
Solved

Win2K DNS + PIX

Posted on 2004-09-29
Medium Priority | 242 Views
Last Modified: 2013-11-16
Could someone tell me what rules are required to allow DNS traffic through a PIX box?

I have to host 3 domains on a Win2K DNS server, but the PIX is currently blocking the requests.

Thanks!!
Question by:just1coder
10 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12181374
You have to have two things:
1. static nat translation for either the IP or port 53 (UDP) that identifies the public IP and private ip of the server
2. An access-list (or conduit) permitting udp source "any" to public ip, port 53

If you can post your PIX config, I can give you the exact commands necessary.
0
 
LVL 2

Author Comment

by:just1coder
ID: 12181709
the internal ip is:
192.168.1.11

the external ip is: (let's say)
10.0.0.11

10.0.0.11 is NAT'd to 192.168.1.11

I currently have

access-list 100 permit udp any host 10.0.0.11 eq 53
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12181774
OK. Can you post result of
"Show access-list" and include that line. Is there anything in the (hitcount) ?
Is the acl applied? Do you have a line like:
   access-group 100 in interface outside

What is the default gateway of your DNS server? Is it 192.168.1.1 - the inside interface of the PIX?
Are you secondary DNS or Primary DNS? Do you need to do zone transfers?
You might also need to permit TCP port 53 the same way.
0
 
LVL 2

Author Comment

by:just1coder
ID: 12181864
yes, I have: access-group 100 in interface outside

Inside interface of the pix is 192.168.1.1

Primary DNS, no zone transfers.

access-list 100 line 38 permit tcp any host 10.0.0.11 eq domain (hitcnt=0)
access-list 100 line 39 permit udp any host 10.0.0.11 eq domain (hitcnt=344)
0
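Added example in Python, not code from the thread or from either participant: it emits the PIX 6.x rules lrmoore lists (a static translation, UDP and TCP port-53 entries in the ACL, and the access-group applying it inbound on the outside interface) for a given public/private address pair, and it parses "show access-list" output of the kind pasted above to report whether the port-53 entries to the public address exist and whether they carry hits. The sample output is constructed from the two lines in the post; the host netmask on the static and the interface names are assumptions.

```python
import re

# Constructed sample of "show access-list" output, modelled on the two lines
# pasted in the thread (line numbers and hit counts are the thread's own).
SAMPLE_SHOW_ACCESS_LIST = """\
access-list 100 line 38 permit tcp any host 10.0.0.11 eq domain (hitcnt=0)
access-list 100 line 39 permit udp any host 10.0.0.11 eq domain (hitcnt=344)
"""

# One access-control entry as PIX 6.x prints it. Source and destination may
# be "any", "host <ip>" or "<network> <mask>"; the "eq <port>" part is optional.
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+"
    r"(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+"
    r"(?P<dst>any|host\s+\S+|\S+\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?"
    r"\s+\(hitcnt=(?P<hits>\d+)\)\s*$"
)


def pix_dns_rules(public_ip, private_ip, acl="100", outside="outside", inside="inside"):
    """PIX 6.x commands for the two things the thread says a DNS server needs:
    a static translation and an ACL permitting UDP (plus TCP, used for zone
    transfers and oversized answers) port 53 to the public address, applied
    inbound on the outside interface. Interface names and the /32 netmask are
    assumptions for this example."""
    return [
        f"static ({inside},{outside}) {public_ip} {private_ip} netmask 255.255.255.255",
        f"access-list {acl} permit udp any host {public_ip} eq domain",
        f"access-list {acl} permit tcp any host {public_ip} eq domain",
        f"access-group {acl} in interface {outside}",
    ]


def parse_show_access_list(text):
    """Parse "show access-list" output into dicts; lines that are not ACEs are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["line"] = int(entry["line"])
        entry["hits"] = int(entry["hits"])
        # Normalise internal whitespace so "host   10.0.0.11" compares equal.
        entry["src"] = " ".join(entry["src"].split())
        entry["dst"] = " ".join(entry["dst"].split())
        entries.append(entry)
    return entries


def check_dns_acl(text, public_ip):
    """Report the state of the port-53 permits for one public address.

    Returns {'udp': status, 'tcp': status} with status 'missing', 'no-hits' or
    'hit'. The thread's reading applies: a UDP entry with hits means the PIX is
    passing queries, so a remaining failure lies beyond the firewall; a TCP
    entry with zero hits is normal when no zone transfers are expected."""
    result = {"udp": "missing", "tcp": "missing"}
    for e in parse_show_access_list(text):
        if e["action"] != "permit" or e["dst"] != f"host {public_ip}":
            continue
        if e["port"] not in ("domain", "53"):
            continue
        if e["proto"] in result:
            result[e["proto"]] = "hit" if e["hits"] > 0 else "no-hits"
    return result


if __name__ == "__main__":
    for cmd in pix_dns_rules("10.0.0.11", "192.168.1.11"):
        print(cmd)
    print(check_dns_acl(SAMPLE_SHOW_ACCESS_LIST, "10.0.0.11"))
```

Run against the thread's own output the checker returns udp "hit" and tcp "no-hits", which is the same conclusion the accepted answer draws: the firewall is permitting the queries, so the test-query failure has to be chased on the server.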
 
LVL 79

Accepted Solution

by: lrmoore (earned 300 total points)
ID: 12181972
>access-list 100 line 39 permit udp any host 10.0.0.11 eq domain (hitcnt=344) <== obviously being permitted in...
So what is not working?
What is default gateway of the DNS server? Paste result of C:\>route print
0
 
LVL 2

Author Comment

by:just1coder
ID: 12182354
The default GW of the DNS server is 192.168.1.1

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.40       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0     192.168.1.40    192.168.1.40       1
     192.168.1.11  255.255.255.255        127.0.0.1       127.0.0.1       1
     192.168.1.40  255.255.255.255        127.0.0.1       127.0.0.1       1
    192.168.1.255  255.255.255.255     192.168.1.40    192.168.1.40       1
        224.0.0.0        224.0.0.0     192.168.1.40    192.168.1.40       1
  255.255.255.255  255.255.255.255     192.168.1.40    192.168.1.40       1
Default Gateway:       192.168.1.1

The DNS server fails on test queries.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12182378
>The DNS server fails on test querries.
Where is the testing PC physically in relation to the server? On the same internal LAN, but using the Public IP? It won't work.

Try going to http://www.dnsreport.com and put in your domain name.

0
 
LVL 2

Author Comment

by:just1coder
ID: 12184537
It's failing right on the server itself. When you go into the DNS snap-in, right-click the server name, hit Properties, and then use the Monitoring tab to run test queries ... it fails ... I wasn't sure if the PIX was still blocking something...

I can telnet into the DNS server from any other location to port 53 using the hostname and the ip address ...
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12184572
If it's failing at that point (mine says 'pass'), you might have to look deeper into the server logs...
http://support.microsoft.com/default.aspx?scid=kb;EN-US;275525

0
 
LVL 2

Author Comment

by:just1coder
ID: 12184598
Dah! Thought so :|
0
