the Private LAN but not from the Public LAN or the Internet. Please let me know if someone has any idea why...?

Curious
MCSE, CCNP

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=53016t=53016
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: DNS Behind the firewall [7:53016]
Put the forward address in the DNS table.

-----Original Message-----
From: Curious
Date: 2002/09/10 Tue PM 03:05:40 EDT
To: [EMAIL PROTECTED]
Subject: DNS Behind the firewall [7:53016]

Greg Owens
202-398-2552

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=53021t=53016
RE: DNS Behind the firewall [7:53016]
Be sure you have the permit statement for DNS (53) applied to the outside interface via access-list. Unless you put the DNS server in a DMZ, you shouldn't really need access-lists applied to the inside interface, IMO.

Whether or not you have a web server that is also running on the same machine as DNS, or a mail server, you will need to make sure you put a public-address A record for said server in your DNS zone, along with however you choose to resolve the WWW/SMTP/POP3 server on the inside, or implement the alias command on the PIX to have the PIX auto-magically modify inside DNS requests to the public-addressed host so that you resolve to its private address. Caveat to the alias command though is that with it in place, you can only use the PIX PDM in Monitor mode; PDM doesn't support alias statements... You'd think Cisco would change that in the next update to the PDM. HINT HINT Cisco!!?!? :)

Hope that helps.

Mark

-----Original Message-----
From: Curious [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 10, 2002 2:06 PM
To: [EMAIL PROTECTED]
Subject: DNS Behind the firewall [7:53016]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=53023t=53016
Re: DNS Behind the firewall [7:53016]
I am permitting UDP / TCP port 53 in my access list on the Outside interface. Clients from the internal LAN are able to resolve names, but Internet clients or clients on the external or public LAN cannot resolve DNS names. One thing I also noticed: the hit counter for the access-list entry for the DNS server was 0, although there was a correct entry in the translation table and there was no typing mistake in the access-list.

--
Curious
MCSE, CCNP

Mark W. Odette II wrote in message news:[EMAIL PROTECTED]...

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=53026t=53016
RE: DNS Behind the firewall [7:53016]
Does your access-list look like this:

    access-list 100 permit udp any host a.b.c.d eq domain

where a.b.c.d is the EXTERNAL address? That is what I see wrong most often.

Thanks
Larry

-----Original Message-----
From: Curious [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 10, 2002 3:41 PM
To: [EMAIL PROTECTED]
Subject: Re: DNS Behind the firewall [7:53016]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=53032t=53016
Re: DNS Behind the firewall [7:53016]
Oh yes!

--
Curious
MCSE, CCNP

Roberts, Larry wrote in message news:[EMAIL PROTECTED]...

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=53033t=53016
Re: DNS Behind the firewall [7:53016]
I am amazed at some of the responses that people posted here (not the person who posted the original question).

1) If you are running the DNS server on Microsoft Winblows, sorry, I can't help you.

2) If you are running it on a Unix/Linux platform, be sure to look at the /etc/named.conf configuration file. Make sure you change the IP address in this file to reflect the new Private VLAN IP. For example:

    options {
        directory "/var/named";
        listen-on port 53 { 172.17.1.254; };
    };

I assume that you NATed this 172.17.1.254 to a public IP address and allow both TCP and UDP port 53 access to this machine (TCP for zone transfer and UDP for DNS query). Restart your named daemon. If you use Linux like I am, do "service named restart" and bind will restart. Look for errors in the /var/log/messages file to check if there are errors with named. I have the same exact configuration that you have and it works just fine. If you run DNS on Linux, send me your named.conf configuration and I can help you.

Curious wrote:

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=53035t=53016
RE: DNS Behind the firewall [7:53016]
So am I: if the access-list is not taking any hits, the problem is not with the DNS server.

Thanks
Larry

-----Original Message-----
From: mike greenberg [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 10, 2002 4:52 PM
To: [EMAIL PROTECTED]
Subject: Re: DNS Behind the firewall [7:53016]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=53040t=53016
RE: DNS Behind the firewall [7:53016]
As am I! As Larry said, if the access-list is not taking any hits, the DNS server is fine; the public-address clients should be checked (maybe clear their ARP cache or reboot them after verifying their DNS client configuration).

My reply was based upon the fact that the OP alluded to Internet/public-address hosts trying to resolve hosts at his domain-dot-whatever. This is the reason for my expounding on DNS configuration for a single DNS box serving both inside and outside hosts.

For public-address/Internet clients that need to resolve Internet hosts... just configure their workstation to point to a valid DNS resolver host. In this case, the OP should point his Internet clients/public-address clients to the PUBLIC IP of his DNS server or to a DNS server on the public Internet.

Winblows and wanna-be Winblows (ahem, Linux) work the same way for DNS... and why would you want to allow TCP 53 if you host your own DNS? That usually is interpreted as a security risk, unless you specify what hosts are allowed to have copies of your zone.

-Mark

-----Original Message-----
From: Roberts, Larry [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 10, 2002 5:29 PM
To: [EMAIL PROTECTED]
Subject: RE: DNS Behind the firewall [7:53016]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=53050t=53016