Solved

Win2K DNS + PIX

Posted on 2004-09-29
244 Views
Last Modified: 2013-11-16
Could someone tell me what rules are required to allow DNS traffic through a PIX box?

I have to host 3 domains on a Win2K DNS server, but the PIX is currently blocking the requests.

Thanks!!
Question by:just1coder
10 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12181374
You have to have two things:
1. A static NAT translation, for either the IP or port 53 (UDP), that identifies the public IP and private IP of the server
2. An access-list (or conduit) permitting UDP from source "any" to the public IP, port 53

If you can post your PIX config, I can give you the exact commands necessary.
LVL 2

Author Comment

by:just1coder
ID: 12181709
the internal ip is:
192.168.1.11

the external ip is: (let's say)
10.0.0.11

10.0.0.11 is NAT'd to 192.168.1.11

I currently have

access-list 100 permit udp any host 10.0.0.11 eq 53
LVL 79

Expert Comment

by:lrmoore
ID: 12181774
OK. Can you post the result of "show access-list" and include that line? Is there anything in the (hitcount)?
Is the ACL applied? Do you have a line like:
   access-group 100 in interface outside

What is the default gateway of your DNS server? Is it 192.168.1.1 - the inside interface of the PIX?
Are you secondary DNS or Primary DNS? Do you need to do zone transfers?
You might also need to permit TCP port 53 the same way.
LVL 2

Author Comment

by:just1coder
ID: 12181864
yes, I have: access-group 100 in interface outside

Inside interface of the pix is 192.168.1.1

Primary DNS, no zone transfers.

access-list 100 line 38 permit tcp any host 10.0.0.11 eq domain (hitcnt=0)
access-list 100 line 39 permit udp any host 10.0.0.11 eq domain (hitcnt=344)
LVL 79

Accepted Solution

by: lrmoore (earned 300 total points)
ID: 12181972
>access-list 100 line 39 permit udp any host 10.0.0.11 eq domain (hitcnt=344) <== obviously being permitted in...
So what is not working?
What is the default gateway of the DNS server? Paste the result of C:\>route print
LVL 2

Author Comment

by:just1coder
ID: 12182354
The default GW of the DNS server is 192.168.1.1

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.40       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0     192.168.1.40    192.168.1.40       1
     192.168.1.11  255.255.255.255        127.0.0.1       127.0.0.1       1
     192.168.1.40  255.255.255.255        127.0.0.1       127.0.0.1       1
    192.168.1.255  255.255.255.255     192.168.1.40    192.168.1.40       1
        224.0.0.0        224.0.0.0     192.168.1.40    192.168.1.40       1
  255.255.255.255  255.255.255.255     192.168.1.40    192.168.1.40       1
Default Gateway:       192.168.1.1

The DNS server fails on test queries.
LVL 79

Expert Comment

by:lrmoore
ID: 12182378
>The DNS server fails on test queries.
Where is the testing PC physically in relation to the server? On the same internal LAN, but using the Public IP? It won't work.

Try going to http://www.dnsreport.com  and put in your domain name.

LVL 2

Author Comment

by:just1coder
ID: 12184537
It's failing right on the server itself. When you go into the DNS snap-in, right-click the server name, hit Properties, and then use the Monitoring tab to run test queries ... it fails... I wasn't sure if the PIX was still blocking something...

I can telnet into the DNS server from any other location to port 53 using the hostname and the IP address ...
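The telnet-to-port-53 check above and the snap-in's test query are different things: a TCP connect only shows that the PIX passes TCP 53 to 10.0.0.11, while a real lookup over UDP (the ACL line that is accumulating hits) and over TCP shows whether the server actually answers. The following probe is an added example, not code from the original thread; it builds a query for a name you choose, sends it to the server's public IP over both transports, and reports the DNS response code, and per lrmoore's note it has to be run from a host outside the LAN, since querying the public IP from the inside won't work.

```python
import random, socket, struct, sys

def build_query(name, qtype=1):
    """Minimal DNS query (A record by default, RD set); returns (txid, packet)."""
    txid = random.randrange(0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split("."))
    return txid, header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_response(txid, packet):
    """Return (rcode, answer count) from a response header, or raise."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    return flags & 0x000F, an  # rcode 0 = NOERROR, 2 = SERVFAIL, 3 = NXDOMAIN

def recv_exact(sock, n):
    """DNS over TCP is length-prefixed, so read exactly n bytes."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection early")
        buf += chunk
    return buf

def probe(server, name, proto, timeout=3.0):
    """Send one query over 'udp' or 'tcp' to server:53; return (rcode, answers)."""
    txid, q = build_query(name)
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (server, 53))
            data, _ = s.recvfrom(4096)
    else:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(q)) + q)
            data = recv_exact(s, struct.unpack("!H", recv_exact(s, 2))[0])
    return parse_response(txid, data)

if __name__ == "__main__":
    # usage: python dnsprobe.py 10.0.0.11 example.com   (run from outside the LAN)
    server, name = sys.argv[1], sys.argv[2]
    for proto in ("udp", "tcp"):
        try:
            print(proto, "rcode=%d answers=%d" % probe(server, name, proto))
        except (OSError, ValueError) as exc:
            print(proto, "failed:", exc)
```

A timeout on UDP with a working TCP probe points at the firewall or NAT path; the same failure on both transports, or a SERVFAIL from a name the server hosts, points at the server itself.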
LVL 79

Expert Comment

by:lrmoore
ID: 12184572
If it's failing at that point (mine says 'pass'), you might have to look deeper into the server logs...
http://support.microsoft.com/default.aspx?scid=kb;EN-US;275525

LVL 2

Author Comment

by:just1coder
ID: 12184598
Dah! Thought so :|