Solved

PIX and DNS Zone Xfer

Posted on 2004-04-21
6
262 Views
Last Modified: 2009-12-16
I am having trouble getting DNS Zone Xfer to pass through the Pix.  I have a primary DNS on the inside and a secondary DNS on the outside.  I want the secondary DNS to pull a new zone file (when necessary) through the pix.  Not working for me.  I have provided the relevant PIX configs:

access-list 101 remark --ALLOW DNS AND ZONE XFER--
access-list 101 permit tcp host 32.A.B.C host 32.A.B.D eq domain
access-list 101 permit udp host 32.A.B.C host 32.A.B.D eq domain

global (outside) 1 32.A.B.E
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 32.A.B.D <INTERNAL IP> netmask 255.255.255.255 0 0

The DNS is the first entry in the access-list.  There are other entries, but not pertaining to DNS.  If this is a little confusing, I need to allow an outside (untrusted) IP to request DNS from an inside (trusted) IP.  Secondly, the only communication allowed between the two DNS servers is DNS.
The PIX version is 6.3(1).

Any help?

Jeffrey
0
Comment
Question by:jwi71
6 Comments
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 10879677
I had the same problem a long time ago and as I recall I copied the zonefile the first time manually to the secondary. Don't ask me why, but after that it worked with the same configuration as you have mentioned here.
0
 
LVL 23

Accepted Solution

by:
Tim Holman earned 63 total points
ID: 10883472
If you want to PULL from the secondary, you need an ACL applied to the outside interface:

source secondary DNS server, destination primary DNS server, TCP port 53.

Don't worry about UDP 53, this isn't used for zone transfers...

From what I can see you've allowed DNS out, but not back in again to the static translation ?
0
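A way to sanity-check the rule the accepted answer describes, as an added example that is not part of this thread: a small Python simulator of the PIX 6.x ACL lines used here, which evaluates whether the TCP/53 connection from the outside secondary to the primary's static address is actually permitted inbound on the outside interface. The addresses and the `access-group` line are constructed assumptions, not the poster's configuration.

```python
# Added example (not from the thread): emulate first-match evaluation of a
# PIX 6.x access-list for the one flow a zone transfer needs, TCP/53 from the
# outside secondary to the primary's static (outside) address.
import re

ACL_LINE = re.compile(
    r"access-list (?P<name>\S+) (?P<action>permit|deny) (?P<proto>tcp|udp|ip) "
    r"host (?P<src>\S+) host (?P<dst>\S+)(?: eq (?P<port>\S+))?$"
)
GROUP_LINE = re.compile(r"access-group (?P<name>\S+) in interface (?P<iface>\S+)$")
PORT_NAMES = {"domain": 53}  # only the port name that appears on this page

def parse_config(text):
    """Return (ACL entries keyed by name, access-group bindings keyed by interface)."""
    acls, bindings = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if m := ACL_LINE.match(line):
            port = m["port"]
            if port:
                port = PORT_NAMES.get(port) or int(port)
            entry = dict(m.groupdict(), port=port)
            acls.setdefault(m["name"], []).append(entry)
        elif m := GROUP_LINE.match(line):
            bindings[m["iface"]] = m["name"]
    return acls, bindings

def flow_permitted(acls, bindings, iface, proto, src, dst, dport):
    """First matching entry decides. With no access-group on the interface the
    PIX default applies: inbound from a lower-security interface is denied."""
    name = bindings.get(iface)
    if name is None:
        return False
    for e in acls.get(name, []):
        if e["proto"] not in (proto, "ip") or e["src"] != src or e["dst"] != dst:
            continue
        if e["port"] is not None and e["port"] != dport:
            continue
        return e["action"] == "permit"
    return False  # implicit deny at the end of every ACL

SECONDARY, PRIMARY_STATIC = "203.0.113.10", "198.51.100.53"  # constructed addresses

# The ACL as posted: defined, but no access-group applies it to any interface.
POSTED = f"""
access-list 101 permit tcp host {SECONDARY} host {PRIMARY_STATIC} eq domain
access-list 101 permit udp host {SECONDARY} host {PRIMARY_STATIC} eq domain
"""
# The same ACL bound inbound on the outside interface, as the accepted answer requires.
FIXED = POSTED + "access-group 101 in interface outside\n"

def axfr_allowed(config):
    """True if the zone-transfer flow (TCP/53, secondary -> primary static) is permitted."""
    acls, bindings = parse_config(config)
    return flow_permitted(acls, bindings, "outside", "tcp", SECONDARY, PRIMARY_STATIC, 53)
```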
 
LVL 14

Assisted Solution

by:DonConsolio
DonConsolio earned 62 total points
ID: 10969140
If you use bind you can use the query-source directive to force bind to send queries through a specified source port.
This would allow your firewall rules to work as you expect.

e.g. server 123.123.123.123, port 53

options {
[...other options..]
    query-source address 123.123.123.123 port 53;
};
0
 
LVL 14

Expert Comment

by:DonConsolio
ID: 14136015
Still does not work?

you might also need to add:

[...]
transfer-source * port 53;
notify-source * port 53;
[...]
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 15738751
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:
Split: tim_holman{http:#10883472} & DonConsolio{http:#10969140}

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

Tolomir
EE Cleanup Volunteer
0
