Public DNS Servers Behind a Firewall

Posted on 2006-05-25
Last Modified: 2013-11-16
What ports need to be forwarded through a PIX to be able to have DNS servers on a private IP instead of a public one and still work? I have tried port 53 and it doesn't seem to be enough.

This is probably fairly easy but it's worth 500 points due to the urgency!!!!

My DNS servers are slammed with bugs from having public IPs.

Question by: centrepc
    LVL 34

    Expert Comment

    What is the DNS server software? If you're using BIND, you need to configure it to use only port 53.
    LVL 57

    Expert Comment

    Umm, port 53 using what? Normal DNS uses UDP, not TCP.
    LVL 11

    Expert Comment

    port 53/UDP for standard DNS queries
    port 53/TCP for DNS zone transfers

    LVL 11

    Accepted Solution

    on the Pix set it up with a translate (one port static per protocol, since a tcp static does not carry UDP/53)

    static (DMZ-1,outside) tcp DNS-externalip 53 DMZ1-IP 53 netmask 255.255.255.255 0 0
    static (DMZ-1,outside) udp DNS-externalip 53 DMZ1-IP 53 netmask 255.255.255.255 0 0

    then control it with an access list and apply it to the outside interface

    access-list 100 permit tcp any host DNS-externalip eq 53
    access-list 100 permit udp any host DNS-externalip eq 53
    access-group 100 in interface outside

    Also ensure
    fixup protocol dns

    LVL 2

    Expert Comment

    As somebody said before, 53/udp and 53/tcp should be enough.
    LVL 5

    Author Comment

    Thanks to all for the quick responses. I will try the suggestions later tonight when the server can be down for a few minutes.

    To answer a couple of your questions:

    I am running 2000 Server DNS. I think when I first tried to forward port 53 it was only TCP and UDP. That may have been the problem.

    Someone told me that DNS can randomly change the ports that it communicates on. Can this be even close to being true? How would it work if there isn't a standard port?

    Thanks again for the help.
    LVL 2

    Expert Comment

    Every DNS query comes to the 53/udp port and zone transfer comes to the 53/tcp port.

    Maybe you have something blocked/blacklisted on your firewall?
    LVL 79

    Expert Comment

    Your PIX also has a DNS fixup enabled. You may have to increase the default size from 512 to 1024.
    Unless you are a primary DNS and have a secondary DNS outside the PIX, you should not be allowing any zone transfers - ever. All you should need is UDP/53.
    How old is your PIX OS version?
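
    Added example (not from any of the posts above): the Python script below builds DNS messages offline to show why the thread keeps coming back to both 53/udp and 53/tcp even when zone transfers are never allowed. It constructs a query and an answer too large for the classic 512-byte UDP limit (the same default size the PIX DNS fixup enforces), shows the server setting the TC bit in the truncated UDP reply, and then shows the client's TCP retry succeeding only when 53/tcp is permitted. All names, addresses and message contents are constructed here; nothing is sent on the network.

```python
"""Offline walk-through of DNS over UDP vs. TCP behind a firewall.

Added example, not taken from the thread. Every message below is constructed
inline (example.com, 192.0.2.x test addresses); nothing touches the wire.
"""
import struct

UDP_LIMIT = 512  # classic maximum DNS payload over UDP (RFC 1035, section 2.3.4)


def encode_name(name):
    """Encode a dotted name as DNS labels: length byte, label, ..., terminating zero."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """Build a standard recursive query (default qtype 1 = A, class 1 = IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte header; TC (0x0200) is the bit that forces a TCP retry."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def question_end(msg):
    """Offset just past the single question section (name + QTYPE + QCLASS)."""
    pos = 12
    while msg[pos] != 0:
        pos += 1 + msg[pos]
    return pos + 1 + 4


def build_response(query, addresses):
    """Constructed answer to `query`: one A record per address, TTL 300."""
    txid, _flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    question = query[12:]
    rrs = b""
    for addr in addresses:
        # Name as a compression pointer to offset 12 (the question name),
        # then TYPE A, CLASS IN, TTL, RDLENGTH 4 and the address itself.
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        rrs += bytes(int(o) for o in addr.split("."))
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)  # QR, RD, RA
    return header + question + rrs


def fit_udp(response, limit=UDP_LIMIT):
    """Server side: if the answer exceeds the UDP limit, drop answer records until
    it fits and set TC so the client knows to retry over TCP."""
    if len(response) <= limit:
        return response
    qend = question_end(response)
    rr_len = 16  # each constructed A record: 2-byte pointer + 10 fixed bytes + 4-byte address
    keep = (limit - qend) // rr_len
    txid, flags, qd, _an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    header = struct.pack("!HHHHHH", txid, flags | 0x0200, qd, keep, ns, ar)
    return header + response[12:qend + keep * rr_len]


def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035, section 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def resolve_path(query, addresses, allow_tcp):
    """Client side under a given firewall policy: UDP first, TCP retry only if 53/tcp
    is open. Returns (transport_used, answer_count); ('failed', 0) if the retry is blocked."""
    full = build_response(query, addresses)
    udp = fit_udp(full)
    if not parse_header(udp)["tc"]:
        return "udp", parse_header(udp)["ancount"]
    if not allow_tcp:
        return "failed", 0  # truncated answer, and the firewall drops the TCP retry
    framed = tcp_frame(full)
    length = struct.unpack("!H", framed[:2])[0]
    return "tcp", parse_header(framed[2:2 + length])["ancount"]


if __name__ == "__main__":
    q = build_query("example.com")
    small = ["192.0.2.%d" % i for i in range(1, 4)]    # 3 records: 77 bytes, fits in UDP
    large = ["192.0.2.%d" % i for i in range(1, 41)]   # 40 records: 669 bytes, over 512
    print(resolve_path(q, small, allow_tcp=False))
    print(resolve_path(q, large, allow_tcp=False))
    print(resolve_path(q, large, allow_tcp=True))
```

    The three calls at the bottom print ('udp', 3), ('failed', 0) and ('tcp', 40): a small answer never needs TCP, a large one is truncated to 30 records with TC set over UDP, and only a policy that also permits 53/tcp lets the client fetch the complete 40-record answer on the retry. A fixup that caps UDP DNS at 512 bytes does not change this picture; it just means a server sending bigger UDP answers (for example with EDNS0) sees them dropped rather than truncated, which is why the suggestion to raise that limit and the advice to allow 53/tcp address the same symptom from two sides.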
