Win2K DNS + PIX

Could someone tell me what rules are required to allows DNS traffic through a PIX box?

I have to host 3 domains on a Win2K DNS server, but the PIX is currently blocking the requests.

Thanks!!
LVL 2
just1coderAsked:
Who is Participating?
 
lrmooreCommented:
>access-list 100 line 39 permit udp any host 10.0.0.11 eq domain (hitcnt=344) <== obviously being permitted in...
So what is not working?
What is default gateway of the DNS server? Paste result of C:\>route print
0
 
lrmooreCommented:
You have to have two things:
1. static nat translation for either the IP or port 53 (UDP) that identifies the public IP and private ip of the server
2. An access-list (or conduit) permitting udp source "any" to public ip, port 53

If you can post your PIX config, I can give you the exact commands necessary.
0
 
just1coderAuthor Commented:
the internal ip is:
192.168.1.11

the external ip is: (let's say)
10.0.0.11

10.0.0.11 is NAT'd to 192.168.1.11

I currently have

access-list 100 permit udp any host 10.0.0.11 eq 53
0
Prepare for an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program curriculum features two internationally recognized certifications from the EC-Council at no additional time or cost.

 
lrmooreCommented:
OK. Can you post result of
"Show access-list" and include that line. Is there anything in the (hitcount) ?
Is the acl applied? Do you have a line like:
   access-group 100 in interface outside

What is the default gateway of your DNS server? Is it 192.168.1.1 - the inside interface of the PIX?
Are you secondary DNS or Primary DNS? Do you need to do zone transfers?
You might also need to permit TCP port 53 the same way.
0
 
just1coderAuthor Commented:
yes, I have: access-group 100 in interface outside

Inside interface of the pix is 192.168.1.1

Primary DNS, no zone transfers.

access-list 100 line 38 permit tcp any host 10.0.0.11 eq domain (hitcnt=0)
access-list 100 line 39 permit udp any host 10.0.0.11 eq domain (hitcnt=344)
0
 
just1coderAuthor Commented:
The default GW of the DNS server is 192.168.1.1

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.40       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0     192.168.1.40    192.168.1.40       1
     192.168.1.11  255.255.255.255        127.0.0.1       127.0.0.1       1
     192.168.1.40  255.255.255.255        127.0.0.1       127.0.0.1       1
    192.168.1.255  255.255.255.255     192.168.1.40    192.168.1.40       1
        224.0.0.0        224.0.0.0     192.168.1.40    192.168.1.40       1
  255.255.255.255  255.255.255.255     192.168.1.40    192.168.1.40       1
Default Gateway:       192.168.1.1

The DNS server fails on test querries.
0
 
lrmooreCommented:
>The DNS server fails on test querries.
Where is the testing PC physically in relation to the server? On the same internal LAN, but using the Public IP? It won't work.

Try going to http://www.dnsreport.com  and put in your domain name.

0
 
just1coderAuthor Commented:
it's failing right on the server itself. when you go into the DNS snap in, right click the server name, hit properties, and then use the monitoring tab to run test querries ... it fails... I wasn't sure if the PIX was still blocking something...

I can telnet into the DNS server from any other location to port 53 using the hostname and the ip address ...
0
 
lrmooreCommented:
If it's failing at that point (mine says 'pass'), you might have to look deeper into the server logs...
http://support.microsoft.com/default.aspx?scid=kb;EN-US;275525

0
 
just1coderAuthor Commented:
Dah! Thought so :|
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.