• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1885
  • Last Modified:

Setup DNS Server on PIX Firewall Inside Interface

Hi, I am a beginner here and my english is not very good. I hope someone can help me.

I have setup 2 DNS server running Win2K3 behind a PIX-501 firewall, for my company.

Internal domain: mycompany.com

1st DNS Server name: ns1.mycompany.com
1st DNS Server Internal IP: 192.168.0.254
2nd DNS Server name: ns2.mycompany.com
2nd DNS Server Internal IP: 192.168.0.253
PIX-501 inside IP address: 192.168.0.1
PIX-501 outside IP address: 222.111.222.111


I have 2 available public IP addresses that I want to use as external IP address for the 1st and 2nd DNS server respectively. (222.111.222.112 and 222.111.222.113)

I have registered the domain name: mycompany.com and for the name server information, I put it like this:

Primary Name Server name: ns1.mycompany.com
Primary Name Server IP: 222.111.222.112
Secondary Name Server name: ns2.mycompany.com
Secondary Name Server IP: 222.111.222.113


My questions are:

(1) Can I query my name servers from the internet?

(2) How am I going to setup my Firewall so that it can change the external IP addresses of the name servers to their internal IP and vice-versa?

Thanks
0
harazy
Asked:
harazy
  • 7
  • 7
  • 2
1 Solution
 
grbladesCommented:
1) Yes you can as long as you redirect the DNS queries through the PIX.

2) Add the following configuration :-

access-group outside_in permit udp any host 222.111.222.112 eq domain
access-group outside_in permit udp any host 222.111.222.113 eq domain
access-group outside_in in interface outside
static (dmz,outside) 222.111.222.112 192.168.0.254 netmask 255.255.255.255 0 0
static (dmz,outside) 222.111.222.113 192.168.0.253 netmask 255.255.255.255 0 0

If you wish to be able to do zone transfers off the DNS servers in addition to normal lookups then also add :-

access-group outside_in permit tcp any host 222.111.222.112 eq domain
access-group outside_in permit tcp any host 222.111.222.113 eq domai
0
 
Yan_westCommented:
I would not make your own DNS server accessible from the internet.  I would use your internal DNS to query external DNS, and for use in your internal network, but there is no use of making them accessible from the outside. If you want to make some webserver / mailserver accessible from your internal network, I would publish the address at your Service provider's dns server. (A or MX records) Them, configure your PIX witht these external addresse, telling it that when it receive a request, to redirect the traffic to a specific IP/Port on your network or DMZ.
0
 
Yan_westCommented:
Oh, and i'm saying this because the more you open up your network, the less security you have.
0
2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

 
harazyAuthor Commented:
thanks guys for your replies

grblades,

Is it 'access-group...' -or- 'access-list...'?

Is it possible to create DMZ zone in PIX-501?

Can I change the 'dmz' in
'static (dmz,outside) 222.111.222.112 192.168.0.254 netmask 255.255.255.255 0 0'
to 'inside'?
0
 
harazyAuthor Commented:
Here is my PIX output (I've change the external IP)


PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXX encrypted
passwd XXXXXX encrypted
hostname pix501-fwcbj01
domain-name myompany.com
clock timezone MYT 8
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list dns_server_acl permit icmp any any
access-list dns_server_acl permit tcp any host 222.111.222.113 eq www
access-list dns_server_acl permit tcp any host 222.111.222.112 eq domain
access-list dns_server_acl permit udp any host 222.111.222.112 eq domain
access-list dns_server_acl permit tcp any host 222.111.222.113 eq domain
access-list dns_server_acl permit udp any host 222.111.222.113 eq domain
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 222.111.222.111 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
...
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 222.111.222.112 192.168.0.254 netmask 255.255.255.255 0 0
static (inside,outside) 222.111.222.113 192.168.0.253 netmask 255.255.255.255 0 0
access-group dns_server_acl in interface outside
route outside 0.0.0.0 0.0.0.0 222.111.222.110 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
ssh timeout 5
...

It is still not working. Do I have to configure something in the dns server.
FYI, My dns servers also act as domain controllers.

Thanks
0
 
grbladesCommented:
Sorry my previous post should have read:-

access-list outside_in permit udp any host 222.111.222.112 eq domain
access-list outside_in permit udp any host 222.111.222.113 eq domain
access-group outside_in in interface outside
static (dmz,outside) 222.111.222.112 192.168.0.254 netmask 255.255.255.255 0 0
static (dmz,outside) 222.111.222.113 192.168.0.253 netmask 255.255.255.255 0 0

If you wish to be able to do zone transfers off the DNS servers in addition to normal lookups then also add :-

access-list outside_in permit tcp any host 222.111.222.112 eq domain
access-list outside_in permit tcp any host 222.111.222.113 eq domain
0
 
grbladesCommented:
Technically a DMZ is a completely separate network from both the Internet and internal network so as the 501 only has 2 interfaces this cannot be done.
However as you suggested above you can change the static command and redirect the traffic to an internal machine.

As your DNS servers are domain controller I would not make them publically avilable if you can avoid it for security reasons. You could perhaps setup a Linux machine running a DNS server and have that accessible.
0
 
harazyAuthor Commented:
If I'm going to put one DNS server on the outside interface, how am I going to setup both internal & external DNS server, and what changes should I make to the pix?
0
 
grbladesCommented:
What you could do is setup an external ftp server and configure it as a secondary for your domain so that it performs zone transfers and basically keeps itself in sync with the contents of the internal DNS servers. Alternativly you could just manually configure all the records required.

If you want this machine to be able to do zone transfers then you need to replace your access list with the following and substituting the IP address of the external DNS server where it shows ext-ftp. This will just enable that machine to access your internal DNS servers.

access-list outside_in permit udp host ext-ftp host 222.111.222.112 eq domain
access-list outside_in permit tcp host ext-ftp host 222.111.222.112 eq domain
0
 
harazyAuthor Commented:
grblades, thanks for your answers so far, I've got the rough idea.

I hope you can clear me on what I'm trying to do.

Right now, I have 2 servers. One, I'm gonna make it as internal DNS server and the other one as external DNS server.

The Internal DNS server also acts as Domain Controller for 'mycompany.com' domain.

My questions are:

(1) Which one would be the primary & secondary dns server?
(2) Do each dns server host their own forward/reverse lookup zone?
(3) How do I join the external dns server to internal 'mycompany.com' domain? or
(4) Should I promote the external dns server to domain controller as well? if yes, what domain should I use for the external domain controller?

Thanks
0
 
harazyAuthor Commented:
>access-list outside_in permit udp host ext-ftp host 222.111.222.112 eq domain
>access-list outside_in permit tcp host ext-ftp host 222.111.222.112 eq domain

If I put one DNS server as external, I would use one of the public IP address (222.111.222.112 & 222.111.222.113) as the address of the external DNS server, right?

then, would the 'ext-ftp' and '222.111.222.112' be the same number?
0
 
grbladesCommented:
1) The primary would be the internal DNS server as that is the one being updated continuously as machines log onto the network.
2) The internal DNS server would normally lookup everything itself and you could add your ISP's DNS server as a forwarder. The external DNS server will only be queried so it does not matter about lookups.
3) The external server should be a standalone server with a firewall configured so that it only accepts DNS queries. It should not have any rights on the internal network.
4) No. The idea is that it should be a completely separate machine independant from the internal network.

You would need to keep 222.111.222.112 as the IP address of the internal primary DNS server. This would be configured to be publically available but the access list would ensure that the only machine capable of speaking to it would be the external DNS server.
Assuming you setup the external ftp server with IP address 222.111.222.114 then the access-list to apply would be:-

access-list outside_in permit udp host 222.111.222.114 host 222.111.222.112 eq domain
access-list outside_in permit tcp host 222.111.222.114 host 222.111.222.112 eq domain
0
 
harazyAuthor Commented:
Do I have to change 'mycompany.com' domain registration information?

domain name:     mycompany.com
nameserver1:      ns1.mycompany.com      222.111.222.112
nameserver2:      ns2.mycompany.com      222.111.222.113

Thanks, you're very helpful
0
 
grbladesCommented:
Yes you will need to remove nameserver2 and change the IP for ns1.mycompany com to 222.111.222.114
0
 
harazyAuthor Commented:
grblades,

can I use PAT on the PIX firewall and at the same time use Static NAT?
0
 
grbladesCommented:
Yes you can define static NAT entries and then have a single 'global' command listing just one IP address. All traffic between the NAT'd address uses  that external IP and everything else uses PAT to the global IP.
0

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

  • 7
  • 7
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now