Solved

Setup DNS Server on PIX Firewall Inside Interface

Posted on 2004-08-11
Last Modified: 2013-11-16
Hi, I am a beginner here and my English is not very good. I hope someone can help me.

I have setup 2 DNS server running Win2K3 behind a PIX-501 firewall, for my company.

Internal domain: mycompany.com

1st DNS Server name: ns1.mycompany.com
1st DNS Server Internal IP: 192.168.0.254
2nd DNS Server name: ns2.mycompany.com
2nd DNS Server Internal IP: 192.168.0.253
PIX-501 inside IP address: 192.168.0.1
PIX-501 outside IP address: 222.111.222.111


I have 2 available public IP addresses that I want to use as external IP address for the 1st and 2nd DNS server respectively. (222.111.222.112 and 222.111.222.113)

I have registered the domain name: mycompany.com and for the name server information, I put it like this:

Primary Name Server name: ns1.mycompany.com
Primary Name Server IP: 222.111.222.112
Secondary Name Server name: ns2.mycompany.com
Secondary Name Server IP: 222.111.222.113


My questions are:

(1) Can I query my name servers from the internet?

(2) How am I going to setup my Firewall so that it can change the external IP addresses of the name servers to their internal IP and vice-versa?

Thanks
Question by:harazy
 
LVL 36

Expert Comment

by:grblades
ID: 11773092
1) Yes you can as long as you redirect the DNS queries through the PIX.

2) Add the following configuration :-

access-group outside_in permit udp any host 222.111.222.112 eq domain
access-group outside_in permit udp any host 222.111.222.113 eq domain
access-group outside_in in interface outside
static (dmz,outside) 222.111.222.112 192.168.0.254 netmask 255.255.255.255 0 0
static (dmz,outside) 222.111.222.113 192.168.0.253 netmask 255.255.255.255 0 0

If you wish to be able to do zone transfers off the DNS servers in addition to normal lookups then also add :-

access-group outside_in permit tcp any host 222.111.222.112 eq domain
access-group outside_in permit tcp any host 222.111.222.113 eq domain
 
LVL 15

Expert Comment

by:Yan_west
ID: 11773117
I would not make your own DNS server accessible from the internet. I would use your internal DNS to query external DNS, and for use in your internal network, but there is no use in making them accessible from the outside. If you want to make some webserver / mailserver accessible from your internal network, I would publish the address at your service provider's DNS server (A or MX records). Then, configure your PIX with these external addresses, telling it that when it receives a request, to redirect the traffic to a specific IP/port on your network or DMZ.
 
LVL 15

Expert Comment

by:Yan_west
ID: 11773135
Oh, and I'm saying this because the more you open up your network, the less security you have.
 

Author Comment

by:harazy
ID: 11781110
thanks guys for your replies

grblades,

Is it 'access-group...' -or- 'access-list...'?

Is it possible to create DMZ zone in PIX-501?

Can I change the 'dmz' in
'static (dmz,outside) 222.111.222.112 192.168.0.254 netmask 255.255.255.255 0 0'
to 'inside'?
 

Author Comment

by:harazy
ID: 11781153
Here is my PIX output (I've changed the external IP)


PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXX encrypted
passwd XXXXXX encrypted
hostname pix501-fwcbj01
domain-name myompany.com
clock timezone MYT 8
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list dns_server_acl permit icmp any any
access-list dns_server_acl permit tcp any host 222.111.222.113 eq www
access-list dns_server_acl permit tcp any host 222.111.222.112 eq domain
access-list dns_server_acl permit udp any host 222.111.222.112 eq domain
access-list dns_server_acl permit tcp any host 222.111.222.113 eq domain
access-list dns_server_acl permit udp any host 222.111.222.113 eq domain
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 222.111.222.111 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
...
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 222.111.222.112 192.168.0.254 netmask 255.255.255.255 0 0
static (inside,outside) 222.111.222.113 192.168.0.253 netmask 255.255.255.255 0 0
access-group dns_server_acl in interface outside
route outside 0.0.0.0 0.0.0.0 222.111.222.110 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
ssh timeout 5
...

It is still not working. Do I have to configure something in the DNS server?
FYI, My dns servers also act as domain controllers.

Thanks
 
LVL 36

Expert Comment

by:grblades
ID: 11781387
Sorry my previous post should have read:-

access-list outside_in permit udp any host 222.111.222.112 eq domain
access-list outside_in permit udp any host 222.111.222.113 eq domain
access-group outside_in in interface outside
static (dmz,outside) 222.111.222.112 192.168.0.254 netmask 255.255.255.255 0 0
static (dmz,outside) 222.111.222.113 192.168.0.253 netmask 255.255.255.255 0 0

If you wish to be able to do zone transfers off the DNS servers in addition to normal lookups then also add :-

access-list outside_in permit tcp any host 222.111.222.112 eq domain
access-list outside_in permit tcp any host 222.111.222.113 eq domain
 
LVL 36

Expert Comment

by:grblades
ID: 11781406
Technically a DMZ is a completely separate network from both the Internet and internal network so as the 501 only has 2 interfaces this cannot be done.
However as you suggested above you can change the static command and redirect the traffic to an internal machine.

As your DNS servers are domain controllers I would not make them publicly available if you can avoid it for security reasons. You could perhaps set up a Linux machine running a DNS server and have that accessible.
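Once TCP/53 is opened towards a DNS server, as the zone-transfer lines above do, any host the access-list lets through can ask for a full copy of the zone, which on a domain controller includes the service records for the whole AD forest. The following is an added example, not code from the thread, that builds the AXFR request by hand (so it does not depend on dig or nslookup being present), classifies the server's answer, and reports a firewall drop as "filtered". It uses only the Python standard library; the zone name and addresses are the thread's examples, and the sample answers at the bottom are constructed, not captured from a real server.

```python
"""Added example: a zone-transfer exposure check for a DNS server behind a
firewall. build_query/parse_response/classify work offline on raw DNS wire
format (RFC 1035); axfr_probe performs the real TCP/53 request.

Assumptions: a host that the PIX access-list blocks simply times out or is
reset, which is reported as "filtered"; a NOERROR answer carrying records
means the zone has been handed out. Only the standard library is used.
"""
import socket
import struct

QTYPE_AXFR = 252
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def build_query(zone, qtype, txid=0x1234):
    """DNS query in wire format: 12-byte header, QNAME as length-prefixed labels, QTYPE, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # flags 0: no RD bit for AXFR
    qname = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                     for label in zone.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_response(data):
    """Return (txid, rcode, ancount) from the header of a DNS message."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return txid, flags & 0x000F, ancount


def classify(data):
    """Turn an AXFR answer into the verdict a firewall or DNS admin cares about."""
    _, rcode, ancount = parse_response(data)
    if rcode == 0 and ancount > 0:
        return "TRANSFER ALLOWED"  # the zone walked out: tighten the ACL or the server's transfer list
    return RCODE_NAMES.get(rcode, "RCODE%d" % rcode)


def _recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed mid-message")
        buf += chunk
    return buf


def axfr_probe(server_ip, zone, timeout=5.0):
    """Request an AXFR over TCP/53 (2-byte length prefix, RFC 1035 s4.2.2). Network call."""
    query = build_query(zone, QTYPE_AXFR)
    try:
        with socket.create_connection((server_ip, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            length = struct.unpack("!H", _recv_exact(s, 2))[0]
            return classify(_recv_exact(s, length))
    except OSError:
        return "filtered"  # dropped or reset by the firewall: what the thread's ACL should produce


# Constructed sample answers (headers only; classify() reads nothing past the header).
REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0)  # QR=1, RCODE=5
LEAKED = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 3, 0, 0)   # QR=1, AA=1, 3 answer records

if __name__ == "__main__":
    print(classify(REFUSED))  # REFUSED
    print(classify(LEAKED))   # TRANSFER ALLOWED
    # From a host on the Internet that is NOT the permitted secondary:
    # print(axfr_probe("222.111.222.112", "mycompany.com"))  # expected: filtered
```

Run axfr_probe from two places: from the permitted external secondary it should return NOERROR with records (the transfer you want), and from any other outside host it should return "filtered". A REFUSED from an unexpected host means the firewall let the connection through and only the DNS server's own transfer restrictions stopped it.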
 

Author Comment

by:harazy
ID: 11827676
If I'm going to put one DNS server on the outside interface, how am I going to set up both internal & external DNS servers, and what changes should I make to the PIX?
 
LVL 36

Expert Comment

by:grblades
ID: 11828115
What you could do is set up an external ftp server and configure it as a secondary for your domain so that it performs zone transfers and basically keeps itself in sync with the contents of the internal DNS servers. Alternatively you could just manually configure all the records required.

If you want this machine to be able to do zone transfers then you need to replace your access list with the following and substituting the IP address of the external DNS server where it shows ext-ftp. This will just enable that machine to access your internal DNS servers.

access-list outside_in permit udp host ext-ftp host 222.111.222.112 eq domain
access-list outside_in permit tcp host ext-ftp host 222.111.222.112 eq domain
 

Author Comment

by:harazy
ID: 11838255
grblades, thanks for your answers so far, I've got the rough idea.

I hope you can clear me on what I'm trying to do.

Right now, I have 2 servers. One, I'm gonna make it as internal DNS server and the other one as external DNS server.

The Internal DNS server also acts as Domain Controller for 'mycompany.com' domain.

My questions are:

(1) Which one would be the primary & secondary dns server?
(2) Do each dns server host their own forward/reverse lookup zone?
(3) How do I join the external dns server to internal 'mycompany.com' domain? or
(4) Should I promote the external dns server to domain controller as well? if yes, what domain should I use for the external domain controller?

Thanks
 

Author Comment

by:harazy
ID: 11838321
>access-list outside_in permit udp host ext-ftp host 222.111.222.112 eq domain
>access-list outside_in permit tcp host ext-ftp host 222.111.222.112 eq domain

If I put one DNS server as external, I would use one of the public IP address (222.111.222.112 & 222.111.222.113) as the address of the external DNS server, right?

then, would the 'ext-ftp' and '222.111.222.112' be the same number?
 
LVL 36

Expert Comment

by:grblades
ID: 11838917
1) The primary would be the internal DNS server as that is the one being updated continuously as machines log onto the network.
2) The internal DNS server would normally look up everything itself and you could add your ISP's DNS server as a forwarder. The external DNS server will only be queried so it does not matter about lookups.
3) The external server should be a standalone server with a firewall configured so that it only accepts DNS queries. It should not have any rights on the internal network.
4) No. The idea is that it should be a completely separate machine, independent from the internal network.

You would need to keep 222.111.222.112 as the IP address of the internal primary DNS server. This would be configured to be publicly available but the access list would ensure that the only machine capable of speaking to it would be the external DNS server.
Assuming you set up the external ftp server with IP address 222.111.222.114 then the access-list to apply would be:-

access-list outside_in permit udp host 222.111.222.114 host 222.111.222.112 eq domain
access-list outside_in permit tcp host 222.111.222.114 host 222.111.222.112 eq domain
 

Author Comment

by:harazy
ID: 11839285
Do I have to change 'mycompany.com' domain registration information?

domain name:     mycompany.com
nameserver1:      ns1.mycompany.com      222.111.222.112
nameserver2:      ns2.mycompany.com      222.111.222.113

Thanks, you're very helpful
 
LVL 36

Expert Comment

by:grblades
ID: 11839368
Yes, you will need to remove nameserver2 and change the IP for ns1.mycompany.com to 222.111.222.114
 

Author Comment

by:harazy
ID: 11889540
grblades,

can I use PAT on the PIX firewall and at the same time use Static NAT?
 
LVL 36

Accepted Solution

by:
grblades earned 500 total points
ID: 11889953
Yes, you can define static NAT entries and then have a single 'global' command listing just one IP address. All traffic to and from a NAT'd address uses that external IP and everything else uses PAT to the global IP.
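The two answers above (the host-restricted access-list in ID 11838917 and the point that static NAT and PAT coexist) are easy to get subtly wrong on a box that fronts a domain controller, so here is an added example, not from the thread, that models the handful of PIX 6.x command forms used on this page and evaluates packets against them. It parses the originally posted "any" access-list and the final host-restricted one (both embedded as constructed strings) and answers two questions: which outside sources can reach the internal primary on port 53 and where the packet is delivered, and which outside address an inside host's own traffic appears from. The PIX semantics are simplified to first-match access-list evaluation, "inbound needs a permit and a static", and "static beats PAT"; 222.111.222.114 is the assumed address of the external secondary, as in the thread.

```python
"""Added example: a small model of the PIX 6.x access-list / static / global /
nat commands from this thread, for checking the design before it is applied.

Assumptions: first-match ACL evaluation with an implicit deny at the end; an
inbound packet on the outside interface is delivered only if the ACL permits
it AND a static translation exists for its destination; outbound traffic from
an address that has a static uses that static, everything else is PAT'd to the
outside interface address. 222.111.222.114 (the external secondary) is assumed.
"""

PORT_NAMES = {"domain": 53, "www": 80}
OUTSIDE_INTERFACE_IP = "222.111.222.111"

# Constructed: the ACL as originally posted. Any Internet host can reach both
# domain controllers on TCP and UDP 53, so anyone can attempt a zone transfer.
OPEN_CONFIG = """
access-list dns_server_acl permit udp any host 222.111.222.112 eq domain
access-list dns_server_acl permit tcp any host 222.111.222.112 eq domain
access-list dns_server_acl permit udp any host 222.111.222.113 eq domain
access-list dns_server_acl permit tcp any host 222.111.222.113 eq domain
access-group dns_server_acl in interface outside
static (inside,outside) 222.111.222.112 192.168.0.254 netmask 255.255.255.255 0 0
static (inside,outside) 222.111.222.113 192.168.0.253 netmask 255.255.255.255 0 0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

# Constructed: the design the thread ends with. Only the external secondary
# (assumed at 222.111.222.114) may query or zone-transfer from the internal
# primary; the second DC is no longer published at all.
FINAL_CONFIG = """
access-list outside_in permit udp host 222.111.222.114 host 222.111.222.112 eq domain
access-list outside_in permit tcp host 222.111.222.114 host 222.111.222.112 eq domain
access-group outside_in in interface outside
static (inside,outside) 222.111.222.112 192.168.0.254 netmask 255.255.255.255 0 0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""


def _addr(tokens, i):
    """Parse 'any' or 'host X' starting at tokens[i]; return (matcher, next index)."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    if tokens[i] == "host":
        want = tokens[i + 1]
        return (lambda ip, want=want: ip == want), i + 2
    raise ValueError("unsupported address form: %s" % tokens[i])


def parse_config(text):
    """Return {'acl': {name: [rules]}, 'outside_acl': name, 'statics': {global: local}, 'pat': bool}."""
    cfg = {"acl": {}, "outside_acl": None, "statics": {}, "pat": False}
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "access-list":
            name, action, proto = t[1], t[2], t[3]
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            port = PORT_NAMES[t[i + 1]] if i < len(t) and t[i] == "eq" else None
            cfg["acl"].setdefault(name, []).append((action, proto, src, dst, port))
        elif t[0] == "access-group" and t[3] == "interface" and t[4] == "outside":
            cfg["outside_acl"] = t[1]
        elif t[0] == "static" and t[1] == "(inside,outside)":
            cfg["statics"][t[2]] = t[3]          # global address -> inside address
        elif t[0] == "global" and t[1] == "(outside)" and t[3] == "interface":
            cfg["pat"] = True                    # PAT to the outside interface address
    return cfg


def inbound(cfg, src, dst, proto, dport):
    """Packet arriving on outside: (permitted?, inside address it is delivered to)."""
    rules = cfg["acl"].get(cfg["outside_acl"], [])
    for action, rproto, match_src, match_dst, port in rules:
        if rproto == proto and match_src(src) and match_dst(dst) and port in (None, dport):
            if action != "permit":
                return False, None
            local = cfg["statics"].get(dst)      # no static -> no translation -> dropped
            return (local is not None), local
    return False, None                           # implicit deny at the end of the list


def outbound(cfg, inside_src):
    """Outside address an inside host's own connections appear to come from."""
    for glob, local in cfg["statics"].items():
        if local == inside_src:
            return glob                          # a static translation wins over PAT
    return OUTSIDE_INTERFACE_IP if cfg["pat"] else None


if __name__ == "__main__":
    final = parse_config(FINAL_CONFIG)
    print(inbound(final, "222.111.222.114", "222.111.222.112", "tcp", 53))  # (True, '192.168.0.254')
    print(inbound(final, "203.0.113.7", "222.111.222.112", "tcp", 53))      # (False, None)
    print(outbound(final, "192.168.0.254"))                                   # 222.111.222.112
    print(outbound(final, "192.168.0.50"))                                    # 222.111.222.111
```

The model deliberately applies the access-list to the global (untranslated) destination address, which is how PIX 6.x evaluates an ACL on the outside interface: you write the public address in the access-list, and the static then rewrites it to the inside host.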